Creating a Basic Website Security Framework

When you build or remodel a house, construction workers create a strong framework that can withstand the elements to keep your home and possessions secure. But what happens if you ignore proper building codes and inspections? The resulting risks to health and security are unacceptable.

The same concept applies to how you secure your websites and the environments they reside in. You have to start with a blueprint that prioritizes security through regular maintenance.

Leverage a Security Framework

The following framework is borrowed from the Framework for Improving Critical Infrastructure Cybersecurity, developed by the US National Institute of Standards and Technology (NIST).

It is built on four core elements: Functions, Categories, Subcategories, and Informative References. The Functions themselves are five: Identify, Protect, Detect, Respond and Recover. This can be easily leveraged for your organization’s website security needs.

Figure 1 – Basic Security Framework Built on NIST

Whether you are a large organization or a small project, this framework will provide the supporting structure you require. It’ll help you think about the things you don’t know, and remind you of the things you do know but may forget.

Security is a continuous process, not a static state.

While the framework helps you think of the major domains of security, it doesn’t tell you how to “think” about security. If the first illustration identifies the foundational elements, then the following helps define the mindset.

Figure 2 – Security is a Continuous Process


When you think about your framework, you want to come to terms with the fact that this is going to be an investment that extends through the entire lifecycle of your website. This will not be a set-it-and-forget-it configuration.

Instead, you will want to establish a sequence of events, on some interval, that affords you an opportunity to review your framework continuously. Doing so will ensure that you maintain an appropriate security posture, reducing your overall risk position.

How deep or complex you make your framework is entirely up to you as the website owner. For smaller teams and properties, my general recommendation is to keep it simple. An over-complicated system will make it a daunting task to maintain, and even more challenging when you revisit the process later.

Figure 3 – A Simplified Security Framework

The illustration above is an example of what your framework might look like.
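As an added example (not the contents of Figure 3 and not code from the original post), here is one way to write down a simplified framework so that the "continuous process" above becomes something you can actually run: each control is tagged with one of the five NIST Functions, a concrete check, and a review interval, and a small scheduler tells you which checks are overdue and which Functions have no control at all. The controls, intervals and dates are constructed assumptions for illustration, not recommendations for any particular site.

```python
"""Added example: a simplified website security framework as data, plus a
review scheduler.  Controls, intervals and dates are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# The five Functions of the NIST Cybersecurity Framework core.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Control:
    function: str        # one of FUNCTIONS
    category: str        # what the control covers
    check: str           # the concrete thing to verify at review time
    interval_days: int   # how often the check is revisited
    last_reviewed: date  # when it was last actually done

    def __post_init__(self):
        # Reject controls that do not map to a Function or can never come due.
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown function: {self.function}")
        if self.interval_days <= 0:
            raise ValueError("interval_days must be positive")

    def next_due(self) -> date:
        return self.last_reviewed + timedelta(days=self.interval_days)

    def is_overdue(self, today: date) -> bool:
        # Due on the day itself is still on time; the day after is late.
        return today > self.next_due()


# Constructed example framework (an assumption, not the post's Figure 3).
FRAMEWORK = [
    Control("Identify", "Asset inventory",
            "List every domain, server, plugin and third-party service in use",
            90, date(2017, 6, 1)),
    Control("Protect", "Access control",
            "Remove stale accounts; enforce MFA on admin and hosting logins",
            30, date(2017, 8, 20)),
    Control("Protect", "Patching",
            "Apply CMS core, plugin and theme updates",
            7, date(2017, 8, 25)),
    Control("Detect", "Integrity monitoring",
            "Confirm file-change and log alerts still reach a named owner",
            30, date(2017, 7, 1)),
    Control("Respond", "Incident plan",
            "Walk through who is called and how the site is taken offline",
            180, date(2017, 3, 1)),
    Control("Recover", "Backups",
            "Restore the latest backup to a staging host and verify it works",
            30, date(2017, 8, 10)),
]


def overdue_controls(framework, today: date):
    """Return the controls whose review is overdue, most overdue first."""
    late = [c for c in framework if c.is_overdue(today)]
    return sorted(late, key=lambda c: c.next_due())


def review_report(framework, today_iso: str):
    """Overdue controls as 'Function/Category' strings for a given ISO date."""
    today = date.fromisoformat(today_iso)
    return [f"{c.function}/{c.category}" for c in overdue_controls(framework, today)]


def coverage_gaps(framework):
    """Functions that have no control at all: the things you may have forgotten."""
    covered = {c.function for c in framework}
    return [f for f in FUNCTIONS if f not in covered]


if __name__ == "__main__":
    today = date(2017, 9, 1)  # constructed review date
    for c in overdue_controls(FRAMEWORK, today):
        print(f"{c.function:8} {c.category:22} due {c.next_due()}: {c.check}")
    print("uncovered functions:", coverage_gaps(FRAMEWORK))
```

Run it on a review day and the output is the agenda for that review; the `coverage_gaps` check is the part that reminds you of a whole Function you never wrote a control for, which is the kind of blind spot the framework is meant to expose.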

In future posts I will dive into each section with more granularity and specificity, but the goal of this article was to introduce the basics of thinking about a security framework.

Security Responsibility

We invest a tremendous amount of time on the technology and tools website owners need to combat threats, but we forget that the tools themselves are useless without our engagement. A baseball will never be named World Series MVP; the player will. A race car by itself doesn’t win races; the driver does. The security solutions we deploy won’t magically solve all our security problems; they require you, the website owner.

Feed a person and they eat for a day, teach them to fish and they eat for a lifetime.

I want to spend some more time educating website owners, not on the tools they need to employ, but on the basic principles and concepts they should be aware of. We know a lot about how attacks happen today, and for most website owners they share similar characteristics: they are opportunistic, they are automated, and they abuse our behavioral weaknesses. If we invest just a fraction of our energy changing the way we think, the global impact we can have on the greater internet security paradigm is exponential.

If you’re interested to hear more, I’ll be speaking on our responsibility as service providers and bridging the divide between website owners at WHD USA September 11th/12th in Las Vegas, Nevada and WordCamp Sacramento on September 16th/17th in Sacramento, California.
