The best cybersecurity guidelines have made a huge difference in protecting data from theft and compromise, both in the United States and around the world.
These guidelines are comprehensive sets of recommended practices, procedures and principles designed to help organizations and individuals safeguard their digital assets, systems and data from malicious attacks. They cover a wide range of practices and exist in part to collect and share best practices and strategies based on industry standards and expert knowledge. Crucially, they’re frequently updated to address evolving threats and technological advancements.
Truly effective cybersecurity guidelines serve as a roadmap for maximizing security. They are comprehensive, addressing both technical and organizational aspects. They come with clear governance structures, detailed implementation plans and the flexibility to adapt. And they recognize the importance of the human element, focusing on user empowerment and education rather than assuming and criticizing user ignorance.
However, not all cybersecurity guidelines are created equal. The least effective practices tend to overemphasize technology at the expense of human factors, neglect usability considerations, fail to address operational aspects or lack provisions for continuous assessment and improvement.
Here are the five cybersecurity guidelines that have made the biggest positive impact and three that could use some work.
1. NIST CSF
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is one of the most effective and influential cybersecurity guidelines. One reason is that it’s comprehensive and built around five core functions: identify, protect, detect, respond and recover. This structure gives organizations a holistic view of cybersecurity risk management, ensuring that all critical aspects are addressed.
The NIST CSF evolved over three main iterations: Version 1.0 was initially released in 2014, followed by a minor update to Version 1.1 in 2018 and a major overhaul with Version 2.0 in 2024.
It’s also flexible. Organizations of all sizes and across various sectors can readily adapt the framework to their specific needs, making it widely applicable.
2. ISO 27001
The ISO 27001 standard has made a big difference in global cybersecurity due to its highly systematic approach and emphasis on continuous improvement. It offers a structured methodology for identifying, assessing and treating information security risks. As an internationally recognized standard, ISO 27001 certification is respected across various industries and borders.
3. CIS Controls
The Center for Internet Security (CIS) Controls have become widely adopted as a practical and effective set of cybersecurity guidelines. The guidelines are characterized by prioritized actions, addressing the most critical security measures and helping organizations allocate resources efficiently. The framework’s tiered implementation allows organizations to tailor their strategy based on size and cybersecurity maturity. CIS regularly updates the controls to address emerging threats and evolving best practices.
4. CSA Cloud Controls Matrix
The Cloud Security Alliance (CSA) Cloud Controls Matrix stands out thanks to its cloud-specific focus, addressing the unique security challenges inherent in cloud computing. Its comprehensive coverage spans multiple security domains, including application security, encryption and identity management. The matrix’s interoperability aligns with other major standards and regulations, facilitating compliance across multiple frameworks for organizations.
5. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) has greatly improved payment card security despite its industry-specific nature. Organizations handling payment card data must comply with PCI DSS, ensuring widespread adoption. The standard offers detailed and actionable requirements for protecting cardholder data. And it regularly evolves to address emerging threats and technologies in the payment card industry.
Some cybersecurity guidelines haven’t made such an impact
Sadly, some cybersecurity guidelines haven’t been received as fondly as the five listed above. Here’s the cybersecurity guidelines Hall of Shame:
The TSA’s initial pipeline directive
In the wake of the Colonial Pipeline cyberattack, the Transportation Security Administration (TSA) issued its initial pipeline security directive, known as Security Directive Pipeline-2021-01, on May 27, 2021.
The directive aimed to enhance cybersecurity measures for pipeline owners and operators across the United States.
The initial directive mandated several key requirements for pipeline companies. It called for the designation of a Cybersecurity Coordinator who would be available 24/7 to respond to incidents and coordinate with government agencies. Additionally, companies were required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of detection.
Many cybersecurity experts viewed it as hastily implemented and based on inadequate industry consultation. According to critics, the directive was too prescriptive in some parts and too vague in others, and it was criticized as too inflexible.
The directive was revised and satisfied many of the industry criticisms.
The UN cyber crime treaty
The United Nations finalized and approved a new global cyber crime convention in August, marking a significant milestone in international efforts to combat cyber crime. The treaty is a milestone because it’s the first cyber crime treaty negotiated and accepted by consensus among all UN member states (after three years of negotiations).
But some critics say the treaty would effectively criminalize cybersecurity research, that it’s outdated and overly prescriptive. They say it might actually weaken global cybersecurity.
Draft U.S. cyber reporting rules
The Cybersecurity and Infrastructure Security Agency (CISA) has recently proposed draft rules for cyber incident reporting in the United States, which could impact how critical infrastructure companies report cyberattacks to the federal government.
The draft rules target companies that own or operate systems deemed critical infrastructure by the U.S. government. This includes sectors such as healthcare, energy, manufacturing and financial services. The rules also extend to companies with operations vital to a sector’s functionality, including various service providers.
Some organizations have expressed concern that the reporting requirements may be burdensome (especially to smaller organizations), costly and overlapping with existing requirements.
The National Association of Manufacturers said the rules are overly broad and could affect more than 300,000 entities, casting doubt on whether all target organizations are involved with “critical infrastructure.”
The best cybersecurity guidelines strike the right balance
Cybersecurity guidelines are intended to improve security, and the best ones are vital tools that advance organizations toward that objective. Crafting excellent guidelines requires plentiful industry input, comprehensive coverage of the relevant issues and enough flexibility to accommodate organizations of different sizes and types.
The post The 5 most impactful cybersecurity guidelines (and 3 that fell flat) appeared first on Security Intelligence.