The best cybersecurity guidelines have made a real difference in protecting against data theft and breaches, in the United States and around the world.
These guidelines are comprehensive sets of recommended practices, procedures, and principles designed to help organizations and individuals protect their digital assets, systems, and data from malicious attacks. They cover a wide range of practices and exist to collect and share proven strategies based on industry standards and expertise. Importantly, the good ones are updated regularly to keep up with evolving threats and technological change.
Truly effective cybersecurity guidelines serve as a roadmap for maximizing security. They are comprehensive and cover both technical and organizational aspects. They come with clear governance structures, detailed implementation plans, and the flexibility to adapt. They also recognize the importance of the human element and focus on empowering and educating users rather than assuming their ignorance and blaming them.
However, not all cybersecurity guidelines are created equal. The least effective are those that overemphasize technology at the expense of the human element, ignore usability, fail to address operational realities, and make no provision for continuous evaluation and improvement. Guidelines written that way tend to fall short in practice.
Here are five cybersecurity guidelines that have had the most positive impact, and three that still need work.
1. NIST CSF
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is one of the most effective and influential cybersecurity guidelines. One reason is that it is comprehensive and was built around five core functions: Identify, Protect, Detect, Respond, and Recover. This structure gives organizations a holistic view of cybersecurity risk management and ensures that every important aspect is addressed.
The NIST CSF has evolved through three major iterations. Version 1.0 was released in 2014, followed by a minor update to version 1.1 in 2018, and a major overhaul in 2024 with version 2.0, which added Govern as a sixth core function alongside the original five.
It’s also flexible. Organizations of all sizes and in different sectors can easily adapt the framework to their specific needs, making it widely applicable.
2. ISO 27001
The ISO 27001 standard has reshaped global cybersecurity through its highly systematic approach and its emphasis on continuous improvement. It provides a structured methodology for identifying, assessing, and treating information security risks. As an internationally recognized standard, ISO 27001 certification is respected across industries and borders.
3. CIS Controls
The Center for Internet Security (CIS) Controls are widely adopted as practical and effective cybersecurity guidelines. They feature prioritized actions that address the most important safeguards first, helping organizations allocate resources efficiently. Their tiered implementation groups let organizations scale their adoption to their size and cybersecurity maturity. CIS regularly updates the controls to address new threats and evolving best practices.
4. CSA Cloud Control Matrix
The Cloud Security Alliance (CSA) Cloud Controls Matrix stands out for its cloud specificity, addressing the security challenges unique to cloud computing. Its coverage spans multiple security domains, including application security, encryption, and identity management. The matrix is mapped to other leading standards and regulations, which makes it easier for organizations to demonstrate compliance across multiple frameworks at once.
5. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) has significantly improved payment card security despite its industry-specific scope. Any organization that handles payment card data must comply with it, so it is very widely adopted. The standard provides detailed and practical requirements for protecting cardholder data, and it is revised regularly to address new threats and technologies in the payment card industry.
Some cybersecurity guidelines have had less impact
Unfortunately, some cybersecurity guidelines have not been as well received as the five listed above. The cybersecurity guidelines hall of shame includes:
TSA’s first pipeline directive
In response to the Colonial Pipeline cyberattack, the Transportation Security Administration (TSA) issued its first pipeline security directive on May 27, 2021, known as Security Directive Pipeline-2021-01.
The directive aims to strengthen cybersecurity measures for pipeline owners and operators across the United States.
The first directive mandated several important requirements for pipeline companies. It called for the appointment of a cybersecurity coordinator, available 24 hours a day, seven days a week, to respond to incidents and coordinate with government agencies. It also required companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of discovering them.
Many cybersecurity experts saw the directive as hastily introduced and based on insufficient industry consultation. Critics said it was too prescriptive in some areas and too vague in others, and they faulted it for being inflexible.
The directive was revised to satisfy many of the industry’s critics.
United Nations Cybercrime Convention
The United Nations finalized and approved a new global cybercrime convention in August, marking a significant milestone in international efforts to combat cybercrime. The treaty is notable because it is the first cybercrime treaty to be negotiated and accepted by consensus among all UN member states, after three years of negotiations.
But some critics say the treaty effectively criminalizes legitimate security research and is both outdated and too prescriptive. They argue it could actually weaken global cybersecurity.
Draft US Cyber Reporting Regulations
The Cybersecurity and Infrastructure Security Agency (CISA) recently proposed draft rules for cyber incident reporting in the United States under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which would change how critical infrastructure companies report cyberattacks to the federal government.
The draft rule targets companies that own or operate systems deemed critical infrastructure by the U.S. government. This includes sectors such as healthcare, energy, manufacturing, and financial services. This regulation also applies to companies whose activities are essential to the functioning of the sector, such as various service providers.
Some organizations have expressed concern that the reporting requirements may be burdensome (especially for smaller organizations), costly, and duplicative of existing requirements.
The National Association of Manufacturers has said the rule is too broad, could affect more than 300,000 entities, and has questioned whether all of the covered organizations are genuinely involved in critical infrastructure.
Optimal cybersecurity guidelines strike the right balance
Cybersecurity guidelines are intended to improve security, and the best ones are important tools that move an organization toward its goals. Creating good guidelines requires broad industry input, and the result must be comprehensive, cover a wide range of issues, and be flexible enough to accommodate organizations of different sizes and types.