Which cybersecurity framework should we use?

There is nothing wrong with using popular frameworks to communicate cybersecurity across and outside of your organization. It is important that frameworks exist next to a strategy, not in place of one.

Which cybersecurity framework should we use?

Cybersecurity frameworks are selected based on a lot of factors. Commonly it's thought about like this:

Build according to NIST if you are an old-school cybersecurity practitioner.
Implement SOC2 if you are trying to bring in deals and see if anyone makes you do anything else.
Weave in PCI and HIPAA if you are in a niche industry.

Cybersecurity frameworks are better than nothing, but they will only lead you to complete a cybersecurity framework. Their completion is the ends to the means, leaving much to be desired when it comes to insight into what has been achieved in terms of major criteria like threat protection, posture advancement and operational improvement.

If frameworks are limited, what do we do?

A cybersecurity framework can be a place to start, but should not be the destination for companies that are agile and growing.

In place of a framework, or even a set of disparate frameworks, should be a strategy.

The difference between strategy and framework.

To understand the difference between a strategy and a framework, one can look at the end goal in mind.

A cybersecurity framework is typically a list of tasks or deliverables that needs to be completed towards an end goal. The end goal, typically, is reporting.

The end goal of strategy is tied to a business outcome. Example of strategic outcomes may include:

Measurable risk reduction: being able to specifically pinpoint how the company has closed backdoors to their most common risks of breach.
Increasing bang for buck on vulnerability management: gaining greater wholeness from each action.
Preparing for specific incident types: knowing that it is just as much how a company can rebound from an incident as fighting one off.
Becoming the profile of the ideal vendor: making the right investments to speed up the sales process and put customers at ease.

A framework quite literally checks the box, but it misses critical insight as to where things stand from a business and operations standpoint.

During an incident, your SOC2 will do very little to hold up your business. Similarly, a NIST maturity document will not help you to understand where you stand vs competitors on your actual security performance.

The reason people like frameworks is because they are simple to follow and prescriptive in nature.

The negative to frameworks is that they are rigid and not tailored to your business environment.

What is the harm in using the wrong framework?

Cybersecurity is a business realm that has a technical solution, in the form of the latest tool, for any problem you can imagine and many you cannot.

Without the correct framework, it is easy to both over and underspend on your problems.

It is also possible to dump hours of time and money into problem solving with no clear understanding of if anything meaningful has been accomplished.

The benefit of building a strategy.

Leaders who know where they are going know how to make choices: what they will do, what they will invest in and what they will not. The right strategy can save 10x the investment of creating a strategy.

A strategy allows a leader to be narrowly focused on what will deliver the business results that stakeholders expect from them. This allows them to tune out noise, buy only what they need and measure results up against tangible goals.

Industry trends can be misleading, which is a key reason to create a proprietary strategy and stick to it. It does not matter what is popular when it comes to cyber. It matters what is going to deliver results to your specific company and product.