When it comes to cybersecurity in your business, where do you start? There are many models, standards, and frameworks out there. Choosing the correct path can be daunting. For instance, there is sector specific cybersecurity guidance for industries such as Energy. In Energy the voluntary C2M2 tool can be used. However, if a company deals with more than one industry like Energy and DoD another compulsory tool is available such as the CMMC. An organization in this setting would be held to the standards of both tools. In this case, it might be wise to hold to the NIST cybersecurity framework. The NIST framework could be considered a “gold standard” that even these DOE and DoD tools map to. Abiding by and adhering to the NIST framework though is an exceptionally large and cumbersome task.
It may seem to an outsider that interagency policy coordination would be merited. In such a case, the NIST framework would likely be the best way to comply with the various types of guidance out there. Unfortunately, there does not seem to be a one-size-fits-all solution from this perspective which may be the intent of sector specific cybersecurity guidance after all.
Often, when certain sets of guidance seem to clash against each other, it is best practice to adhere to the more restrictive of the two. This practice offers a higher probability that you will be in compliance. Taking this perspective, a bottom-up approach with the “greatest” sector of the lot being chosen as the starting point for cybersecurity maturity assessment and implementation. From there, other sectors’ guidance can be assessed against the organization’s current standing. In this case each policy or practice can be reviewed for conflict and the more apt solution, which would still adhere to all included sector guidance, can be chosen.
From here, if no solution can be found or merited, a look into the NIST framework could reveal more of the intent and/or inclusion of the specific policy or practice and provide a better picture of the necessary guidance. This sort of approach would allow an institution to get a foothold in the cybersecurity space without necessarily being immediately overwhelmed by conflicting practices and guidelines. This approach lends itself well to companies who may not be cybersecurity specific but do have cybersecurity needs that need to be met. Barring this approach, the relevant question regarding over-arching cybersecurity needs is, where do I start? To which, one answer in the form of a question is offered, “How do you eat an elephant?”