Yesterday, I mentioned the value of benchmarks / frameworks / standards to guide you in your efforts to defend against cyber attacks.
Why isn’t there just one benchmark that everyone should align to?
Because each one requires a different level of effort, cost and attention to attain and sustain.
Because each is trying to protect against varying levels of risk.
If this were about securing a property:
- Some are designed to protect a white house.
- Others are designed to protect The White House.
So What?
Depending on your specific situation (e.g. the most likely threats, your current and future capabilities, and your organisation’s attitude to risk), many of the benchmarks will be insufficient or excessive.
But just like Goldilocks, I bet there is one that suits you just right.