Although widely adopted, the effectiveness of corporate security standards such as ISO 27001 and the NIST CSF is not well established. Budgetary restrictions, skills shortages, existing infrastructure, adoption difficulties, and usability challenges can hinder the implementation of complete security measures. As a result, organizations may opt to adopt only part of the available security procedures. Among the different security techniques and validations available, many companies choose to follow security standards such as the NIST Cybersecurity Framework or ISO 27001:2013, each of which consists of many individual guidelines. However, some of these guidelines may be outdated, unclear, or unable to address new technologies, resulting in insufficient practical and actionable security improvements. We conducted two studies to understand the perceptions and pain points of practitioners. In the first study, 30 security experts evaluated the perceived effectiveness of the 113 ISO 27001 guidelines and the 108 NIST Cybersecurity Framework guidelines, rating each as High, Medium, or Low. They also provided the perspectives and insights behind all 1326 ratings and identified areas in which the standards could be improved. Building on the first study's recommendations, we engaged 14 additional security experts to explore the pain points and potential changes to security systems through in-depth interviews. Our findings indicate that, to enhance the perceived and actual effectiveness of the standards, timely updates, flexibility, maintainability, cost-effectiveness, and the ability to affect technical security are needed.
Kumar et al. (Mon,) studied this question.