Cyber Hygiene Matters, and So Do Definitions
In an earlier article, I wrote about the importance of cyber hygiene and offered up a specific definition of basic cyber hygiene based on CIS Controls Implementation Group 1. I’d like to expand a bit on why having a clear-cut definition is really important.
A specific definition lets you move from a general awareness campaign to an unambiguous action plan – one that can be communicated, adapted for different conditions, and followed.
There’s a big difference between “only you can prevent wildfires,” and an explicit set of steps to safely extinguish your campfire. Having such a plan allows you to focus the attention of the entire cyber ecosystem of users, adopters, suppliers (vendors), as well as authorities (governments, regulators, the legal system) around a common set of problems, and a common set of actions.
A concrete definition provides a technical basis to identify tools to implement the actions, measurements to track progress or maturity, and reporting that can be used to manage an enterprise improvement program.
A specific definition also gives you the opportunity to change the recommended behaviors when the underlying science or understanding changes. In public health, for example, hygiene recommendations are used to translate complex science about topics like disease control into specific personal or social behaviors.
Cybersecurity defenders are already flooded with information about attackers, vulnerabilities, and malware. But, as with public health, most don’t have the time, expertise, or interest to read the latest research – they just want a way to focus on positive, constructive action.
In today’s environment of shared technology, linked by complex business relationships and dependencies, we also need a specific way to negotiate “trust” and an “expectation” of security (Are you a safe partner to bring into my supply chain? Can I count on this merchant to safely hold my financial information?) – one that is better than paper surveys or inconsistent interpretation of abstract security requirements.
Finally, if you don’t have a specific definition then you can’t do the analysis needed to help you establish the specific value of cyber hygiene (or any cyber improvement program). This is what CIS has done through our Community Defense Model, and is a topic for another day.
About the Author
Tony Sager is a Senior Vice President and Chief Evangelist for CIS®. He leads the development of the CIS Controls®, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.
“Show Me the Science”, https://www.cdc.gov/handwashing/show-me-the-science.html