By Prasanna Abeysekera

It was a sunny afternoon, and I was doing my usual grocery run, weaving through the supermarket's aisles, when something odd hit me. Staring at the rows and rows of milk brands, I couldn't help but think how these milk cartons reminded me of the cybersecurity frameworks I work with daily. It might seem strange, but stay with me.

You see, just like there's no one perfect milk for everyone, there's no one-size-fits-all framework for cybersecurity. Each milk brand promises something different—added calcium, vitamins, or a smoother taste—and yet, in the end, they all promise to make you healthier. That's how cybersecurity frameworks like ISO, NIST, and ISM work. Each one is filled with different controls and protections designed to safeguard organisations, just like milk is meant to safeguard your health.

But standing in front of the cooler, I wondered—how do you know which milk is best for you? Do you pick based on the label or the price, or go with what you've always known? It's the same struggle organisations face when choosing a framework. Some pick ISO because it's familiar. Others go for NIST, and some industries might juggle a few at once.

I picked up my go-to brand and tossed it in a fancy new carton. Will the flavour be improved? Most likely not. However, the label suggests it contains an additional nutrient, which I may need. You can consume milk all day long, but how will you know whether it's helping your health if you're not keeping an eye on it? The same applies to companies that declare their ISO certification with pride. However, the answer is frequently evasive when you ask if they are gauging the success of their information security management system (ISMS). They have the milk, but they haven't had a taste yet.

After unpacking my groceries, I stood before the fridge, pondering the milk's "goodness." As the label suggests, will it help me avoid bone issues and fractures? It got me thinking—are we just doing things because we've been told they're good for us without checking if they actually work? It's like using medicine or following diets that are supposed to prevent diseases but not knowing if they're effective.

And then my mind wandered to the darker corners of cybersecurity—ransomware. If ransomware were a disease, it'd be cancer. Like cancer needs healthy cells to attack, ransomware needs a functioning system to encrypt. A dead machine is useless to ransomware, just like a dead cell is useless to cancer. They both thrive on life, feeding off what's healthy, waiting to spread and cause havoc. Back in primary school, I learned a saying, "Ange Indan Kana Kanawa wage," which roughly translates to "It's like eating the ear while on the horn." That's what ransomware does—it destroys while you're barely aware of it, just like cancer silently devours cells.

October is Cybersecurity Awareness Month—a perfect time to start thinking about how we can stop ransomware before it spreads and how we can better implement frameworks to prevent attacks.

But here's the thing—just like picking a milk that offers genuine "goodness," we shouldn't just slap on a cybersecurity framework without understanding how it works. There are 52 cybersecurity-related frameworks out there, and we must choose wisely.

Oops, did I get that number wrong? I don't think so.

Let's save the more extended discussion for later. For now, remember this: your cybersecurity framework should be like that perfect milk—rich, creamy, and packed with natural goodness, not just empty promises.

Legal Disclaimer