You have two choices – adopt a security framework, or roll your own security program. One option gives you a defensible, operationally sound, and effective set of practices that borrows from collective industry intelligence; the other is slow and inefficient.
From Rafal Los:
One of the things I have observed that is missing the most in the security field is structure. Security leaders struggle to replicate successes from one enterprise to another largely because they are starting from scratch at every new turn. However, anecdotal evidence from client engagements shows that a rigid structure won’t fit all use cases, which is absolutely true, as each enterprise has its unique quirks and nuances that make it just different enough to buck the pattern.
Somewhere between reinventing the word security at every turn and rigid structure is the desire to build repeatable patterns that are flexible enough to adapt to the unique and changing environments of different enterprises, market verticals, sizes and conditions. This is what I believe the role of frameworks plays. A framework by definition is a structure which has just enough rigidity to force consistency of vision but allows for unique adaptations within that vision.
…Once a set of guidelines is identified by an industry-neutral body across various maturity levels of organizations of all sizes and industries, we can discern the commonalities (let’s call these leading practices). These become the pieces of the framework. We then leave the details of the implementation to tailored, use-case-driven functional plans to make the framework real.