The top cybersecurity recommendations have had a significant impact on safeguarding data from theft and compromise, both domestically and globally.
These recommendations are extensive collections of suggested practices, procedures, and principles intended to help organizations and individuals protect their digital assets, systems, and data from malicious attacks. They cover a broad range of practices and are designed in part to compile and disseminate best practices and strategies drawn from industry norms and expert insight. Significantly, they are updated regularly to address evolving threats and advances in technology.
Truly effective cybersecurity recommendations function as a blueprint for improving security. They are thorough, addressing both technical and organizational components. They incorporate clear governance frameworks, detailed implementation strategies, and the adaptability to adjust as conditions change. Moreover, they acknowledge the human factor, concentrating on empowering and educating users rather than presuming and condemning user ignorance.
Nonetheless, not all cybersecurity recommendations are of equal quality. The least effective ones often focus excessively on technology at the expense of human elements, overlook usability, fail to address operational realities, or make no provision for ongoing evaluation and improvement.
Here are the five cybersecurity recommendations that have had the largest positive influence and three that have room for improvement.
1. NIST CSF
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) stands out as one of the most effective and influential cybersecurity recommendations. One reason for its success is its comprehensive structure, built around the core functions identify, protect, detect, respond, and recover, with govern added as a sixth function in version 2.0. This structure gives organizations a holistic view of cybersecurity risk management and ensures that all critical aspects are addressed.
The NIST CSF has evolved through three primary iterations: Version 1.0 was initially released in 2014, followed by a minor update to Version 1.1 in 2018 and a major revamp with Version 2.0 in 2024.
It is also adaptable. Organizations of all sizes and across various sectors can easily tailor the framework to meet their specific requirements, making it widely applicable.
2. ISO 27001
The ISO 27001 standard has had a significant impact on global cybersecurity thanks to its methodical approach and its emphasis on continual improvement. It presents a structured approach for identifying, evaluating, and managing information security risks. As an internationally recognized standard, ISO 27001 certification is valued across different industries and regions.
3. CIS Controls
The Center for Internet Security (CIS) Controls have gained widespread acceptance as practical and efficient cybersecurity recommendations. They are noted for prioritizing actions, addressing the most critical security measures first, and helping organizations allocate resources efficiently. The framework's tiered Implementation Groups let organizations tailor their approach to their size and cybersecurity maturity. CIS updates the controls regularly to address emerging threats and evolving best practices.
4. CSA Cloud Controls Matrix
The Cloud Security Alliance (CSA) Cloud Controls Matrix is distinguished by its emphasis on cloud-specific challenges, addressing the distinct security obstacles inherent in cloud computing. Its comprehensive scope covers many security domains, including application security, encryption, and identity management. The matrix also maps its controls to other major standards and regulations, which helps organizations demonstrate compliance across multiple frameworks at once.
5. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) has significantly improved payment card security despite its industry-specific focus. Organizations that handle payment card data must comply with PCI DSS requirements, which ensures widespread adoption. The standard sets out detailed, actionable requirements for safeguarding cardholder data and is updated regularly to address emerging threats and technologies in the payment card sector.
Some cybersecurity recommendations have had less impact
Unfortunately, some cybersecurity recommendations have not been as well-received as the five mentioned above. Here are the cybersecurity recommendations that fall short:
The TSA’s original pipeline directive
In response to the Colonial Pipeline cyberattack, the Transportation Security Administration (TSA) issued its initial pipeline security directive, known as Security Directive Pipeline-2021-01, on May 27, 2021.
The directive aimed to enhance cybersecurity measures for pipeline owners and operators nationwide.
The initial directive imposed several key requirements on pipeline companies, including the appointment of a Cybersecurity Coordinator available 24/7 to handle incidents and collaborate with government agencies. Additionally, companies had to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of detection.
Many cybersecurity specialists viewed it as hastily implemented and lacking industry consultation. Critics argued that the directive was overly prescriptive in some areas and too vague in others, while also being criticized for its lack of flexibility.
The directive underwent revisions that addressed several industry critiques.
The UN cyber crime treaty
The United Nations finalized a new global cyber crime convention in August 2024, when its negotiating committee approved the text by consensus, marking a significant step in international efforts to combat cyber crime. The treaty is noteworthy as the first cyber crime treaty drafted and agreed by consensus among UN member states, following three years of negotiations.
However, some skeptics argue that the treaty could effectively criminalize legitimate security research, that it is outdated, and that it is overly restrictive. They suggest it might actually undermine global cybersecurity efforts.
Draft U.S. cyber reporting regulations
The Cybersecurity and Infrastructure Security Agency (CISA) recently proposed draft regulations for reporting cyber incidents in the United States, which could impact how critical infrastructure firms report cyberattacks to the federal government.
The regulations target companies overseeing systems deemed critical infrastructure by the U.S. government, encompassing sectors such as healthcare, energy, manufacturing, and financial services. The rules also extend to companies whose operations are essential to a sector’s functionality, including various service providers.
Some entities have raised concerns that the reporting requirements might be burdensome (especially for smaller organizations), costly, and duplicative of existing mandates.
The National Association of Manufacturers criticized the rules as overly expansive, potentially affecting more than 300,000 entities, and questioned whether all of the organizations identified genuinely belong under "critical infrastructure."
The finest cybersecurity recommendations strike the ideal balance
Cybersecurity recommendations are devised to enhance security. The top recommendations are essential tools that propel organizations closer to achieving that goal. Developing exceptional recommendations necessitates extensive industry feedback, with thorough coverage of broad issues and ample flexibility to accommodate a variety of organizational sizes and types.