Is My Company Secure?
Saying “My company is secure” is like saying “My team scored 27 tonight”. The metric doesn’t matter if you have nothing to compare it against. Enter the framework.
A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security metrics, also called security controls. There are many frameworks to choose; NIST, ISO, NERC, PCI, etc., etc. The point is that you want to compare yourself against a known yardstick.