Cybersecurity Frameworks: NIST vs. CIS

Jump to latest Follow Reply
#2
precious said:
In your experience, which cybersecurity framework do you feel has the most practical relevance for organizations today—NIST or CIS?
Click to expand...
I'm going to take the facile route to responding to this query by saying, one size doesn't fit all - it depends on the organization as to which framework would be the most practical.
 
  • Like
  • Love
Reactions: Steve Mallard and precious
#3
Trevor Chandler said:
I'm going to take the facile route to responding to this query by saying, one size doesn't fit all - it depends on the organization as to which framework would be the most practical.
Click to expand...
However, in your experience, have you found certain aspects of NIST or CIS frameworks to be particularly adaptable or effective across different organizational contexts?.......Or are there any guidelines or controls that you frequently suggest as a place to start?
 
  • Love
Reactions: Trevor Chandler
#4
Frameworks many times get rolled over and misused. Specifically, an organization will look and choose a framework based on its compliance requirements. So they will attempt to adopt a framework and push themselves to aligning with it, so if the compliance question is asked, they can say, "Oh yeah, we follow NIST/CIS/etc"

What is regularly missing is the concept of RISK ASSESSMENT. This is where you start, FIRST, before figuring out what framework would best suit. An inventory of assets, followed by risks to those assets to reveal vulnerabilities is what an organization has to do. Then, based on those requirements, choose the appropriate framework that makes sense.

Personally, I prefer NIST. But as there are so many frameworks out there that one might use, it makes sense that you have to start with the WHY, before you can proceed to the WHAT.

/r
 
  • Love
  • Like
Reactions: Steve Mallard, Trevor Chandler and precious
#5
Rick Butler said:
Frameworks many times get rolled over and misused. Specifically, an organization will look and choose a framework based on its compliance requirements. So they will attempt to adopt a framework and push themselves to aligning with it, so if the compliance question is asked, they can say, "Oh yeah, we follow NIST/CIS/etc"

What is regularly missing is the concept of RISK ASSESSMENT. This is where you start, FIRST, before figuring out what framework would best suit. An inventory of assets, followed by risks to those assets to reveal vulnerabilities is what an organization has to do. Then, based on those requirements, choose the appropriate framework that makes sense.

Personally, I prefer NIST. But as there are so many frameworks out there that one might use, it makes sense that you have to start with the WHY, before you can proceed to the WHAT.

/r
Click to expand...
Very very briliant points.....Do you think many organizations struggle with risk assessment because it’s more time-consuming, or is it just that compliance pressures drive them toward a 'check-the-box' mindset?
 
  • Love
Reactions: Trevor Chandler
#11
precious said:
However, in your experience, have you found certain aspects of NIST or CIS frameworks to be particularly adaptable or effective across different organizational contexts?.......Or are there any guidelines or controls that you frequently suggest as a place to start?
Click to expand...
I'm gonna have to give this one a lot of thought. I'll have to get back to you later!
 
  • Haha
Reactions: precious
You must log in or register to reply here.
Top Bottom
Back
Jump to latest Follow Reply
Jump to latest Follow Reply
Home
Media
Resources
Menu