Security Frameworks Must Serve Business Objectives
- One of the greatest values of a security framework is that it helps to more strategically bridge the difference between security requirements and business needs.
- A third party may implement a framework more quickly, but you understand your business best. That’s the key to having a security program that serves strategic business objectives.
- Ultimately, frameworks serve as guardrails for being secure and compliant in a way that serves business goals.
“Use some of the frameworks as best practices, but also apply the framework controls that are essential for your business, and then use automation to drive those controls.”
For Floyd Fernandes, vice president and chief information security officer (CISO) at a large media organization, one of the greatest values of a security framework is that it enables him to more strategically bridge the difference between security requirements and business needs. “The industry has historically come from this attitude of ‘let’s lock everything down,’” Fernandes says. But that is changing. Now businesses and security experts recognize that security must also serve as a business enabler. “You need to take more of a guardrail approach,” he says. “This means using some of the frameworks as best practices, but also applying the framework controls that are essential for your business, and using automation to drive many of those controls.”