Companies today are increasingly discovering that it is difficult to determine which standard they should implement to secure their company's data, assets and people. Within the manufacturing, oil and gas, and electricity industries, they have a responsibility to themselves but also to customer's demands to be secure and compliant. Which one should they use? NIST, ISO, UL, NERC CIP, IEC 62443? This alphabet soup of standards certainly gets confusing. Is there a right one to use? Should more than one be used? From the purchaser standpoint in regards to a long-term model for industry control systems and how commodity hardware and software are demanding a change in paradigm, but rate cases do not allow for it.