
CIS Podcast: Cybersecurity Where You Are Ep. 16

Cybersecurity – Think INSIDE The Box

In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist Tony Sager welcomes back Kathleen Moriarty, Chief Technology Officer for CIS. Together they discuss the role service providers play in the future of cybersecurity.

 

The Problem with Out-of-the-Box Technology

Technological products today often favor performance and features over security. When a new product reaches the market, it is not secure out of the box. Its current configuration continuously needs updating due to vulnerabilities. This solution, while a universally accepted practice, is not optimal.

The process of pulling in and aggregating the data and then manually incorporating solutions into the infrastructure is both costly and time consuming. It also means that companies are remediating however they see fit. There are no common threads between how one company solves a problem compared to the rest. This inconsistency can lead to even more vulnerabilities.

The Problem with Patches

Patches are appropriately named – they cover something up to allow something to continue to work. In order for them to be effective, they have to be identified and implemented almost immediately. Hackers take advantage of the downtime that exists from the time the vulnerability is found to a patch being created, communicated, and implemented.

A Built-in Solution for Cybersecurity

The current temperament around technology is that system flaws “come with the territory” and cannot be avoided. Patches are created and then deployed in the hopes of fixing the issue. However, at times, what is done in one area of an application may affect another. This can cause the system to not work correctly or even crash.

The ideal solution would be to move away from add-on products and offer software with built-in security. DevSecOps, short for development, security, and operations, automates the integration of security. Code written in modules from the beginning can be patched more easily and without impacting other code. An unrelated app won’t crash because there was a change in another module.

Service Providers and Vendors to the Rescue

Many may think that only large companies are at risk. This is a misconception. Schools, hospitals, local governments, and small businesses are all targets, as they possess personal data and intellectual property that's appealing to hackers. What they do not have are the tools and resources to protect themselves. Product and service providers can offer built-in cybersecurity technology that is both cost-effective and automated.

If the future brings more built-in cybersecurity to applications, service providers and vendors will have to trust that the solutions they are selling or recommending are configured correctly. Kathleen gives an example of the CIS Benchmarks, where no-cost, consensus-based configuration guidelines have been created for more than 20 years. If a company were to purchase software built using these Benchmarks, its policy settings and measurements would have the required configurations and be verified with no expertise required on site.

Looking to the future, a more built-in, automated, and uniform system for cybersecurity is key to protection for all.
