4 Business Goals You Can Achieve While Scaling Cybersecurity
By Sean Atkinson, Chief Information Security Officer at CIS
Recently, I discussed how taking a layered approach to cybersecurity scaling helps organizations in the long term. Doing so enables them to implement complementary security controls that protect what's important to the business. By extension, they can use cybersecurity to support, not hinder, profitable business growth as their priorities evolve and their digital footprint grows.
But don't take my word for it. In this blog, I'll tell you how organizations use the layered resources in CIS SecureSuite Membership to achieve four business goals.
Goal #1: Make Life Easier for IT and Security Teams
As we all know, IT and security teams are extremely busy. They're trying to uphold day-to-day security operations while keeping an eye out toward changing regulatory obligations, emerging threats, and other new developments. By gaining access to layered cybersecurity resources that scale, personnel can maximize their time and spare themselves from things like burnout.
A CIS SecureSuite Membership can help in this regard. For instance, one bank downloaded the security recommendations of the CIS Benchmarks in machine-readable formats. Here's what they had to say afterwards:
Doing this allowed us to quickly and easily deploy industry-recommended security best practice configurations. Without this resource, the hardening of our devices would have taken a lot longer and required many meetings between IT and Security to debate which configuration settings to change and the impact they could have.
The speed of deploying the CIS Benchmarks enabled the bank to get more granular with their hardening efforts. Specifically, they were able to create documentation and define if and where exemptions in their implementation exist. This helped them to develop an even more comprehensive understanding of how their business and cybersecurity processes relate to one another.
It was a similar story with a State government. The Member made life easier for their IT and security teams by using CIS-CAT Pro, a configuration assessment tool, to evaluate their compliance to the CIS Benchmarks. Doing so helped them simplify their audit preparations and complete their security scans more quickly.
Goal #2: Find and Plug Gaps in Customers’ Cybersecurity Maturity
Layered resources aren't just useful for strengthening your own cybersecurity defenses. They're also instrumental to protecting others' systems and data, which is why both consultants and product vendors can use these CIS SecureSuite capabilities to support their customers' cybersecurity needs.
One consulting firm turned to CIS-CAT Pro toward this end:
CIS-CAT Pro is a real solid foundation by which you can go to any customer and tell them, "Look. Here’s what the Center for Internet Security tells us we need to be doing to lock your systems down. You can read what Tony Sager says – Stop chasing shiny objects and get back to the basics.”
Through the use of CIS-CAT Pro, the firm found that it was able to steer some of their customers clear from the newest "shiny object" and to foundational security embodied in the CIS Benchmarks.
Meanwhile, another consultancy concentrated on the Implementation Groups of the CIS Critical Security Controls (CIS Controls). They explained that they did so to grow their customers' cybersecurity maturity scores.
We start chipping away highly effectively at the risk and where most of the attacks are coming from...and get them to a point that’s actually safe for them to conduct business in.
In the process, they succeeded in bumping up the maturity scores of many clients from a 0.7 to 2.5 on a 0-5 point scale with minimal investments.
Goal #3: Achieve SOC 2 Compliance
SOC 2 is a reporting framework that evaluates an organization's information systems according to five principles – security, availability, processing integrity, confidentiality, and privacy. These principles aren't mutually exclusive. A single control can advance two or more of these principles simultaneously.
One CISO took this to heart in preparing their organization for its SOC 2 audit. They began by using the CIS Benchmarks to develop a policy for system hardening and workstation security. At the same time, they leveraged the CIS Controls to develop a path toward growing the organization's maturity. The CISO then drew upon several of the resources available via CIS SecureSuite to optimize the implementation of those security best practices.
Fast forward to audit time. The auditor wanted to understand how the organization was tailoring the CIS Benchmarks in various environments. To provide evidence of this process, the CISO provided an assessment report from CIS-CAT Pro to the auditor. This proved instrumental in helping the organization achieve its SOC 1 and SOC 2 certifications.
Goal #4: Gain a Competitive Advantage
Finally, the act of implementing layered resources says that you're serious about your organization's cybersecurity posture. You communicate this message not only to partners and internal stakeholders but also to customers and business prospects. As such, using the capabilities of CIS SecureSuite can help you gain a competitive advantage over those who don't take a layered security approach.
A management company's CISO realized as much, and like many of the examples discussed above, they used the CIS Benchmarks to harden their technologies. They then went ahead and established a "gold build" that employees could use.
Internally, Membership resources helped spare engineers from needing to create a gold build manually. But externally, it also helped them win an engagement in which they'd run cybersecurity assessments. A key part of that engagement was the company's use of the CIS Controls Self Assessment Tool (CIS CSAT Pro) to assess the security posture and maturity of their client and identify remediation actions.
The Possibilities Are Endless!
As the examples discussed above demonstrate, there's no limit to the goals that organizations can pursue using a CIS SecureSuite Membership as they scale their cybersecurity programs. It's even easier with our current promo. Now through October 31, organizations can receive up to 20% off a new CIS SecureSuite Membership.
Chief Information Security Officer
Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.
Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.
Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certification in the IT arena.
In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.