Cybersecurity is a Team Sport
Cybersecurity relies on specialists of every kind - CISOs, network systems administrators, cloud experts, and more - to achieve success. It takes a true team in order to avoid the pitfalls of cyber vulnerabilities and attacks. And just like team sports, cybersecurity has rules and regulations that help everyone stay safe. There are multiple cybersecurity frameworks that your organization can follow to improve its cyber defenses. Some are based around a particular vendor or cyber defense principle. The CIS Controls are one well-known security program based on real attack data and a consensus development process. The consensus process brings together cybersecurity experts from multiple industries around the world to create a prioritized list of cyber defense actions. Formerly known as the SANS Top 20, the CIS Controls are used by organizations around the world to protect their systems and data from cyber-attacks.
Because of multiple security regulations and standards, organizations often choose to implement more than one framework. For example, a local hospital may need to meet email compliance for GDPR, financial compliance for PCI, and data security compliance for HIPAA. Because the CIS Controls offer prioritized security guidance, some end users have described them as a useful "on-ramp" to meeting regulatory compliance.
No matter which cybersecurity framework(s) you choose to implement, you'll want to measure against it to see how your team fares. Without taking score, how will you know if you've really improved your organizational cyber defenses?
Taking Stock, Together
It's important to look at your organization's overall cyber defensive actions, not just those within a particular department. Once you've identified a security framework to put in place, see if it offers any tools or other resources to help you measure your implementation. Ideally, everyone on the team can input their work towards a particular security control. You'll want to measure and track the implementation of the cybersecurity program over time - hopefully achieving a greater percentage of the framework over time. You can manually record security control implementation or use a tool such as CIS CSAT (CIS Controls Self Assessment Tool). CIS CSAT provides a free method for organizations to track their implementation of the CIS Controls. It offers the ability for different team members to answer security control assessment questions, ensuring accountability across the organization. After all, in many organizations the person responsible for adding email SPF records may not be the same person responsible for securing payment data. CIS CSAT helps the entire team take part in the security journey. Organizations using CIS CSAT can also:
- Delegate questions to other team members
- Set deadlines for each CIS Control and sub-control
- Collect documentation related to your findings
- Capture team discussion about each assessment question
The Long View
Over time, your organization should be able to implement more and more of whichever security framework(s) you decide on. But you'll never know if you aren't keeping score! Measure your security control implementation not just once, but on a regular cadence. Doing so at scheduled intervals will help you identify gaps in security and remediate. You can also see if your organization is improving its adherence to cybersecurity regulations over time. Organizations can measure their compliance to the CIS Controls over time using CIS CSAT. Assessment results from CIS CSAT can be exported per department or organizational unit, or you can take a more holistic view of the entire organization’s security. With cross-mappings to additional security frameworks like NIST SP800-53 and PCI DSS, you can also track your alignment between other best practices and the CIS Controls. This free tool also allows you to anonymously compare your results to the average of your industry or other peer groups to help drive the direction of your security program.
Win as One
As we mentioned, it takes a whole team in order to achieve a strong cyber defense posture. From everyday users spotting a phishing attempt on the frontlines to hardened IT experts building strong firewall rules, it's up to all of us. By choosing a strong program, measuring implementation, and tracking your security controls over time, your team can win big. And remember, there's always room to grow more secure in our habits - insofar as cybersecurity can be considered a game, our truest opponents are always ourselves.