A Cybersecurity Veteran Counts on the CIS Controls

Recently, CIS had the opportunity to speak with Mike Yeatman, Director of Information Security of a mid-size technology integration company. As a 20-year veteran of the industry, he brings to the table professional and proactive cybersecurity expertise. Along with his team, Mr. Yeatman safeguards information assets for companies and their clients. To achieve this objective, he relies on the CIS Controls as the foundation of his program. The CIS Controls are a practical and effective solution for a cyber defense that provides real security for real threats.

Backed by Data

Mr. Yeatman said he uses the CIS Controls because “they make sense.” He noted that there are other beneficial frameworks, such as ISO and the NIST Cybersecurity Framework, that can be used alongside the CIS Controls. Another aspect of the Controls he values is that they “are backed by data.” What makes CIS Controls unique is that they are developed based on actual threat data observed in the cyber environment. The security experts who maintain the CIS Controls validate the content in line with the most authoritative threat reports from vendors like Verizon and Symantec.

Support from the Top

“Cultural buy-in is very important,” Mr. Yeatman explained. He works to gain cultural buy-in at his organization and has experience briefing his board of directors on the value of investing in cybersecurity. He added: “I’ve garnered a good deal of support and backing for it in the organizations that I serve. It is a core component of the current security program I support, and I plan to use it as the basis for programs I build in the future.” He said the challenge with cybersecurity is that “it is a long-term sustainment effort. You have to maintain and manage the program and controls over time.”

“The CIS Controls are an ordered approach …they are where I am willing to hang my hat.”
– Mike Yeatman,
Director of Information Security

In discussing the value of the CIS Controls in comparison with other standards, Mr. Yeatman said the top five CIS Controls are paramount. He said he appreciates the priority order of the CIS Controls, explaining: “They guide you toward the areas that should be rock-solid first – they are in a relatively sensible order. … Without some sense of priority, how do we know we are keeping things buttoned up properly?”

Capability Maturity

While tracking the implementation of the CIS Controls is key for a program’s success, it also presents itself as a complex endeavor for many organizations. Mr. Yeatman discussed the need to align the Controls with “people, processes, and policies.” To evaluate their risk in these areas, he measures capability against a maturity model and uses this approach to help drive security investment decisions. Maturity metrics are key to this process.

About Mike Yeatman

Mike Yeatman is a Director of Information Security and has had a broad tour of security from various companies since 1998. He received his degree from James Madison University and holds SANS Technology Institute certifications.