Fragmented Cybersecurity Can’t Stop A Fragmented Threat Landscape
We frequently say that cyberthreats evolve faster than security controls can keep pace with. However, the notion of “fragmentation” is too often ignored in cyber risk conversations.
Consider that ransomware victims surged 53% year over year as the ecosystem splintered into dozens of specialized groups, and 89% of organizations encountered risky AI prompts. At the same time, 40% of the 10,000 Model Context Protocol (MCP) servers reviewed showed exploitable security gaps. Siloed security programs are proving no match for this kind of fragmented, multifront assault.
I believe the best way organizations can address the risks introduced by AI and the post-quantum readiness gap is by building a risk management posture that best aligns with regulatory frameworks across geographies. Businesses are increasingly expected not only to demonstrate compliance by showing deployment of necessary controls but also to prove those controls actually work. That’s a high bar to clear, and according to Cisco, only 4% of organizations have the mature security readiness to do so. A huge gap exists between what the fragmented threat landscape demands and what most cybersecurity frameworks currently deliver.
Many businesses try to solve this problem by expanding their frameworks, adding more controls and implementing policies. But in my experience, this reactive approach often lacks cohesion.
The Growing Complexity Of Governance, Risk And Assurance
Modern organizations operate across distributed environments, cloud platforms and interconnected supply chains. At the same time, they must respond to overlapping regulatory expectations across jurisdictions.
To manage this, many adopt a combination of standards, including but not limited to ISO for governance, NIST for risk management, CIS for controls and more. These can also be layered with industry-specific and regional regulations.
There is no doubt about the security ROI of these frameworks, but if they operate in isolation, there is a very good chance of introducing fragmentation into the overarching security system. Policies may be written using one framework, controls implemented using another and assurance activities conducted against a third. Over time, this can lead to a disjointed operating model where alignment becomes difficult and consistency becomes even harder to maintain.
The Compliance-Assurance Gap
Compliance frameworks define expectations, clearly demarcating the controls organizations must have in place to manage risk. But there is no guarantee that these controls are effective.
It is relatively easy for an organization to demonstrate that security policies exist, controls are defined and the necessary framework is mapped. More challenging is determining whether these controls are consistently implemented, operate as intended and deliver results.
The Link Between Strategy And Execution
In my experience, a cybersecurity posture that can address the challenges of a rapidly evolving threat landscape comprises two layers:
1. Governance, Risk And Assurance: This first layer sets the direction that your organization’s cybersecurity strategy must take, the kind of risks the organization is willing to tolerate and how controls are validated.
2. Controls: This second layer focuses on converting strategic intent into action by implementing the necessary technical measures and operational processes that safeguard systems and data.
If these layers do not work in concert, the resulting security framework is likely to become as fragmented as the threat landscape, with different security tools working at cross purposes.
A Structured Approach To Integration
The introduction of structure into the cybersecurity ecosystem isn’t about adding yet another disconnected framework on top of existing ones. In my experience, adding more documentation, more controls and more compliance mapping in isolation is the wrong approach. A unifying structure can bring governance, risk, assurance and controls together, reducing the “silo-fication” of frameworks and helping to ensure they work optimally.
Unifying frameworks such as my organization’s Standard of Good Practice (SOGP) show how cybersecurity integration can go beyond control checklists. These frameworks ask organizations to focus on the two connected layers: one for governance, risk and assurance and another for controls and operational execution. The emphasis should be on building a unifying structure that translates regulatory requirements into a common model, maps overlapping controls, identifies gaps and validates whether implemented controls are functioning as needed.
In practical terms, I recommend against adopting any single security framework in isolation. Rather, build a structure that unifies the frameworks and controls you already use. Here is a simple breakdown of this approach:
● Map your existing frameworks and regulations against common risk objectives instead of treating each requirement in isolation.
● Identify control overlaps that lead to duplicated effort and security gaps across business units, cloud environments, third parties and critical systems.
● Link controls to measurable outcomes so your teams can test whether controls are delivering results.
● Ensure leadership, risk teams, auditors and security operations are on the same page so they all speak the same security language.
● Review the structure regularly to ensure it can address new risks such as AI, the post-quantum threat landscape and cross-border threat actors.
In my experience, this approach can give organizations greater confidence that their frameworks are delivering security value and are not working at cross-purposes with each other.
In Summary
Organizations looking to deploy a strong security posture typically do not suffer for lack of frameworks; in fact, overlapping and conflicting compliance directives are a common problem. Businesses select frameworks they believe are necessary, but they often deploy them in a disconnected manner.
The challenge is one of integration, in which compliance, assurance and control come together as a cohesive unit. By creating a unifying framework for your company, you can ensure that various controls work in concert without wasting precious resources.