
How to Choose a Cybersecurity Consultant: What are their Security Best Practices?

There are lots of options when it comes to cybersecurity consultants and managed security services providers. One way to vet your choices is by asking which security best practices the organization or consulting individual follows to implement cyber defenses. Some best practices are driven by massive organizational teams or a company’s bottom line. However, there is another way to develop security guidelines by leveraging the CIS Controls and CIS Benchmarks through a CIS SecureSuite Membership.

The CIS Controls and CIS Benchmarks are security best practices that lead the way towards improved defenses through a unique community consensus process. By collaborating with security professionals from around the world, CIS develops holistic security guidance (the CIS Controls) and specific hardening configurations for technologies (the CIS Benchmarks).

Let’s examine how BFB Consulting President Bruce Bading leverages his CIS SecureSuite Membership to help bolster cybersecurity for his clients. BFB Consulting provides cyber defense services to help organizations improve their cyber policies, compliance requirements and procedures.

Implementing foundational security

With 40 years of experience in cybersecurity and regulatory compliance, Mr. Bading has seen the growth and development of different best practices. From his time as CFO at a major industrial company to years of experience at IBM as a Senior Cybersecurity Consultant, he learned how to leverage CIS SecureSuite resources. He trusts the CIS Controls, CIS RAM (Risk Assessment Method), and CIS Benchmarks to help clients operationalize foundational security. Mr. Bading uses CIS-CAT Pro, a configuration assessment tool, to show his customers the gaps in their configuration security:

"CIS-CAT Pro is a real solid foundation by which you can go to any customer and show them: Look. Here’s what the Center for Internet Security tells us we need to be doing to lock your systems down. You can read what Tony Sager says – stop chasing shiny objects and get back to the basics."

Mr. Bading has seen firsthand how some customers fall for “shiny object syndrome” and chase claims of technical grandeur while ignoring basic best practices. “We have got to get back to foundational security,” he insists. Part of that foundational security includes implementing best practices like the CIS Benchmarks and assessing for conformance and compliance. Customers should ask if consultants are CIS SecureSuite Members. If so, they can ask to see their own CIS-CAT Pro results to identify configuration security gaps. The consultant’s expertise can then help close those gaps and address any remaining cybersecurity concerns.

Security for the hybrid environment

Mr. Bading’s clients operate in hybrid environments – that is, on both self-hosted (on-premises) and cloud infrastructure. What’s important, Mr. Bading tells us, is that the criticality and confidentiality of each piece of data is identified. He recommends that private information such as Personally Identifiable Information (PII) or other confidential data be stored in a private cloud. For public data, a public cloud is sufficient. Then, it’s essential that organizations harden the cloud environments, no matter where they are hosted. CIS provides security best practices for securely configuring cloud accounts and services on three of the top providers:

CIS AWS Foundations Benchmark

CIS Azure Foundations Benchmark

CIS Google Cloud Platform Foundations Benchmark

No matter which environment you operate in – self-hosted or cloud, public or private – secure configurations are key. “And that’s what we need to communicate to people,” explains Mr. Bading. “You have to harden those images.”

Collaborating and connecting to community

Mr. Bading participated in the CIS Community consensus process to help develop the first CIS IBM i Benchmark. He enjoys being connected to a larger cybersecurity community and said, “My next goal is to get into some of the other communities.” The CIS Communities offer an opportunity to network with other technical experts, troubleshoot security concerns, and find consensus on cyber best practices. “The professionals have gone through this debate,” Mr. Bading explains, “through a community, they’ve vetted it out. And here’s what they’ve collectively said. This is not one person, this is not one company – this is a large group of individuals all giving the same message.”

Serious security for serious threats

“Cyber criminals are serious,” Mr. Bading warns, “and they’re not afraid to break things.” That determination shows clients that they must be equally serious about implementing best practices and compliance. Cybersecurity is a business issue, not just an IT issue. For BFB Consulting and its clients, CIS SecureSuite Membership provides the resources they need to implement security best practices. “Firewalls and antivirus are no longer cutting it in the age of malicious AI, fileless and metamorphic malware,” says Mr. Bading. “We’ve got to constantly step up our security game and internal controls.” By combining the CIS Benchmarks and CIS Controls, CIS SecureSuite Membership helps organizations keep systems securely configured. It’s an essential resource for developing true foundational security throughout the business.