
Cybersecurity Frameworks: NIST vs. CIS

In your experience, which cybersecurity framework do you feel has the most practical relevance for organizations today—NIST or CIS?
I'm going to take the facile route to responding to this query by saying, one size doesn't fit all - it depends on the organization as to which framework would be the most practical.
 
> I'm going to take the facile route to responding to this query by saying, one size doesn't fit all - it depends on the organization as to which framework would be the most practical.
However, in your experience, have you found certain aspects of the NIST or CIS frameworks to be particularly adaptable or effective across different organizational contexts? Or are there any guidelines or controls that you frequently suggest as a place to start?
 
  • Love
Reactions: Trevor Chandler
Frameworks many times get rolled over and misused. Specifically, an organization will look at and choose a framework based on its compliance requirements. So they will attempt to adopt a framework and push themselves to align with it, so that if the compliance question is asked, they can say, "Oh yeah, we follow NIST/CIS/etc."

What is regularly missing is the concept of RISK ASSESSMENT. This is where you start, FIRST, before figuring out which framework would best suit. An inventory of assets, followed by the risks to those assets to reveal vulnerabilities, is what an organization has to do. Then, based on those requirements, choose the appropriate framework that makes sense.

Personally, I prefer NIST. But as there are so many frameworks out there that one might use, it makes sense that you have to start with the WHY, before you can proceed to the WHAT.

/r
 
> Frameworks many times get rolled over and misused. Specifically, an organization will look at and choose a framework based on its compliance requirements. So they will attempt to adopt a framework and push themselves to align with it, so that if the compliance question is asked, they can say, "Oh yeah, we follow NIST/CIS/etc."
>
> What is regularly missing is the concept of RISK ASSESSMENT. This is where you start, FIRST, before figuring out which framework would best suit. An inventory of assets, followed by the risks to those assets to reveal vulnerabilities, is what an organization has to do. Then, based on those requirements, choose the appropriate framework that makes sense.
>
> Personally, I prefer NIST. But as there are so many frameworks out there that one might use, it makes sense that you have to start with the WHY, before you can proceed to the WHAT.
>
> /r
Very, very brilliant points. Do you think many organizations struggle with risk assessment because it's more time-consuming, or is it just that compliance pressures drive them toward a 'check-the-box' mindset?
 
  • Love
Reactions: Trevor Chandler
> However, in your experience, have you found certain aspects of the NIST or CIS frameworks to be particularly adaptable or effective across different organizational contexts? Or are there any guidelines or controls that you frequently suggest as a place to start?
I'm gonna have to give this one a lot of thought. I'll have to get back to you later!
 
  • Haha
Reactions: precious