
Would You Rather Have a Shovel or a Treasure Map?

  • silsbeke
  • Mar 12
  • 3 min read



A shovel is great for retrieving treasure, but it will take a lot of hole digging without an idea of where the treasure is. On the other hand, a treasure map helps you find treasure, but is of little use for actually retrieving it. Now replace the shovel with security tools and the treasure map with a security framework. Each is incomplete without the other, but together they are powerful in ensuring security resiliency.

A current trend is organizations leaning toward a tech-heavy approach that relies primarily on security tools (shovels) with little or no structured approach to implementing them (treasure maps). Embracing a security framework that strategically directs the use of tools yields treasure in terms of risk reduction and competitive advantage.


Security tools, such as firewalls, WAFs, identity and access management (IAM) controls, anti-virus, VPNs, vulnerability scanners, monitoring/alerting tools, etc., that implement security controls are essential. Individually, these controls can be effective at detecting and defeating malicious efforts. Collectively managed, they can provide a unified defense. In many cases, though, these tools are not managed from a holistic perspective. They act individually on different aspects of the same goal rather than as a cohesive strategy for securing the underlying networks and systems. In the end, correctly configured security tools do cover all of the aspects important to an organization. Don't they? Well, almost.


What about human error and social engineering? Or the risks from third-party providers? Attacks on the mobile devices increasingly used by departments? Or what about incident response? Ransomware attacks?


Using a security framework as the roadmap to security resiliency not only helps to identify the gaps in security tool use; it is also a method for defining a cohesive defense strategy and for measuring maturity and improvement consistently over time. A security framework includes evaluations based on organization-specific risks, as well as guidance on managing those intangible aspects like human error and vendor risk. Choosing a security framework like ISO-27001, GDPR, NIST or COBIT helps to identify the areas of your security and risk landscape that should be protected, giving a focus for which security tools might be needed and how to manage them.


Organizations that embrace a security framework, with the smart use of tools to support it, reap the benefits of a strategic approach that leverages both process and tactical controls. Using a framework and tools effectively has the added benefit of assessing your risk posture and identifying areas for more work. With a framework that drives tool use, an organization finds treasure in the form of better security management.


Everybody wants a safe partner or vendor that can objectively demonstrate they are actually secure. Using a security framework as the guide to implementing and managing security practices and controls is that demonstration, in its ultimate form the attainment of security certifications like SOC 2 and ISO-27001. Increasingly, these certifications are the "table stakes" for a basic demonstration and assurance that an organization's culture and practices embrace security. The treasure from a certification like ISO-27001 or SOC 2 can open doors to bigger customers, leaving behind competitors that do not have these attestations of safety.


In the comedy movie classic It's a Mad, Mad, Mad, Mad World, the characters finally reach the place where a treasure is buried and begin to dig holes in multiple places, hoping to find it. Only when the final clue falls into place do they strike paydirt. Today's business environment is too costly, and frankly too fraught with security risks, to be blindly using security tools without a plan while hoping for the best. A security framework combined with security tools is what is needed to find treasure in terms of effective security, risk reduction, and measurable progress.



© 2025 Yeoman Security Consulting
