Developing a Culture of Cybersecurity with the CIS Controls

By Tony Sager, Senior Vice President and Chief Evangelist, CIS®

WFH (Work From Home). VM (Virtual Machine). BYOD (Bring Your Own Device). IoT (Internet of Things). OMGATAASTDMC (Oh My Goodness All These Acronymns Are Starting To Drive Me Crazy). If you’re hearing a lot of acronyms in your professional conversations lately, you’re not alone. As technology blurs the line between the professional and the personal, it’s more important than ever that workplaces – wherever they are – develop a culture of cybersecurity. Organizational culture includes the total expectations, experiences, and values that guide workplace behavior. Culture is based on shared attitudes as well as written and unwritten rules that develop over time. Given the complexity and rapid changes, culture plays an essential role in cybersecurity, maybe even greater than any written policy or rule.

Vulnerable Workspaces

The rush of personal devices onto your workplace network can leave your organization vulnerable to a variety of cyber attacks. In order to maintain a strong cybersecurity posture, everyone in your organization – from the first-day intern to the CEO – needs to adopt and implement secure technical practices – what we at CIS call “Cyber Hygiene.”

So how can you infuse cybersecurity into the everyday culture of your organization? There are multiple frameworks and security standards available to help: from the extensive technical guidance of the NIST Cybersecurity Framework (NIST CSF) to the specialized recommendations of PCI DSS (Payment Card Industry Data Security Standard) and FedRAMP (Federal Risk and Authorization Management Program). While these are all excellent frameworks, they can feel a bit intimidating to newcomers. So, what’s a good way to begin?

A Prioritized Approach

One way to get started is with the CIS Controls; in fact, you can use them as an on-ramp to other frameworks. The CIS Controls provide a prioritized approach to cybersecurity, starting with the most essential tasks and progressing to more sophisticated techniques. The CIS Controls v7.1 were developed by cybersecurity and subject matter experts from around the world through a robust, consensus-based process independent from any one technology vendor or solutions provider. There are 20 CIS Controls in all in v7.1, and it will take time and effort to implement all of them – but the resulting cybersecurity posture and culture your organization will achieve will make it all worthwhile.

Do you really need the CIS Controls?

Credit card breaches, identity theft, ransomware, theft of intellectual property, loss of privacy, denial of service – these cyber incidents have become everyday news. What’s truly disturbing is that many of these attacks could have been prevented by well-known security practices such as regular patching and secure configurations. That’s where the CIS Controls come in: they can help you protect your organization with a comprehensive set of cybersecurity best practices that address the most common threats and vulnerabilities. Let’s look at how to start by building secure habits and processes around the first two CIS Controls for v7.1.

CIS Control 1: Inventory of Authorized and Unauthorized Devices

It’s hard to protect what you don’t know you have – so first, count the devices within your organization. Be sure to include not just desktops, but printers, smart phones, and network devices. Once your company has established a device log, maintaining the inventory can become part of the culture of cybersecurity as different teams contribute to its upkeep. For example:

  • When new laptops are ordered for employees, procurement assigns each device a number and adds it to the device inventory.
  • When an employee receives a device, he or she updates the inventory to reflect the current owner.
  • IT periodically scans the network for new or unknown devices, so they can find and remove any unauthorized devices.

Depending on the size of your organization, the actual process of maintaining a device inventory may look a bit different. The general idea, however, is the same – to have an up-to-date list of all technical devices for which your organization is responsible.

CIS Control 2: Inventory of Authorized and Unauthorized Software

In concept, a software inventory is very similar to the hardware inventory discussed in CIS Control 1; it’s a current list of all software installed across an organization. Implementing CIS Control 2 often falls to the IT department, but its success really depends on an organization’s cyber culture.

Each time a new piece of software is introduced to the environment, you want to know that it has a legitimate business function and that the application files are coming from a reputable source. Take a moment to consider how your company handles this: When an employee needs a new piece of software, how do they get it? Do they ask someone in procurement or IT, or just sneakily try to download it on their own? Without a clear procedure for approving and acquiring software, employees will go to all sorts of lengths to get the tools and programs they need. If downloading and installing applications is too easy, some might even download games, unnecessary programs, and possibly even malware-infected applications.

By implementing a well-defined and convenient procedure for employees to request new software, your organization will be able to review each program’s business purpose and conduct a security assessment if necessary. Implementing such a procedure is one of the best ways to develop a culture of cybersecurity across the workforce.

A Team Effort

Nobody is born a technology expert, and yet each of us is a potential target for cybercriminals. While most organizations know that their data needs to be protected by firewalls and strong passwords, it’s equally important to develop a culture of cybersecurity which includes behaviors like inventory management, software procurement processes, and reporting suspicious or unusual computer activity. Technology and Controls can support a strong cybersecurity culture by making it easier for people to “do the right thing”, and making it harder for them to make a mistake. By working together, everyone in your organization can help develop a cybersecurity culture.

To see how the CIS Controls can help your organization prioritize its cybersecurity strategy with these tools and resources.

Using a framework like NIST CSF or PCI DSS? See how the CIS Controls v7.1  and v8 map to other security standards in the CIS Controls Navigator.