How Prioritized Security Controls Break Through the Fog of More

By Sean Atkinson, Chief Information Security Officer & Stephanie Gass, Information Security Audit and Governance

The 80s and 90s may have been the wild west days of cyber attacks and early defense protocols, but in 2019, things have changed. Chances are, your organization is facing a wide range of cybersecurity regulations. We call this overwhelming mix of cyber defense programs, regulatory frameworks, and compliance regulations the “Fog of More.” Organizations face the challenge of understanding and aligning a cybersecurity control program to multiple frameworks such as PCI DSS 3, HIPAA, the NIST 800 series, the ISO series, or GDPR. There is often so much to do that you may not know where to begin in defending your systems and data.

Breaking through the fog

Rather than rushing to implement the first framework you find, why not take a prioritized approach? The CIS Controls provide a foundation for organizations to align specific cyber defense controls to various frameworks. The CIS Controls are:

  • Prioritized, starting with essential cybersecurity actions and moving on to advanced techniques
  • Based on real attack data
  • Consensus-developed and validated by a global cyber defense community

They are also mapped to popular security frameworks, so you can see exactly where your security actions align. By applying the CIS Controls, organizations are able to define and take action in 20 specific areas that are commonly required in most cybersecurity frameworks – such as vulnerability management, malware defenses, and data protection.

Assessing for compliance

Captured in many frameworks is the requirement to perform third-party risk assessments, such as questionnaires and/or certifications. These can provide the evidence that a cybersecurity program has been initiated and is functioning. The CIS Controls Self Assessment Tool (CIS CSAT) is a self-evaluation tool organizations can use to demonstrate and measure their adherence to cybersecurity best practices. CIS CSAT also illustrates the alignment between multiple cyber defense frameworks. The tool is free to use, offers reporting features, and allows teams to join and collaborate on questions related to the CIS Controls. Read more on our blog: CIS CSAT: A Free Tool for Assessing Implementation of CIS Controls.

A holistic view of cyber defense

By following a prioritized cyber defense program, your organization can get a more holistic view of its current security. Because the CIS Controls are mapped to other frameworks, following a consolidated approach provides a comprehensive analysis of the implementation without adding further audits or compliance cycles to cybersecurity and audit teams. This reduces the strain of implementing many frameworks at once while ensuring strong defense protocols are in place. Of course, you should always follow up to ensure you are meeting any regulatory requirements for your industry or location. We like to think of the CIS Controls as an “on-ramp” to more rigorous cybersecurity programs such as the NIST 800 series.

Practical security for real protection

Meeting compliance requirements is about more than just following rules – it’s about implementing real security. For example, a strong cyber defense program like the CIS Controls will include asset inventory, incident response, and secure configurations. By using the CIS Controls to measure both compliance and practical security actions, you can build a stronger defense program for protecting the whole organization.