Applying a Security Framework to a Changing Infrastructure
- Business value comes from using the framework to demonstrate that you are doing due diligence in a way that can be measured and that drives trust, and trust drives business.
- Many factors can be considered with a framework, including weighing risk against the cost of achieving a certain posture, and seeing where you are compared to your competition.
- KAR has extensive partner relationships with banks, insurance companies, and auto manufacturers, and one of the big drivers behind its security strategy is complying with the requirements of these partners.
The main reason Arlie Hartman, information security architect at KAR Auction Services, is using a security framework is to satisfy the security requirements of KAR’s customers. “We use the NIST Cybersecurity Framework here to measure our security program,” says Hartman. “We may leverage NIST controls from that framework, or we may use our own. Whatever framework you use, the key question you have to ask is, does it meet the needs of the organization from a complexity and risk standpoint?”