Cybersecurity Standards Scorecard (2025 Edition)
Why It Matters
Understanding which standards genuinely fit an organization’s risk profile prevents costly misalignments and ensures security investments deliver measurable, regulator‑approved outcomes.
Key Takeaways
- Over 120 cyber-security standards now exist, complicating the choice of which to comply with.
- Organizations often pick familiar frameworks over appropriate ones, leaving gaps in coverage.
- SANS has upgraded its scoring methodology to a database-driven, scalable system.
- AI hype should not distract from fundamental safeguards such as application control and patch management.
- A clear target state and deliberate framework selection are essential for communicating risk effectively.
Summary
The webcast, hosted by veteran SANS instructor James Tarala, introduces the 2025 edition of the Cybersecurity Standards Scorecard, an annual research effort that catalogues and evaluates the growing universe of cyber-security frameworks. Tarala notes that the SANS database now tracks roughly 120-plus standards, a dramatic rise from the handful of frameworks organizations could once simply adopt.

Key insights from the presentation highlight the practical challenges of this proliferation. Companies frequently default to familiar names such as NIST or CIS even when those frameworks do not cover the initiative at hand, such as DevOps, leaving gaps in coverage. The discussion also warns against letting AI hype eclipse core controls, citing recurring deficiencies in application control and third-party patch management across assessments.

Tarala illustrates his points with vivid analogies, comparing organizations to hikers distracted by side trails, and recounts a recent client who insisted on using the NIST CSF for a DevOps review despite its lack of relevant safeguards. He also points to the consistent omission of basic safeguards, reinforcing the need for a disciplined, destination-focused approach.

The implications are clear: leaders must define a concrete target state, select frameworks that genuinely address their risk profile, and use SANS's upgraded, database-driven scoring methodology to communicate progress to stakeholders. By prioritizing fundamentals over shiny trends, firms can streamline compliance, reduce audit fatigue, and better align security investments with business objectives.