Saving Customers Time, Money in Hardening to CIS Benchmarks

Sicura is a startup in the cybersecurity and compliance industry. It offers a product that helps organizations in financial services, government, and other sectors to harden their infrastructure to different regulatory standards and frameworks.

We sat down with Kendall Moore, CTO at Sicura. Kendall oversees Sicura's use of cybersecurity technologies and partnership opportunities, ensuring they align to how both current and prospective customers use tooling. In this capacity, he communicates strategy to the team, drives the directions of products, and shares Sicura's vision as a speaker at industry events.

Kendall told us how Sicura began using its CIS SecureSuite® Product Vendor Membership, particularly its participation in the CIS OEM Partner Program, as part of its broader Security Control Management (SCM) platform, ensuring automated compliance to CIS Benchmarks, DISA STIGs, and other frameworks.

Let’s examine how this happened.

The Challenge: Lack of Quality Content in Helping Customers to Build Compliance Frameworks

Sicura wanted a consistent way to automate system hardening in a compliant manner, freeing engineers from having to do it manually. It also wanted this solution to address the standards and regulations for which customers rely on Sicura's SCM platform to harden their systems through continuous remediation, automated enforcement, and configuration drift control.

Most customers voice their interest in complying with the CIS Benchmarks®.

"The CIS Benchmarks are superior in terms of content accuracy," remarked Kendall. "Other benchmark authors put out 'free' content that’s riddled with false positives, rarely if ever updated, and carbon copies of itself across successive versions. This content is not fun to use and just ends up creating more work. By contrast, the CIS Benchmarks do a really great job reputationally."

Kendall recognized that many of Sicura's customers are looking to build an internal technical compliance program for the first time. They don't always understand which frameworks and standards are required in a specific industry. Because the Benchmarks map to and are referenced by other frameworks, they simplify this process.

Customers of Sicura's SCM platform want access to the Benchmarks and other quality content from the Center for Internet Security® (CIS®), but not all of them can purchase a CIS SecureSuite® Membership on their own. As a result, they can do only so much to streamline their efforts to harden their systems to the Benchmarks. They can't tailor a Benchmark's recommendations to fit their needs in CIS WorkBench or rapidly deploy a Benchmark using a CIS Build Kit.

Sicura wanted to find a way to support its customers with CIS content.

The Solution: Actionable CIS-CAT Pro Results through the CIS OEM Partner Program

Sicura made the decision to join the CIS OEM Partner Program, which is available exclusively to CIS SecureSuite Product Vendor Members.


Through its participation in the CIS OEM Partner Program, Sicura gives customers access to CIS-CAT® Pro Assessor through its SCM platform so they can scan their systems' settings against the Benchmarks. It also guides customers through the process of remediating or building new based on their CIS-CAT Pro results, helping them to more closely conform to the Benchmarks on a long-term basis.

"The CIS OEM Partner Program gives us a foot in the door as a product vendor," explained Kendall. "Customers get to run a scan using CIS-CAT Pro Assessor, and we get to show them how they can build from it. In that way, we're adding value to CIS-CAT Pro Assessor. We're not looking to build something competitive or different. We're giving customers information and expertise they can use to take action on their scan results."

The Impact: Over $2M Saved for Customer in First Year with Sicura

By joining the CIS OEM Partner Program as a CIS SecureSuite Product Vendor Member, Sicura saved time, money, and effort by not needing to develop its own configuration assessment tool. Its SCM platform customers experienced similar savings in the process. For instance, before coming to Sicura, 12 IBM Cloud system engineers and administrators spent hours monitoring and configuring customer servers' compliance to DISA STIG in support of NIST-800-53, HIPAA, and the Benchmarks. This dropped to two engineers after IBM Cloud began working with Sicura, saving an estimated 4,300 hours and $2.36 million through lower labor costs and improved efficiency within its first year using Sicura's all-in-one solution. In addition, IBM Cloud benefited from security assurance, faster ATO/cATO readiness, and reduced engineering burden after getting started with Sicura's SCM platform.

Sicura also used its participation in the CIS OEM Partner Program to refine how it completes CIS Benchmarks Certification, which enables designees to advertise they can scan and harden against the Benchmarks for which they're certified. When Sicura started going through this process prior to joining the CIS OEM Partner Program, it needed to first demonstrate a CIS-CAT Pro scan as close to 0% (non-compliance) as possible. From there, it needed to demonstrate it could get that score up to an acceptable number of around 96%. Internally, this took Sicura some time, and then it took CIS several days to award Certification. This process was the same for each Benchmark — that is, until it joined the CIS OEM Partner Program. The Program automates the entire CIS Benchmark Certification process, saving Sicura additional time and effort.

Today, Sicura is certified to scan and harden against dozens of Benchmarks.

This success in part traces back to the quality of Sicura's partnership with CIS. As a CIS SecureSuite Product Vendor Member and participant in the CIS OEM Partner Program, it routinely works with the CIS-CAT Pro team to discuss use cases and share feature enhancements from its customers. It also regularly works with the Benchmarks team to relay customer feedback and track requests.

Sicura’s Support of an Ongoing CIS Partnership

When asked about his experience partnering with CIS, Kendall expressed interest in making Benchmark exceptions a first-class citizen. He said this would help Sicura to support customers' compliance to specific aims and use cases — even in instances where customers don't have access to WorkBench and thus can't tailor a Benchmark themselves.

He went on to share how he continues to enjoy partnering with CIS over the years.

"It's been a great partnership since we first started working with CIS in 2021," he said. "We're seeing a lot of traction, especially with mappings to different NIST standards in the government space."

Now It’s Your Turn!

Through the use of its CIS SecureSuite Product Vendor Membership and its participation in the CIS OEM Partner Program, Sicura provides its customers with access to CIS-CAT Pro Assessor and actionable content. This helps its SCM platform customers to securely harden their systems to the Benchmarks along with other standards and regulations.
