Most cybersecurity frameworks are designed by and for large organisations. They assume dedicated security teams, mature governance structures, and budgets that can sustain multi-year transformation programmes. For the majority of African SMEs and SACCOs, these frameworks are largely inaccessible as a practical guide to action.

The S.I.N.S. Framework™ was designed to address a specific problem: how do you build genuinely effective security controls in an organisation that doesn't have a CISO, can't afford a full-time security team, and needs to make progress this quarter rather than this decade? The answer is structure — not more complexity.

Why most cybersecurity programmes fail

| Common approach | Why it fails | S.I.N.S. alternative |
|---|---|---|
| Buy a security tool | Tools without governance produce alerts, not outcomes. A SIEM nobody monitors is decoration. | Systems layer first — establish control before adding detection. |
| Hire a consultant for a report | A gap report sitting in a drawer changes nothing. Execution is the hard part. | Assessment + implementation — gaps only matter when they get fixed. |
| Focus on compliance only | Compliance is a minimum standard, not a security programme. A compliant organisation can still be breached. | Security drives compliance as a natural outcome. |
| Start with the perimeter | Securing the network edge while endpoints are unmanaged and identities are ungoverned is backwards. | Systems → Infrastructure → Network → Security — inside out. |

The four pillars

Layer 1 (S) — Foundation: Systems

The Systems layer addresses the foundational question: do you know what you have, and is it under control? Before any other security investment makes sense, you need a maintained inventory and managed endpoints.

  • Asset inventory and lifecycle management
  • Identity and access management
  • Endpoint configuration standards
  • Enterprise system hardening — M365, SharePoint, ERP
  • Patch management

Layer 2 (I) — Operational: Infrastructure

The Infrastructure layer secures the platforms on which your business runs. The central concern is resilience: can you continue operating when something goes wrong?

  • Server hardening and configuration baseline
  • Backup architecture and tested recovery
  • Cloud security posture management
  • Virtualisation security (VMware, Hyper-V)
  • Disaster recovery design

Layer 3 (N) — Connectivity: Network

The Network layer addresses how data moves. With Systems and Infrastructure established, you can now make informed decisions about what network access is legitimate and where monitoring should be deployed.

  • Firewall policy design and rule review
  • Network segmentation and VLAN architecture
  • Secure remote access — VPN and Zero Trust
  • Physical security — CCTV, PoE, access control
  • Network access control (NAC)

Layer 4 (S) — Governance: Security

The Security layer governs, measures, and sustains the controls in the first three layers. Controls without governance degrade. This layer addresses the human and process dimensions.

  • Security policy framework
  • Risk assessment and risk register
  • Incident detection, response, and post-incident review
  • Compliance programme — DPA, ISO 27001, SASRA
  • Security awareness and culture

Why the sequence matters

The order — Systems, Infrastructure, Network, Security — reflects the logical dependency between the layers. You cannot meaningfully secure your network if you don't know which devices are legitimately connected (a Systems problem). You cannot govern security risks without knowing what infrastructure you have (an Infrastructure problem).

The S.I.N.S. Framework does not tell you to secure the perimeter first. It tells you to secure the inside first — because in most organisations, that is where the most critical vulnerabilities actually are.

How it maps to existing frameworks

The S.I.N.S. Framework™ is not a replacement for ISO 27001, the NIST Cybersecurity Framework, or CIS Controls. It is an implementation alignment layer that makes the requirements of these larger frameworks actionable for organisations without dedicated security expertise. The four pillars map naturally to ISO 27001 Annex A control domains, SASRA regulatory requirements, and Kenya DPA governance obligations.

What engagement looks like in practice

Every RETACH engagement begins with a S.I.N.S. Health Scan — a structured assessment across all four layers that produces a working gap register with prioritised remediation actions, mapped to the relevant pillar, with indicative effort and cost for each.

The key principle: every phase of work ends with something that is implemented and working — not a recommendation. The S.I.N.S. Framework™ exists to close the gap between knowing what needs to be done and having it done.

See where your organisation stands

The S.I.N.S. Health Scan gives you a clear baseline across all four pillars — starting at KES 32,500.
