Even for Sophisticated Companies, Frameworks Help With Navigation and Priority Setting
- Mature companies tend to know what they need to do, but frameworks add an element of standardization and discipline that helps bring order and reproducibility to security processes.
- Choosing an appropriate framework requires experience and familiarity combined with a detailed business assessment and consideration of what partners may be doing.
- Thanks to frameworks, there is a certain type of “security consensus,” which tends to help all parties focus, communicate in a common language, and benefit from reproducibility that may not be possible without the framework.
“Frameworks simplify and reduce complexity because they restructure all the areas, so you can take out certain sections or certain areas and work on them one at a time, or divide and conquer.”
“The more mature a company is, the less dependent it probably is on standards,” says Daniel Cisowski, chief information security officer (CISO) at Vorwerk Group, a large German consumer-products company. “I believe this is because they already know what needs to be done.” However, according to Cisowski, this does not diminish the value of or need for frameworks. “I believe having a framework that you can align to is a very, very good thing — especially for small and medium businesses. They profit from having a framework or a standard that they can use, and frameworks help companies of all sizes to navigate through the security jungle,” he says.