
Cybersecurity frameworks are not enough to protect organizations from today’s threats



As the number of cybersecurity incidents increases, critical infrastructure and global enterprises are increasingly being targeted by financially motivated cybercriminal gangs and even national threat actors. Today’s organizations face increasing threats and increasing risks due to a constantly evolving threat landscape.

Last year, new cryptojacking and ransomware programs increased by 75% and 42%, respectively, while OT vulnerabilities jumped 88%. Overall, companies experienced an average of 270 attacks in 2021, an increase of 31% compared to 2020.

It is clear that threats are growing at an unprecedented rate, forcing security teams to grapple with the seemingly endless challenges these risks pose. To address the business risk now at the forefront of conversations with cybersecurity boards, companies in both the public and private sectors have implemented cybersecurity frameworks such as NIST and MITRE ATT&CK.

Cybersecurity frameworks are designed to help businesses and governments better understand, manage and mitigate their cybersecurity risks. Currently, all 16 critical infrastructure sectors, including energy and manufacturing, use the NIST framework, while 80% of companies use MITRE ATT&CK. A recent ThoughtLab study found that leading organizations often use more than one framework to meet global standards and improve cybersecurity outcomes.



While frameworks such as NIST and MITRE ATT&CK provide a practical foundation for basic cybersecurity practices, organizations should view them as the beginning of their cybersecurity journey, not the final destination. To ensure they have a well-rounded and effective security program, companies need to build on the framework and move beyond a “check-the-box” mindset to achieve a continuous state of security.

Break the traditional reactive “scan and patch” approach

While frameworks such as NIST and MITRE ATT&CK provide organizations with a starting point, these frameworks focus on reactive strategies that are no longer sufficient to keep up with the pace and scale of threats. For example, two of the five core pillars of the NIST cybersecurity framework focus on detect-and-response tactics, which occur after an attack. While the MITRE ATT&CK framework is a guideline for classifying and describing cyberattacks and intrusions, the guidance it provides is also linked to an attack response tactic.

Reactive strategies outlined in cybersecurity frameworks that focus on scanning and patching are not just slow and laborious; in many cases, they also do not reflect the level of risk associated with a threat. This often results in valuable resources being wasted on false alarms.

While cybersecurity frameworks are voluntary guidelines for private sector organizations, federal agencies and government contractors are required to comply with NIST’s cybersecurity frameworks. This creates a strong focus for public sector organizations on achieving compliance rather than developing proactive strategies that will have a greater impact.

Proactively combat current cybersecurity threats

The threat landscape has evolved dramatically, while cybersecurity practices unfortunately lag behind. Traditional approaches are no longer enough to withstand a growing attack surface and increasing threats, so what’s the alternative? A recent study from ThoughtLab sheds light on how a group of organizations are flipping the story, ignoring the reactive models of the past and shifting cybersecurity to a process of precise, continuous exposure and threat management that can identify and mitigate risk.

This proactive approach to cybersecurity includes regularly assessing the likelihood and impact of risks, performing advanced quantitative and scenario analysis, integrating cybersecurity into enterprise-wide risk management, and working with business leaders to proactively mitigate risk. A risk-based approach enables organizations to achieve greater cybersecurity proficiency by giving them the tools to identify, measure, prioritize and manage the threats they face.

Amid the current economic uncertainty, security leaders need a way to mitigate risk in a timely manner while ensuring they have tools that can quantify the economic impact of cybersecurity risks on the business. By quantifying risk through risk analysis, organizations can identify and prioritize threats and ultimately calculate the true return on investment of their cybersecurity strategies.

Risk-based cybersecurity has been proven to reduce breaches

By taking a proactive approach to defending against critical threats, organizations can effectively focus their remediation efforts on vulnerabilities that expose them to cyberattacks. According to recent research, 48% of organizations without breaches in 2021 took a risk-based approach to their security programs.

In addition to cybersecurity frameworks, modern risk-based strategies enable organizations to build robust, modern cybersecurity programs that defend against today’s unpredictable threats, especially for security teams tasked with protecting complex environments.

Gidi Cohen is CEO and founder of Skybox Security.
