If you were building a security program from scratch, which many of our listeners have done, which framework would be your starting point?



Check out this post initiated by Sean Walls, vp, CISO of Visionworks, who asked, “If you were building a security program from scratch, would you align with ISO 27001, NIST CSF, or another framework, and why?”

That conversation sparked this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Omar Khawaja (@smallersecurity), CISO, Highmark Health.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.

On this episode of Defense in Depth, you’ll learn:

  • When determining a starting security framework, always lead with the “Why?” What are you trying to accomplish and achieve?
  • In some cases you’re building a framework to build trust.
  • Although most in security take a risk-based approach. That’s not always necessary when picking a framework. Frameworks are often very regulatory driven.
  • Framework decisions will be built on both internal and external pressures.
  • If you don’t have a specific security problem, a specific security solution makes no sense.
  • The Secure Controls Framework is a free meta-framework that allows users to pick and choose elements from multiple frameworks.
  • Check out Allan Alford’s four-year mapping of NIST CSF, CIS CSC 20, and ISO 27001.
  • While there are plenty of great frameworks out there, for someone who is truly starting from scratch, many security professionals pointed to the CIS top 20 because it maps to frameworks like NIST and ISO.