From the Ground Up: How CIS Best Practices Helped Build A Cybersecurity Consulting Agency

Businesses and organizations around the world are facing a gap between their existing cybersecurity processes and the stronger defenses needed to stop attacks. There are multiple frameworks available to help organizations get up to speed and into conformance. However, not all best practices are created equal. Some are driven by a single organization’s perspective, while others are created with security as an afterthought.

The CIS Controls and CIS Benchmarks are cybersecurity best practices, created through a unique community consensus process, that lead the way towards improved defenses. By collaborating with security professionals from around the world, CIS develops holistic cybersecurity guidance (the CIS Controls) and specific hardening configurations for technologies (the CIS Benchmarks). Both are included with CIS SecureSuite Membership to help organizations implement security best practices and stop cyber-attacks.

Let’s examine how Inovo InfoSec leverages CIS SecureSuite Membership to bolster cybersecurity for its clients. Led by CEO Eric Rockwell, Inovo InfoSec provides cyber defense services to help organizations improve their cyber maturity and prevent attacks.

Adaptive security for modern challenges

Rockwell has been familiar with the CIS Controls since their origins as the SANS Top 20. He’s seen firsthand how the security best practices have shifted in prioritization and grown over time. Rockwell describes how the CIS Controls have helped form a foundational knowledge base of cybersecurity guidance.

“I have literally been growing this security consulting practice we have from the ground up…based on the 20 CIS Controls.”

By leveraging CIS SecureSuite Membership, Inovo InfoSec is able to implement the CIS Controls in client engagements to provide real security for customers. In particular, Rockwell works with small businesses and solution providers. “So far,” he says, “we’ve identified 64,000 solution providers in the U.S., U.K., and Canada, and we’re trying to arm them with this type of adaptive defense – a policy driven approach.” He hopes that by helping these organizations and their clients, Inovo InfoSec can have a large impact on reducing breaches.

A strong starting point for maturity development

Rockwell’s security team has found that on a zero-to-five-point scale, the cyber maturity of most organizations measures around 0.7, meaning there’s a lot of work to do. But with finite technical, financial, and human resources, knowing where to start can be a challenge.

Inovo InfoSec has rebuilt their product offering around one prioritized solution, the CIS Controls Implementation Groups (IGs). “I love the new Implementation Groups,” says Rockwell. “That’s a tremendous resource.” The IGs are a new prioritized way to look at the CIS Controls and develop a cyber maturity program. Introduced in Version 7.1, the IGs can help Rockwell’s team grow clients’ cyber defenses in a logical and security-conscious way.

By combining the CIS Controls IGs with their consulting experience to more effectively leverage existing tools and processes, Inovo InfoSec is able to take many clients from the 0.7 maturity score to a 2.5 with minimal investments. “And, we start chipping away highly effectively at the risk and where most of the attacks are coming from,” describes Rockwell, “and get them to a point that’s actually safe for them to conduct business in.”

Flexible, yet powerful configuration security

The team at Inovo InfoSec leverages the robust CIS Benchmarks configuration guidelines by importing them into a CIS-verified assessment tool. Through a honeypot server used to measure malicious activity, Rockwell knows all too well how leaving the pre-installed settings can create major vulnerabilities. “They’re just default configurations on the server, but we see tens of thousands of actual successful attacks and breaches every month.”

When it comes to client security, he trusts the CIS Benchmarks for cyber defense recommendations. It’s one of the most exciting capabilities included in CIS SecureSuite Membership, according to Rockwell. “We absolutely love the different Benchmarks that we’re able to import and scan against,” he explains. CIS SecureSuite Members can download CIS Benchmarks in multiple formats including machine-readable XML files.

A surefire recommendation for CIS SecureSuite

The bottom line on CIS SecureSuite Membership? “Excellent value,” says Rockwell. “It should be part of everybody’s security program.” For his team, the Membership provides critical resources that help protect clients from cyber-attacks while growing a cyber maturity program. From leveraging the CIS Controls IGs for prioritized resource management to conducting assessments against CIS Benchmark guidelines, there’s a lot to discover in CIS SecureSuite.