Breaking Down Barriers to Cybersecurity Frameworks
Posted: Friday, Aug 09

Today, cybersecurity frameworks play a crucial role in guiding organisations towards robust defence strategies. However, many organisations face significant challenges in effectively adopting and implementing frameworks such as Zero Trust or the Australian Government’s Essential Eight.

The complexity of deployment, the need for a cultural shift, challenges in team alignment, and the absence of external evaluation mechanisms are key roadblocks that hinder the widespread adoption of these frameworks.

Fortifying defences requires a significant cultural change within an organisation. It involves implementing controls gradually, often starting with basic measures like blocklisting applications and progressing to more advanced strategies such as allowlisting. Each control has its own set of requirements and limitations, making the deployment process complex and time-consuming.

Additionally, the deployment of these controls requires a shift in mindset from reactive to proactive. This change in culture is not easy to achieve because it often involves breaking down silos within the organisation and fostering collaboration between different teams.

Often, these efforts are thwarted by a lack of alignment among internal teams. Each team within an organisation may have different credentials, responsibilities, and priorities, making it challenging to align efforts towards a common goal. This lack of alignment can result in a fragmented approach to cybersecurity and dangerous gaps in security coverage.

Organisations can address misalignment by taking a proactive role in overseeing team collaboration, ensuring teams are working towards a common objective.

For cybersecurity frameworks to be effectively adopted, deployment and implementation should be driven by top management, and the necessary resources need to be provided to support the deployment process.

One of the key factors differentiating frameworks like the Essential Eight and Zero Trust from other standards like International Organization for Standardization (ISO) certifications is the absence of external evaluation mechanisms. ISO certifications are backed by external bodies that evaluate and certify adherence to the standards, providing organisations with a clear benchmark for their security practices.

In contrast, frameworks like the Essential Eight are not legally mandated, and there is no external body to evaluate and certify adherence. This lack of external validation can lead to these frameworks not being taken seriously despite their proven effectiveness.

In working towards the goal of a safer and more secure digital environment, simply implementing technical controls is not enough. To face the problem head-on, organisations must break down the roadblocks slowing their effective adoption of cybersecurity frameworks through a cultural transformation from within.

Mohamed Marjook Hussain, regional technical head, ANZ & APAC for ManageEngine

Mohamed Marjook Hussain is regional technical head, ANZ & APAC for ManageEngine. He is a technology-driven professional with 10+ years of experience in the following areas of the IT industry:
• ITSM Process Design, Implementation & Training
• ISO/IEC (SMS, ISMS, BCMS) Internal Audit
• IT Management Applications Pre-Sales, Implementation, Training & Support
• Partner Enablement & Training
• Presenter in Events/Seminars
• Key Accounts Management
• Team Management
• Project Management
• IT Technical Support