Chief Information Security Officers (CISOs) often talk about reducing the risk of financial loss to their organizations – whether it be through reducing the likelihood of unauthorized disclosure, ensuring information reliability and integrity, or reducing the risk of a breach causing downtime, unavailability, and damage to information assets and their respective systems. One of the first activities a new CISO will undertake is the selection of a control framework to increase the maturity of the cybersecurity (or information security) program.
There are many to choose from, such as ISACA’s recently updated COBIT 2019 framework, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the ISO 27001 Information Security Management System standard, the Center for Internet Security (CIS) Security Controls, the Information Security Forum (ISF) Standard of Good Practice for Information Security, or NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. We can also look to standards, laws, and regulations, such as the Payment Card Industry (PCI) Data Security Standard and the various sector-specific cybersecurity laws and regulations, to determine an appropriate framework. Further, we can use overarching frameworks that map the controls of each into one tool, such as the Cloud Security Alliance’s Cloud Controls Matrix or the HITRUST Common Security Framework, which harmonizes multiple standards and frameworks. Or, we can engage a Big Four consulting firm to provide its own proprietary framework to advance the maturity of the program. New approaches are also emerging, such as the CMMI Cybermaturity Platform, which focuses on a risk-based approach to cyber resilience and on building board confidence.