Security experts and pundits strongly advocate for adoption of leading cybersecurity frameworks, yet many companies are not heeding their advice.
These frameworks include:
Related post: NIST, CIS/SANS 20, ISO 27001 – Simplifying Security Control Assessments
Organizations are either opting not to use these frameworks or are encountering major implementation problems when they try to use them.
Astonishingly, 95 percent of organizations said they face significant challenges in trying to implement cybersecurity frameworks, according to a survey of 319 IT security decision makers by Dimensional Research on behalf of CIS and Tenable Network Security.
Respondents identified a number of obstacles to cybersecurity framework implementation, including lack of trained staff (57 percent), inadequate budget (39 percent), lack of prioritization (24 percent), and insufficient management support.
Let’s take a closer look at these obstacles:
Worldwide, there is a huge shortage in skilled cybersecurity professionals. According to a survey of 775 IT pros in by Vanson Bourne on behalf of Intel Security and the Center for Strategic and International Studies (CSIS), 82 percent of respondents admitted to a shortage of cybersecurity skills at their company, with 71 percent of respondents citing this shortage as responsible for direct and measurable damage.
The IT pros surveyed estimated that 15 percent of cybersecurity positions in their company will go unfilled by 2020. This is a problem across the board, not just for companies struggling to implement security frameworks.
James Lewis, senior vice president and director of the Strategic Technologies Program at CSIS, observed that a “shortage of people with cybersecurity skills results in direct damage to companies…This is a global problem.”
Security budgets across the board are lagging behind the security challenges faced by companies. The average IT security budget for enterprises worldwide declined from $25.5 million in 2016 to $13.7 million this year, according to a survey of 5,000 businesses worldwide by Kaspersky Lab and B2B International. This despite the growing costs of data breaches.
Obviously, with IT security spending contracting, there is a lot less to go toward implementing cybersecurity frameworks. What is left goes to protecting critical data and putting out fires.
With shrinking budgets, upper management is less likely to prioritize investment in complicated security frameworks. A SANS survey of organizations implementing the CIS Critical Security Controls (CSCs) framework found that only one-quarter of security managers received support for adopting security controls from their chief executive officer, chief operating officer, and business units.
“It is important for tactical managers to take steps to introduce CEOs, COOs, and boards of directors to the CSCs as a means through which to identify and defend their organization’s assets,” said James Tarala, SANS analyst and author of the survey report.
Despite these obstacles, company should implement a cybersecurity framework, such as the CIS Critical Security Controls, which provide specific and actionable ways to stop pervasive and dangerous attacks.
The CIS controls are based on common attack patterns identified in threat reports and vetted across a broad community of government and industry practitioners. They were created by security experts from the National Security Agency, Department of Energy, law enforcement organizations, and top forensics and incident response organizations, explained the SANS Institute.
Based on analysis of new attack vectors, the controls are updated so they can stop or mitigate those attacks. The controls transform threat data into guidance to improve individual and collective security in cyberspace.
The top 20 CIS controls are:
We, at, can help you understand if your business systems or assets are at risk using the CIS top 20 controls. We can monitor and provide real-time assessments of your assets.
Our ArkAngel platform provides you with a security score of your systems against the CIS top 20 controls. It also gives you a risk score and vulnerabilities associated with your systems, as well as historical data about system vulnerabilities and trends in at-a-glance graphical format.
ArkAngel 5.9 includes a Governance Module, the governance, risk management, and compliance component, and a Vulnerability Management Dashboard, the tactical component.
The Governance Module focuses on your asset properties and the vulnerabilities that are discovered continuously. It helps you understand what your current security posture is, how it can evolve, and how you can lower your risk in line with your business objectives.
Our dashboard lists the top vulnerabilities that would expose you to the highest risks and helps you prioritize vulnerability fixes to avoid ransomware attacks and data breaches. The dashboard runs monthly reports based on statistics and indicators generated by scanners and compares trends over time, and we give you the flexibility of creating customized reports.
Reports vary from executive-level to detailed technical reports, providing your organization with different perspectives relevant to your users. Our security posture and trend analysis reports provide you with a view of your network’s security evolution over time.
We maintain an up-to-date database that includes thousands of known vulnerabilities. Through our customer portal, you can see the threat levels in your network and learn how to fix them. For more advanced threat levels, our team of security experts can provide threat remediation assistance.
Both components have visualization components and reporting capabilities that help you prioritize which vulnerabilities to patch first. In addition, the reporting enables your security teams to provide updates to upper management and the board of directors about current risk levels, mitigation efforts, and strategic goal setting.
The ArkAngel 5.9 platform turns security from a reactive process of scanning, assessing, and implementing patches to a proactive risk management process of applying critical patches to high-value systems efficiently and effectively.
Security experts agree that adopting and implementing a comprehensive security framework is a certain method to optimizing your risk management strategy and identifying your strengths and weaknesses in an organized, prioritized manner. As we’ve suggested, in many respects the key to success goes beyond implementation to gap analysis, measurement and continuous improvement.
In order to get a sense of how this best practice would work in your own organizations please reach out to one of our certified security consultants for a one to one consultation.
