Cybersecurity frameworks are selected based on a lot of factors. Commonly it's thought about like this:
Cybersecurity frameworks are better than nothing, but they will only lead you to complete a cybersecurity framework. Their completion becomes the end rather than the means, leaving much to be desired when it comes to insight into what has actually been achieved on major criteria such as threat protection, posture advancement and operational improvement.
A cybersecurity framework can be a place to start, but should not be the destination for companies that are agile and growing.
In place of a framework, or even a set of disparate frameworks, should be a strategy.
To understand the difference between a strategy and a framework, one can look at the end goal in mind.
A cybersecurity framework is typically a list of tasks or deliverables that need to be completed towards an end goal. The end goal, typically, is reporting.
The end goal of a strategy is tied to a business outcome. Examples of strategic outcomes may include:
A framework quite literally checks the box, but it misses critical insight as to where things stand from a business and operations standpoint.
During an incident, your SOC 2 report will do very little to hold up your business. Similarly, a NIST maturity document will not help you understand where you stand versus competitors on your actual security performance.
The reason people like frameworks is because they are simple to follow and prescriptive in nature.
The negative to frameworks is that they are rigid and not tailored to your business environment.
Cybersecurity is a business realm that has a technical solution, in the form of the latest tool, for any problem you can imagine and many you cannot.
Without the correct framework, it is easy to both over- and underspend on your problems.
It is also possible to sink hours of time and money into problem solving with no clear understanding of whether anything meaningful has been accomplished.
Leaders who know where they are going know how to make choices: what they will do, what they will invest in and what they will not. The right strategy can save 10x the investment of creating a strategy.
A strategy allows a leader to focus narrowly on what will deliver the business results that stakeholders expect from them. This lets them tune out noise, buy only what they need and measure results against tangible goals.
Industry trends can be misleading, which is a key reason to create a strategy of your own and stick to it. It does not matter what is popular when it comes to cyber. It matters what is going to deliver results for your specific company and product.
There is nothing wrong with using popular frameworks to communicate cybersecurity across and outside of your organization.
It is important that frameworks exist next to a strategy, not in place of one.