Security Best Practices: Cybersecurity & Compliance at Scale

Growing the business requires that your organization scale its cybersecurity program. Along the way, however, you will need to comply with multiple policy, regulatory, and legal security frameworks. This creates several obstacles. Take financial institutions as an example. They are subject to a complex and ever-changing regulatory landscape that includes PCI DSS, GLBA, and FFIEC CAT. Complying with all of these frameworks separately can be difficult, a waste of money, and time consuming to the point of overwhelming, a phenomenon known as the "Fog of More." When coupled with tool sprawl, the Fog of More could leave your security teams suffering from alert fatigue and feeling burned out.

To prevent this from happening and to scale your cybersecurity program more efficiently, you want to know how to plan out all of your compliance objectives so that you don't duplicate efforts.

"As an organization, you need to determine what framework is a priority and then map those requirements to the other frameworks to lessen the overlapping requirements," explained Stephanie Gass, Director of Governance, Risk, and Compliance at the Center for Internet Security® (CIS®). "You should also understand if your compliance objectives are required through regulations, contracts, or customer preference."

You can do both of these things using proven, prioritized security best practices that map to or are referenced by other frameworks and standards. Check out our video below to learn more.


Security Best Practices for Security Compliance

Although requirements vary, there is often overlap in the facets of security on which they focus. These are generally security best practices you can use as a starting point to scale your cybersecurity program and realize your compliance objectives.

For instance, the CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions for protecting your organization and data from known cyber attack vectors. They’re developed through a unique community consensus process, and they tell you not only how to be more secure but also how to prioritize the actions you should take to get there. This prioritization helps your organization work toward achieving effective cyber hygiene and scal from there rather than work through a list and hope to recognize some benefits along the way.

For a more granular take on security configuration, the CIS Benchmarks™ provide consensus-based guidance for specific technologies. Implementing these configuration recommendations helps you meet some of the CIS Controls, as each Benchmark maps to the Controls.

Achieving Compliance with CIS Controls inline image


The CIS Controls map to the following frameworks:

Once you know which frameworks to measure against, the next step is to manage your prioritization and implementation of those frameworks. The CIS Controls Self Assessment Tool (CIS CSAT), particularly the pro version, enables your security teams to prioritize their implementation of the CIS Controls. With that plan, your teams can track their efforts and verify whether specific CIS Controls and CIS  Safeguards have been assigned, implemented, automated, documented, and reported. They can leverage that insight to comply with other security frameworks and scale your organization's cybersecurity accordingly.

CIS Benchmarks Referenced in Industry Standards

The CIS Benchmarks are recognized as industry standards for cyber protection around the world, particularly as they relate to different types of information. Some references include the following:

  • Financial data — PCI DSS recommends CIS standards for hardening.
  • Government information — The DoD Cloud Computing Security Requirements Guide mentions CIS Benchmarks as an acceptable alternative to the STIGs and SRGs (Section 5.5.1).
  • Products and services in the cloud — FedRAMP suggests the use of CIS Benchmarks if U.S. government configuration guidelines aren’t available for a specific platform.
  • Medical details — The CIS Benchmarks function as a complement to the HIPAA security rule, with overlap of the same provisions.

A configuration assessment tool helps determine if your systems are securely configured. CIS-CAT® Pro allows you to assess for conformance to the CIS Benchmarks using its Assessor component both remotely and at scale. You can also use CIS-CAT Pro's Dashboard component  to track conformance (and thus compliance) over a recent period of time.

Scaling and Compliance with CIS SecureSuite Membership

Both the CIS Controls and CIS Benchmarks provide an “on-ramp” toward compliance with various frameworks. Indeed, they provide a starting point for securing your assets and scaling your organization's cybersecurity program, all while moving you toward compliance objectives.

Your organization can enjoy these benefits by implementing the CIS Controls and CIS Benchmarks on your own. Alternatively, your can gain access to additional resources and tools, such as CIS CSAT Pro and CIS-CAT Pro, by purchasing a CIS SecureSuite® Membership. It is a cost-effective way to achieve compliance, ensure the protection of data assets, and scale your cybersecurity efforts.


"SecureSuite helps to create baselines, whether it is benchmarking or hardening systems," noted Gass. "Using the CIS Controls and the CIS Benchmarks, you are able to identify potential gaps within the organization."

Want to take a closer look?