
What are the benefits of a risk-based framework for security?

Many organizations use a risk-based framework to help manage their cybersecurity program. Expert Mike O. Villegas discusses the development and benefits of current frameworks.

The Global State of Information Security Survey 2016 from PricewaterhouseCoopers shows that 91% of surveyed organizations follow a risk-based cybersecurity framework. What are the other types of frameworks? What are the benefits and drawbacks of using a risk-based framework?

Cybersecurity frameworks have existed since the 1980s. For example, in 1985, five private-sector organizations formed a joint initiative to sponsor the National Commission on Fraudulent Financial Reporting, commonly known today as the Treadway Commission. With assistance from Coopers & Lybrand -- the predecessor of PricewaterhouseCoopers -- and in response to questionable corporate political campaign finance practices and foreign corrupt practices, the Treadway Commission introduced the Committee of Sponsoring Organizations (COSO).

COSO developed a framework that evolved into the Internal Control - Integrated Framework (ICIF) in September 1992. Most current frameworks -- ISO 27001, COBIT and CSF -- have a foundational basis in ICIF. ISO 27001, which developed from BSI Group's BS 7799, was originally published in 1995. In February 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. Then in February 2014, the framework developed under that order was formally released as the Framework for Improving Critical Infrastructure Cybersecurity.

Another framework, COBIT, was developed by ISACA and released in 1996. COBIT focuses its controls on business risks and strategic objectives. There are now COBIT 5 for Risk and COBIT 5 for Information Security. A more recent framework is ISACA's progressively expanding Cybersecurity Nexus program.

The list of risk frameworks is extensive, but it is important to know that they evolved from being controls-based to being business risk-based. Risks are not new, and they have always been the standard for cybersecurity frameworks. But as logical as it might seem to deploy protection schemes based on risk, they are often difficult to fully adopt. Several factors contribute to the difficult adoption of a risk-based framework, but the primary reasons are poor planning, a reactive approach to incident response, triage-style protection, insufficient budgets, inadequate skill sets and a lack of full management support.

There are numerous benefits of using a risk-based framework. They include proper planning, since frameworks are typically comprehensive; proactive rather than reactive incident response; a focus on high-risk, mission-critical IT environments; help in justifying annual budget requests; identification of the personnel and resources needed to protect mission-critical systems; and the respect and support of executive management.

So there aren't really any drawbacks to using a risk-based framework. The problems don't come from the framework; they come from how it is deployed. Cybersecurity frameworks can be comprehensive, but the majority of them are not holistic -- there is a difference. Comprehensive frameworks cover every area of technology considered in scope for an enterprise. Holistic frameworks are more than comprehensive: they embed information security into the business, focus on strategic business objectives, and are flexible and easy to use. The challenge is whether either of these two approaches is deployed based on risk, and whether the CISO has the knowledge, experience and, more importantly, the support of management to implement them.


This was last published in June 2016
