Utilizing Cyber Security Standards And Frameworks

Alarice Rajagopal | 07/08/2019

After establishing a risk assessment and risk management as the foundation for a cyber security program, many enterprises then turn to a control framework or set of standards to help streamline processes and reduce costs. Standards can help the organization define terminology, and manage systems, processes and controls in a more streamlined or uniform manner.

On the other hand, many enterprises have to comply with a mix of state, industry-specific and/or international cyber security regulations. Among respondents to our recent "Cyber Security Mid-Year Snapshot 2019" survey, Figure 16 (below) shows that the largest group, at 44.93%, is using the ISO/IEC 27000 family of standards, which aims to help organizations "keep information assets secure."

The next largest group is leveraging the NIST Cyber Security Framework (CSF) at 39.13%. As shown in the survey demographics, almost half of respondents are based in North America, so it comes as no surprise that the NIST CSF is high on the list. In the U.S., this Framework is widely pointed to as the go-to standard for security practices and development. While the use of the CSF is not mandatory for the private sector, many enterprise security leaders are still adopting it to provide a more common language and systematic methodology.

“The updated NIST cyber security framework is a pragmatic tool to enable an organization to gain clarity on its current level of capability for cyber risk management,” says James Turner, cyber security industry analyst for IBRS.


See Related: "NIST Releases IoT Cyber Security And Privacy Risks Report"

Modeled after the NIST CSF is NIST's latest Privacy Framework, announced at RSAC 2019, which is also meant to be risk-based, outcome-based and non-prescriptive in order to increase adoption. With the abundance of data breaches in the news lately, this could be an upcoming framework to watch as enterprises try to get a better handle on their data privacy security strategies.

Finally, and perhaps surprisingly, the next highest number of respondents (28.99%) are not using any industry frameworks or standards at all. As this is the first time the question has been put to survey takers, it will be interesting to follow up and determine whether the use of these continues to grow or stalls.

See Full Report: "Cyber Security Mid-Year Snapshot 2019"

 
