
Beyond box-ticking – the strategic value of cybersecurity frameworks

SMX Blog, 12 2024

As cyber threats become profuse, relentless and sophisticated, too many CISOs continue to play technology gatekeeper and cultural outsider rather than leader. The result is not just missed business opportunities but an inherently weaker security posture.  
CISOs must look beyond never-ending perimeter strengthening to take a more strategic and whole-system approach, says multi-award-winning CISO Chirag Joshi.  
“The problem is when we take just a strictly compliance-based approach that does not reflect the organisation’s risk appetite – ticking boxes and putting in controls without considering the context.” 
Chirag sat down with Mounika Ainala, SMX’s Security Assurance Compliance and Risk Specialist, to discuss how cybersecurity frameworks can support the evolving role of the tech leader.

The magic of the framework 

“Far too often, organisations think they’re secure because a specific solution or a product will solve the problem,” says Chirag. 
By contrast, a framework offers guidance for systematically assessing an organisation’s risk and security posture within its unique context and against a controlled objective. 
“You can consider your industry, the amount of revenue or sensitive data you hold, how critical your infrastructure is to the day-to-day running, and your most likely threats. For example, the criminals out to make money have a very different way of operating from nation-states. They need different countermeasures.”  
All of these considerations, says Chirag, are uncovered within the structure of a security framework. 

Baking cybersecurity into BAU

Catching, preventing and responding to cyber threats requires speed. Therefore, it’s impractical to continue relegating cybersecurity management and processes to IT and technical staff.  
“There should not be a choke point where everyone needs to come to this one team to assess. It slows everything down,” says Chirag.  
The centralised approach comes with other risks, too. Non-technical team members may feel unburdened by responsibility as they get on with their ‘real’ work. This may make them more vulnerable to attacks, particularly those that leverage social engineering. It can also stifle innovation within teams that feel they have little ownership over security processes.  
Instead, CISOs should look to democratise cybersecurity, spreading the weight of responsibility more evenly and allowing faster, more proactive responses. This sense of ownership redoubles as non-technical staff grow in awareness and take preventative steps on their own initiative.  
Creating this culture comes down to building cybersecurity best practices into the everyday, says Chirag.   
“You start to educate the business to have informed risk choices within the guardrails of the framework. It’s about growing cyber judgment across the business.”  
This shared responsibility also reduces costs by requiring less heavy-handed and expensive oversight.  
“It lets the business make more educated and nuanced decisions about what risk they are happy to take.” 

Cybersecure, compliant by default

Cybersecurity poses three immediate challenges for boards: how can we protect the business by staying compliant with regulations, keeping operations running smoothly, and securing intellectual property? 
But locking down business security and ticking compliance boxes can seem to run in opposition to smooth, efficient operations. Chirag says it’s all about strategic alignment.  
“You need to put measures in place that are reasonable and proportionate to the business risk appetite,” says Chirag. 
A security framework gives CISOs and their organisations a roadmap to finding that balance – most security frameworks don’t just secure a business but also ensure it meets regulatory requirements. This is particularly helpful when an organisation is managing compliance with multiple regulators.  
“Most regulations will map onto a common framework. You translate a bunch of different regulatory requirements in a sensible way rather than tracking them all separately.” 
With the framework acting as a proxy for those myriad compliance requirements, the business can be sure it’s secure and compliant as a default. 

Innovation and progress 

Counterintuitively, the rigour imposed by a framework can alleviate the day-to-day burden of compliance and security. It can also ensure security measures align with the risk profile and appetite of the business so unnecessary protections don’t disrupt operations.  
“Technology will enable innovation and growth if it’s used pragmatically,” explains Chirag.  
It frees staff to explore opportunities for innovation unhampered by heavy-handed measures while knowing they’re operating securely. 
“That's how we can leverage security frameworks to actually drive meaningful progress,” says Chirag.  
Implementing a framework requires standardised practices across departments and the seamless integration of new technologies and processes, says Mounika, all of which are essential for rapid growth. 
“By looking at security holistically, it’s also setting the foundation for scale.” 

Prioritising recovery

“Far too often, people spend a lot of effort and resources on preventing things but not enough on detection and recovery,” says Chirag. “I get it. It’s the least interesting part sometimes, but it’s the most valuable in terms of business continuity.”  
A framework ensures people follow consistent processes for detection and response protocols.  
“That’s where the culture aspect comes in – your whole organisation needs to be going through exercises, not just the technical teams.” 
Building that ‘muscle memory’ primes the organisation for an ideal response to a successful attack while uncovering potential exposure points.  
As a bonus, these exercises make threats real for boards and executives. 
“You can systematically walk them through the weak points, so they understand and appreciate what needs to be done,” says Chirag. 

A competitive edge

Following an internationally recognised framework delivers a competitive edge, especially where competitors still take an ad hoc approach to cybersecurity. It reassures clients, investors and other stakeholders that you’re committed to protecting sensitive data while giving them a clear understanding of your approach and standards.  
It also means you may weather a major attack better than competitors.  
Mounika experienced just this in a previous role. After implementing a framework, the organisation was able to hit the ground running in the face of a cyberattack.  
“Those events triggered a series of actions from different teams.” 
As a result, the incident disrupted operations far less than it might have had they been less prepared. 
“And time is money!” adds Chirag. 

Leadership buy-in

At the heart of exceptional cybersecurity is a CISO who can champion its importance with senior decision-makers. Again, a framework that aligns with business goals and strategies while delivering on must-meet regulations and commercial obligations makes this work easier.  
“When everything maps back to a business outcome, you can start quantifying the initiative in terms of financial and enterprise risk,” says Chirag. 
It also offers a way of benchmarking and reporting against sector peers – a persuasive jumping-off point for selling a cybersecurity strategy to the board. 
“It gives a baseline against which they can choose to take on more or less risk.”

Visionaries needed in a new world of threats

The cybersecurity arms race continues at pace, with bad actors leveraging emerging tech unhampered by ethics or regulation. With generative AI polishing away the tell-tale signs of spoofing, we can expect to see ever more sophisticated phishing attacks – some we may not yet be able to imagine. 
The best and, indeed, the only way to combat this new world is with a strategic whole-system approach. 
So, while cybersecurity frameworks may seem like compliance necessities, they go far beyond box-ticking. They let organisations strategically target their most critical or vulnerable areas, democratising responsibility to speed up response times, cut costs and contribute to a culture of cybersecurity.  
It’s time for CISOs to leave the server room and recognise the framework’s true power: an essential tool for business resilience, stability and growth. 
To start the journey from ad hoc to holistic cybersecurity, book your free consultation with an SMX expert.