Oklahoma City and the CIS Controls
Oklahoma City Uses the CIS Controls Version 6.0 to Fulfill Its Cybersecurity Requirements
Known for its cowboy culture and for being a dynamic hub of the energy sector, Oklahoma City is the capital and most populous city of Oklahoma. Like many city governments seeking to secure their information technology, Oklahoma City faces the challenge of limited time and resources. Ian Anderson is the Information Security Manager for Oklahoma City, and, along with his four-person team, his main responsibility is to safeguard the taxpayer. Oklahoma City turned to the CIS Controls as a practical and effective solution for addressing its cybersecurity requirements. The CIS Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks.
Let Your Metrics Be Your Guide
When asked about the CIS Controls, Mr. Anderson said: “In our view the best thing about the CIS Controls is the metrics guidance provided to measure effectiveness. Metrics help answer the question ‘Is it worth it?’” He added: “The consumable data bits from the metrics feed into the rest of the organization. Every single control is tied into the real world based on the ‘offense informs defense’ principle.”
Mr. Anderson believes the CIS Controls aren’t heavy-handed and allow the user to define their own risk matrix. He said: "There is no penalty for not achieving 100 percent implementation. Resource constraints may prevent 100 percent implementation, but you can rank your own maturity and adjust accordingly.” He and his team utilize a maturity chart to drive effectiveness up and costs down.
The CIS Controls inform how Mr. Anderson and his team select vendors. “We use the CIS Controls to know what metrics we are looking to collect; then we are able to go to vendors for products that provide those metrics,” he stated. Taking this approach, they were able to find and implement a new product to manage security logs that provided the necessary metrics as recommended by the CIS Controls – in the end, the new system cost less than the upkeep of the previous system.
“The CIS Controls help security become transparent and predictable, and allow us to communicate security requirements across the organization.”
- Ian Anderson
Information Security Manager, City of Oklahoma City
Buy-In Is Essential
On how to achieve total buy-in from his security team to implement the CIS Controls, Mr. Anderson said: “Behavioral change isn’t easy. First and foremost as the security team you’ve got to ‘eat your own dog food’ – meaning if you want everyone to do as you say, you must follow your own recommendations.” He and his team utilized a four-step process to implement the CIS Controls:
With the CIS Controls as the centerpiece, his team generated 23 new policies. “The CIS Controls help security become transparent and predictable, and allow us to communicate security requirements across the organization and ease implementation,” said Mr. Anderson. Using the metrics gained by implementing the CIS Controls, he and his team are able to show trends, maturity, effectiveness, and automation.
About Ian Anderson
Ian Anderson is the Information Security Manager for the City of Oklahoma City. He and his team are responsible for all cybersecurity and physical security technologies that support the 625 square miles of City properties and services. He has served the City of Oklahoma City for four years and has experience in the energy, financial, and manufacturing industries as well. Mr. Anderson received his bachelor’s degree in Management of Information Systems from the University of Oklahoma, maintains a GIAC Security Leadership certification, and is a GIAC Certified Incident Handler.
About Oklahoma City
Oklahoma City was established on April 22, 1889, when more than 10,000 people participated in the Oklahoma Land Rush and settled in what is now downtown Oklahoma City. Oklahoma City, the state capital and most populated city of Oklahoma, is the 29th-largest city in the United States.