Beyond Frameworks: Securing Low Maturity Clients with a Minimum Level Security Approach

by

Mischa Tanne

Summary

Traditional framework-based assessments highlight the necessity for organisations to implement cyber security controls, but they often fail to provide realistic implementation guidance for those with lower security maturity. Through the Minimum Level Security (MLS) approach, we demonstrate how organisations can establish foundational security measures aligned to their unique needs, providing a pragmatic path towards a sustainable security program.

The Value of Framework Based Assessments

Traditional framework-based assessments have become the de facto starting point for organisations beginning their security journey – but this approach isn’t always optimal. Before we dive into the challenges of this approach, let’s acknowledge the significant strengths of traditional cyber security frameworks:

  1. Industry Recognition: Frameworks like NIST CSF and ISO 27001 provide a universally understood language of cyber security. They offer credibility to stakeholders, customers, and partners.
  2. Structured Approach: These frameworks provide a comprehensive, systematic method for identifying and addressing security vulnerabilities, representing years of collective expertise distilled into actionable guidelines.
  3. Not Expensive: Because most consultancies can provide these assessments, reassessments on a continuing basis are not drastically expensive for SMEs and non-profits. This is especially true when compared to a completely comprehensive and custom assessment.
  4. Measurable and Reproducible Results: Organisations can gauge their security maturity against established standards, creating clear paths for improvement and investment. However, the quantifiable nature of these results can be misleading, because consultants’ thought processes differ and the frameworks themselves don’t define the evidence to be graded against. For example, if you provide two consultants with the same client, don’t be surprised when they arrive at significantly different maturity outcomes.

The Painful Reality of Traditional Framework Assessments

Traditional frameworks and assessments can present significant barriers for low maturity clients, but the fundamental issue often goes unrecognised. At its core, the problem stems from a critical oversight: the traditional assessment method rarely considers the organisation’s context and available resources. This disconnect creates a cascade of challenges – disrupting the organisation’s security journey before it truly begins.

The traditional framework approach operates on an assumption that organisations possess a baseline level of security knowledge and resources. Without understanding the unique risk landscape and business objectives, assessors often produce generic recommendations that fail to address real-world constraints. Too often the recommendations are focused on ‘passing’ the assessment as opposed to effectively reducing the risks faced by the organisation.

As consultancies compete for these engagements, it is not uncommon to see a race to the bottom. By reducing the time spent on these engagements, and given the comprehensive nature of the frameworks themselves, these assessments can result in an excessive number of recommendations. For a team already stretched thin, a report with 100+ recommendations can have an overwhelming impact on morale and motivation.

The misalignment is further complicated when the recommendations require technical knowledge and specialised skills to interpret and implement that don’t exist in lower maturity organisations. When faced with such technically complex and generic recommendations, organisations often find themselves unable to move forward, creating a paralysis effect instead of the intended security improvements.

Contrast this with more mature clients – those who have been on the journey of uplifting their cyber security capabilities for a longer period of time. Aligning to a framework can be hugely beneficial, providing a structured lens for continual review and improvement.

Case Study: Medical Equipment Manufacturer Nightmare

The following anonymised example highlights the core issues with traditional framework assessments. I assisted a healthcare provider in Australia who had a small, dedicated IT team. This organisation mainly manufactured medical equipment and was a large supplier for the NDIS (National Disability Insurance Scheme). Given the nature of their work, the organisation stored highly sensitive client data, including payment card (PCI) data, PII, and health records. As part of new ownership, the incoming management wanted a review of the level of cyber maturity – and, as expected, a NIST CSF maturity assessment was initiated.

Given the infancy and specific nature of the organisation, it registered a ‘0’ across the board at the Function level. The resulting report had over 100 recommendations for the organisation to align to NIST CSF. What wasn’t surprising was that when the client received this report there was an immediate psychological impact on motivation. With competition amongst consultancies dramatically reducing the price needed to win business, the consultant simply does not have the time to gain a solid understanding of the organisation and to produce recommendations that are reasonable and detailed. For example, this client had a substantial risk focus on physical locations, but the recommendations ended up like the following:


“Implement physical security including CCTV cameras, access-card locked doors, etc.”

There simply was no time and budget assigned for any more detail – leaving the client with a lengthy list of unachievable recommendations requiring skills and budget they simply do not have.

Introducing the Minimum Level Security Approach

Drawing from my own consulting experience and countless discussions with teams across APAC and Europe, I noticed a concerning pattern: low maturity organisations were consistently struggling with the traditional cyber security approaches. So, I began piecing together an alternative method. The result is what I call the Minimum Level Security (MLS) approach. While not an industry standard term, MLS synthesises various best practices and real-world experiences into a pragmatic starting point for organisations beginning their security journey. It’s born from the realisation that we needed something between ‘basic security hygiene’ and full framework adoption - a stepping stone that provides meaningful security improvements while acknowledging resource constraints and organisational realities.

Minimum Level Security aims to provide low maturity clients with a practical starting point for their security journey. Different organisations need to focus on different aspects of security, and therefore on different controls, to be secure. The MLS approach therefore does not have a defined list of mandated controls; rather, it uses an iterative approach to identify and implement controls that effectively reduce the risks being faced. For instance, a manufacturing company with sensitive industrial equipment might prioritise physical security controls, while a software development startup would focus on code security and access management. Similarly, a healthcare provider might emphasise data protection and compliance, while a retail business prioritises payment security and point-of-sale system hardening. MLS is not a permanent substitute for frameworks or standards; rather, it serves as a stepping stone for establishing foundational security and governance.

Before implementing any controls, we need to conduct a comprehensive risk assessment to understand what risks are most relevant to the organisation. This includes evaluating their unique threat landscape, business operations, and management’s risk tolerance.

Based on this assessment, we can then implement appropriate controls that are commensurate with the identified risks and the defined risk appetite. This might include setting up basic governance structure, but only to the extent necessary for that organisation.

MLS does not impose a fixed set of governance controls. Instead, it encourages a flexible, organisation-specific development of security measures that evolve with business needs.

Core Principles of MLS

At the core of MLS, the following principles exist:

  • Tailored, Not Generic: Every recommendation is custom built for the organisation’s specific context.
  • Risk Prioritised: Focus is on identifying the controls that deliver the most significant risk reduction.
  • Evolutionary, Not Static: The security approach grows and adapts with the organisation.

By following these principles, we can ensure that the advice given to low maturity clients is pragmatic – focusing on risk reduction and setting up a framework for continual improvement.

Implementation of MLS


Reminder: MLS isn’t about perfection – it’s about progress.

The key to successful implementation lies in establishing a context driven security baseline. This means creating a foundation of security measures that are specifically tailored to the organisation’s unique situation.

First and foremost, we need to ensure that our security efforts align with the business objectives. We’re looking beyond generic goals like ‘protect our data’ to focus on what truly drives organisational success – such as strategic initiatives, revenue generating activities, operational processes, and regulatory requirements. These objectives enable us to identify the processes genuinely needing protection and to prioritise limited resources where they’ll have the most significant business impact. This isn’t about security for security’s sake – it’s about ensuring our security program enables rather than hinders business growth.

Next, we look at the threat landscape, as every organisation faces different risks based on its industry, size, location, and other factors. Some organisations are more likely to face insider threats than external attackers; others are more exposed to ransomware or intellectual property theft. Understanding these threats helps us focus our limited resources where they’ll have the most impact.

Speaking of resources, it’s crucial that we acknowledge and work within the constraints of the organisation. Lower maturity organisations such as non-profits often don’t have the luxury of large security budgets or dedicated cyber security teams. Our implementation strategy must incorporate the available financial resources, technical expertise, and human capital.

Figure: Context-driven security baseline (business alignment, threat landscape, and resource constraints)

These factors don’t exist in isolation either – they continually influence and inform each other throughout the cyber security journey of an organisation. By considering these three factors, we can develop a security baseline that is both effective and sustainable. This approach ensures that we’re not just implementing security measures for the sake of ticking boxes but are making strategic decisions that provide real value and protection to the organisation. This approach sets the stage for long-term security success, regardless of the organisation’s starting point.

Case Study: National Charity Security Transformation

Let’s look at an example client to illustrate what this can look like in practice. A national charity in Australia sought guidance on how to begin its cyber security journey. As part of the initial assessment the following was highlighted:

Figure: Example charity context-driven security baseline

The non-profit organisation operated with a small, non-technical staff with a limited IT budget and a heavy reliance on volunteers. Their critical operations included managing donations and safeguarding research data. Based on this, we identified the following key contextual factors:

  • Business Alignment
    • Their business objectives included maintaining trust and ensuring effective outreach to sustain donations to enable effective research.
    • Given the business objectives, the organisation prioritises protecting donor information, ensuring reliable communication, and safeguarding research data. These priorities align with common non-profit objectives: maintaining donor trust, ensuring effective outreach, and safeguarding intellectual property.
  • Threat Landscape
    • Specific threats include phishing attacks targeting donations (a common issue for non-profits), potential hacktivism, and data breaches of sensitive research.
  • Resource Constraints
    • Like many other non-profits, the organisation has a limited IT budget and a small staff that may not be technically oriented.

In contrast to the previous example of the healthcare provider with 100+ generic recommendations, the MLS approach resulted in 26 detailed, actionable activities for the National Charity. As you can see below, the left hand side covers the intent of NIST CSF or ISO 27001 but does not provide clear guidance to the client who needs it. The right hand side, by comparison, provides proposed security measures that directly address the identified risks while considering resource limitations.

Figure: Comparison of example generic and MLS recommendations

As opposed to the more generic recommendations that we too often see from framework based assessments – given the truncated time available to conduct the assessment – MLS recommendations provide clear and precise implementation advice. As the MLS approach focuses only on the controls with the largest risk reduction, the National Charity then went through an iterative process, adding further domains of cyber security before aligning to a framework.

The Transition Path: From MLS to Comprehensive Frameworks

As organisations grow and mature in their security posture, there often comes a time when aligning with established frameworks becomes beneficial or even necessary. The first thing worth mentioning here is that MLS is not a one-and-done. Rather, we can iterate MLS to determine additional controls, or depth of controls required as we uplift the cyber security maturity.

Figure: The pathway to transition from MLS to framework aligned cyber security

The above timeline summarises the transition, as once the MLS foundation has been established, the next step is identifying the right moment to introduce frameworks. Again, this isn’t a one-size-fits-all decision – it depends on various factors unique to the organisation. The organisation might consider introducing frameworks when:

  • The organisation has outgrown its MLS controls.
  • There’s a need for more structured governance.
  • There is increased scrutiny from partners, customers, or regulators.

It’s crucial to recognise these trigger points and initiate the transition at the right time – not so early that it overwhelms the organisation, but not so late that it hampers growth or introduces unnecessary risks.

Once we’ve determined it is time to align with a framework, the next step is mapping MLS controls to framework requirements. This is where the groundwork we have laid with MLS really pays off. By taking an inventory of all the security measures already implemented and mapping these to the chosen framework’s requirements, we will often see that many requirements have already been met, at least partially, by the implemented MLS controls. From this we also gain a clear identification of the gaps that remain.

From this gap analysis, the organisation can develop a plan to implement and integrate additional controls or enhance existing ones. The key here is to maintain the context driven approach that made MLS successful. This is accomplished by reviewing the identified business objectives, key risks, and threat landscape – and making updates where required. The goal is not to blindly adopt framework controls but to thoughtfully integrate them into the existing security strategy.

This mapping process also helps in maintaining continuity. Instead of a jarring shift from one approach to another, we’re evolving our security posture organically. It’s a gradual transition that builds on the solid foundations established under the MLS approach.
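The inventory-and-mapping step described above can be kept as plain structured data: each implemented MLS control lists the framework requirements it satisfies, and whether it does so fully or only partially, and a few lines of Python then report coverage per framework function and the remaining gaps ordered by risk. This is an added illustration, not part of the original article or any client engagement; the control names, risk ratings and mappings are constructed for the example, while the requirement identifiers are NIST CSF 1.1 subcategory IDs used illustratively.

```python
from collections import defaultdict

# Constructed inventory of MLS controls already in place, mapped to the
# NIST CSF 1.1 subcategories each one addresses. "full" means the control
# satisfies the subcategory's intent; "partial" means further work remains.
MLS_CONTROLS = {
    "Enforce MFA on donation platform and email": {"PR.AC-1": "full", "PR.AC-7": "full"},
    "Quarterly phishing awareness for staff and volunteers": {"PR.AT-1": "full"},
    "Offline backup of research data, tested monthly": {"PR.IP-4": "full"},
    "Restrict research share access to named researchers": {"PR.AC-4": "partial", "PR.DS-1": "partial"},
    "Managed endpoint anti-malware on staff laptops": {"DE.CM-4": "partial"},
}

# Constructed target scope: the subcategories the organisation chose to align
# to first, each tagged with the risk it mitigates ("high" gaps are worked first).
TARGET_REQUIREMENTS = {
    "PR.AC-1": "high", "PR.AC-4": "high", "PR.AC-7": "high", "PR.AT-1": "medium",
    "PR.DS-1": "high", "PR.IP-4": "high", "DE.CM-4": "medium",
    "ID.AM-1": "low", "RS.RP-1": "medium",
}

def coverage(controls=MLS_CONTROLS, targets=TARGET_REQUIREMENTS):
    """Return the best coverage level reached for every target requirement."""
    rank = {"none": 0, "partial": 1, "full": 2}
    status = {req: "none" for req in targets}
    for mapping in controls.values():
        for req, level in mapping.items():
            if req in status and rank[level] > rank[status[req]]:
                status[req] = level
    return status

def coverage_by_function(status):
    """Summarise coverage per CSF function (the two-letter prefix, e.g. 'PR')."""
    summary = defaultdict(lambda: {"full": 0, "partial": 0, "none": 0})
    for req, level in status.items():
        summary[req.split(".")[0]][level] += 1
    return dict(summary)

def gaps(status, targets=TARGET_REQUIREMENTS):
    """List unmet or partially met requirements, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    open_items = [(req, level, targets[req]) for req, level in status.items() if level != "full"]
    return sorted(open_items, key=lambda item: (order[item[2]], item[0]))

if __name__ == "__main__":
    st = coverage()
    print(coverage_by_function(st))
    for req, level, risk in gaps(st):
        print(f"{risk:6} {req:8} {level}")
```

Re-running the script after each MLS iteration shows the gap list shrinking, which is the continuity the mapping process is meant to provide.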

Key Takeaways and Recommendations

Through MLS, we ensure that we focus on the risks and mitigating controls that matter most to lower maturity organisations as they begin their cyber security journey.

When using this approach, we should remember:

  • Cyber security is a journey, not a destination: Focus on continuous improvement rather than achieving theoretical perfection.
  • Context is king: The organisation’s security approach must be as unique as the organisation itself.
  • Start small, think strategic: Implement controls that provide maximum risk reduction with minimal resource investment.

This approach will assist organisations to build out a minimum level of security, and then, when required, transition to a more holistic, framework aligned security posture without losing the context specific benefits they’ve gained.

Remember: The goal isn’t to avoid frameworks forever, it’s to build a foundation that makes framework adoption meaningful and sustainable.