No matter the industry that you work in or the maturity of your business, questions about the security of your systems and your users' data will always be present. If you are a leader in tech, you're probably sat somewhere between having a constant nagging feeling that you should be doing more and having sleepless nights about missing something that could take the entire company down.
This is a question that I get asked a lot. There is a lot to unpack here, not least that many security frameworks, including SOC 2, do not actually lead to a certification at all.
First, though, let's consider the two main reasons for using a security framework.
To improve the security of your systems and data;
To demonstrate your commitment to the security of your systems and data.
Is a security framework worth using to improve the security of your systems and data? The short answer is yes. The slightly longer answer is yes, if you are serious and committed to improving the security of your systems and data. The more cautious and caveated answer is yes, as long as you are continually learning, adapting, and mitigating so as to identify and protect against risks, and are prepared and able to respond to and recover from the issues that will undoubtedly still occur.
What a security framework can do is, well, provide a framework for thinking about your system and organizational controls. The most important word here is thinking. If you use the framework just as a checkbox exercise then you are really missing the point, and you probably won't see big improvements to your actual security.
Is it possible to do a good job of securing your systems and data without using a security framework? Sure. But it is always worth at least considering the cumulative advice and experience that has come from many experts in the field.
Let's leave aside the question of whether you can actually get certified in the various frameworks for now. Is demonstrating compliance with one of the security frameworks worth doing?
Undoubtedly, there is always value in being able to demonstrate that you take security seriously. However, whether the time, effort, and cost of demonstrating compliance is worth it depends on your situation.
The main drivers for moving forward in demonstrating security compliance are:
You have customers, potential customers, investors, legal, regulators, etc, requesting that you demonstrate compliance.
You are spending too long answering bespoke security questionnaires, and would like to minimize that effort by showing compliance with a security framework.
You want to quickly reassure and build confidence with potential customers in marketing and sales communications.
You want to be able to CYA in the event of a security breach or other security issue.
Remember, the purpose of demonstrating compliance with a security framework is not to improve the security of your systems. It is to allow the easy and transparent communication of your commitment to security. If this communication method represents enough value to offset the time, cost, and effort of demonstrating compliance with a security framework, then it's probably worth doing.
"The best time to plant a tree was twenty years ago. The second best is now."
Building your systems and processes with security baked in by design from the outset definitely makes your life easier. If you are not starting from scratch, though, then the next best option is to start taking steps in that direction now. It can feel overwhelming just thinking about how to get started, and of course, you have a billion other priorities. The good news, unless you have waited until an urgent requirement to demonstrate compliance has come in or you are scrambling in the aftermath of a data breach, is that you don't have to try to do everything at once. It is possible to make significant, pragmatic steps that will improve your security situation without huge cost or putting all other development on hold.
Naturally, the best option for you depends on your situation. Below are a few of the most popular security frameworks for use by a broad range of companies and industries.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations on how to manage cybersecurity risks, regardless of organization size or cybersecurity maturity. The CSF describes desired outcomes, rather than prescriptive processes and approaches, and provides resources and suggestions on how specific outcomes could be achieved.
Given the flexibility of the CSF and the free resources and guides that are available, this is a good place to start when first addressing and understanding your cybersecurity risks. There is no governing body to certify your compliance with the framework, but you could contract a third party to assess your adherence to it.
SOC 2
The Association of International Certified Professional Accountants (AICPA) provides a suite of System and Organization Controls (SOC) reports that set expectations for different types of organizations. SOC 2 relates to the operations of service organizations, and sets expectations for controls based on a selection of Trust Services Criteria (TSC).
SOC 2 details the criteria that an organization should have controls around, if relevant to the activities of that organization. However, how the expectations are met is flexible, and so an organization can meet them in different ways. There are five TSC categories, with Security (also referred to as the Common Criteria) the only one that is required for all audits. The Availability, Confidentiality, Processing Integrity, and Privacy categories are all optional.
SOC 2 can be considered as three distinct but related concepts:
The system of controls and processes that an organization puts in place so as to fulfill the expectations set out by the AICPA.
The independent audit that is performed to assess the design of an organization's controls and processes at a point in time (Type 1 audit), or both their design and their operating effectiveness over a period of time, typically several months (Type 2 audit).
The output of the above audit is an attestation report, which can be shared with interested parties to provide confidence and transparency into the controls and processes that the organization has in place. The auditor does not certify compliance against SOC 2 requirements; rather, they attest their opinion on the suitability and effectiveness of the controls.
SOC 2 is a very popular choice, especially for service organizations within the US. Given the flexibility in determining which criteria are relevant for an organization and how the expectations are met, the framework can be less onerous to adhere to than others, especially for less mature organizations.
ISO 27001
ISO 27001 (with supporting guidance in ISO 27002 and ISO 27003) was created by the International Organization for Standardization, and is more widely known and respected internationally than SOC 2. ISO 27001 requires the organization to establish an Information Security Management System (ISMS) and specifies a reference set of controls (Annex A), each of which the organization must either apply or justify excluding in its Statement of Applicability. Although intended for organizations of any size, the requirements of ISO 27001 and the associated time and cost to prepare for and complete an audit can be difficult for a less mature organization to take on.
Unlike SOC 2, an ISO 27001 audit by an accredited certification body will lead to certification against the requirements. Rather than the expression of an opinion on the effectiveness of controls that a SOC 2 audit provides, the ISO 27001 audit is a more binary decision on whether the requirements have been met.
A security framework can act as an effective guide when developing your security controls, processes, and policies. This is something important to take seriously whenever you store or process sensitive or business-critical data.
Demonstrating compliance against a security framework is valuable when you want to be able to transparently and effectively communicate your commitment to security.
Of course, security is just one part of the overall picture. You could store all your users' data on an encrypted hard drive, seal it in a lead-lined container, encase it in reinforced concrete, and sink it to the bottom of the ocean. It might be fairly secure, but probably not all that much use to your users. Your systems must be available, and the integrity of the data that you store and process must be assured. Sorry for stating the obvious, but there are always tradeoffs, and that's what makes life so fun!
If you would like help developing your approach to security controls, then contact us to discuss your options.