A survey of IT and security professionals found that 16% of organizations do not use any cybersecurity framework. The report, published by Dimensional Research and Tenable Network Security, surveyed 338 IT and security professionals in the U.S.

Even among larger organizations, framework adoption varies. Among larger organizations (companies with more than 10,000 employees), 10% do not use any security framework.

Many of the professionals surveyed said their companies plan to adopt a new or additional framework in the next 12 months: 14% of respondents said their company plans to implement the NIST Framework within that period.

Tenable strategist Cris Thomas attributed the high percentage of companies planning to implement the NIST Framework to its user friendly implementation. In speaking with SCMagazine.com, he observed that the framework “is very well geared to as companies that have no security posture whatever.”

Another 12% of the survey participants said their organization plans to implement the Critical Security Controls framework and 9% said their organization plans to implement the ISO 27001/27002 framework within the next 12 month period.

“The defense in depth model that we have relied on in previous years is outdated,” said Thomas. The guidelines can “bridge the gap between believing you're secure and knowing you're secure.”

“Standardization is a very good starting point, said Cymmetria CEO Gadi Evron, speaking with SCMagazine.com, but he noted that standards are “not necessarily the only way to do security.”

Of the individuals surveyed who have implemented the NIST Framework, 70% said they adopted the framework because they see it as a best practice, rather than because business partners or contracts required it.

Many organizations use multiple frameworks, and 13% of those surveyed said that they planned to discontinue using any existing frameworks.

“Every single standard can do done correctly or can be implemented as a checkbox, to varying degrees,” Evron said.