CIS Logo
tagline: Confidence in the Connected World

A Business Program or a Security Program – How Do You Employ The CIS Critical Security Controls?

August 20, 2020

ITSPmagazine

Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively?

For cybersecurity to be genuinely effective, we must make it consumable and usable. We must also bring transparency and honesty to the conversations surrounding the methods, services, and technologies upon which businesses rely.

If we are going to protect what matters and bring value to our companies, our communities, and our society, in a secure and safe way, we must begin by operationalizing security.

Join us as we explore how visionary leaders are Redefining Security.

This Episode: A Business Program Or A Security Program | How Do You Employ The CIS Critical Security Controls?

Host: Sean Martin

Guests:
- Claire Davis
- Phyllis Lee - CIS
- Larry Whiteside Jr.
- Christian Toon

A framework is a framework is a framework. Or is it?

The reality is, a framework is only as good as the process, data, and effort you put into it coupled with the support of the organization you receive to make it work based on business needs.

In today's episode, we bring together 2 guests from a medium-sized company that has implemented the CIS Critical Security Controls, a guest representing an MSSP that leverages the CIS Controls for consistency, transparency, and repeatability across clients, and a guest representing CIS and the framework itself to provide an even broader view surrounding the successful use of this widely-recognized controls framework.

So, what's the trick? As Christian Toon, CISO at Pinsent Masons, states: "Firstly, this is a business program. It's not a security program.

Once that is understood, the team can begin to tackle the selection and implementation of a framework. As Christian noted prior to recording this episode: "For me/us it’s about finding a framework that works best for you. There are many, and in my opinion, many that don’t quite cut it. Bringing the people together to unite under a common banner was important. This was our journey."

And a journey it was, and still is. It's a similar, yet different, journey for Larry Whiteside Jr., Chief Technology Officer at CyberClan, where he and his team see varying cybersecurity and risk maturity levels - each company has its own unique challenges and requirements - the framework helps Larry's organization bring clarity to the risk, the controls, and the process overall.

It's also a journey for the framework itself, as Phyllis Lee, Senior Director for Controls at Center for Internet Security, points out that ongoing revisions help organizations map the controls in meaningful ways, pointing to the recent changes made to map the sub-controls to MITRE ATT&CK.

The star of this show, as you'll hear in this conversation, however, is the champion. In this story, that champion is Claire Davis, program manager at Pinsent Masons. With so many moving parts—the networks, systems, applications, teams, operational infrastructure, colleagues in risk and privacy, the infosec function, etc.—you can't just think you're going to crack this out and deal with it as a side project. Where do you start? How do you make progress? How do you know you're succeeding?

Whatever your journey looks like, every program looks identical at one point: the start. This is the point at which you begin the journey. From there, it can be focused or chaotic. The choice is yours.

Now, it's time to start your journey by listening to this conversation.

Ready? Set. Go!