Frameworks Provide an Excellent Way to Understand Risk
- Frameworks provide a central gathering point for important questions about the business that must be answered before moving forward.
- Adherence to a framework helps everyone in the organization see why their part is critical and that the actions they must take are not random but part of a disciplined plan.
A practical approach to security, according to Gary Hayslip, chief information security officer and vice president of Webroot, is first to understand and quantify risk. “To me, frameworks are just a way to understand your risks,” he says, “because you must have a place to start. What do you actually have? What’s important? What are you doing that’s good? What are you doing that you probably need to change? Are you totally missing things? Many times, you don’t know until you start asking questions. The typical driver of such questions is someone who has made a conscious decision to follow some type of best practice, a framework. Every framework I’ve used in the cyber domain has focused on answering two questions: How much risk do we have, and what’s the impact to the business?”