Cybersecurity relies on specialists of every kind – CISOs, network systems administrators, cloud experts, human resources and more – to achieve success. It takes a true team to avoid the pitfalls of failing controls and successful attacks. And just like team sports, cybersecurity has rules and playbooks that help everyone stay safe and provide guidance on how to be successful. One type of ‘playbook’ in cybersecurity is the set of frameworks that your organization can follow to improve its cyber defenses. Some are influenced by a risk-based model and others by a prescriptive model. The CIS Controls are one well-known security best practice framework based on real attack data and a consensus development process involving an international group of volunteers. The consensus process brings together cybersecurity experts from multiple industries around the world to create a prioritized list of cyber defense actions. Formerly known as the SANS Top 20, the CIS Controls are used by organizations around the world to protect their systems and data from cyber attacks.
Because of multiple security regulations and standards, organizations often choose to implement more than one framework. For example, a local hospital may need to meet privacy compliance for GDPR, payment card security for PCI, and data security compliance for HIPAA. Because the CIS Controls offer prioritized security guidance and are mapped to various standards and regulations, some end users have described them as a useful “on-ramp” to meeting regulatory compliance.
No matter which cybersecurity framework(s) you choose to implement, you’ll want to measure against it to see how your team fares. Without taking score, how will you know if you’ve really improved your organizational cyber defenses?
It’s important to look at your organization’s overall cyber defensive actions, not just those within a particular department. Once you’ve identified a security framework to put in place, see if it offers any tools or other resources to help you measure your implementation. Ideally, everyone on the team can input their work towards a particular security control. You’ll want to measure and track the implementation of the cybersecurity program over time – hopefully improving your security posture as you go. You can manually record security control implementation or use a tool such as CIS CSAT (CIS Controls Self-Assessment Tool). CIS CSAT provides a free method for organizations to track their implementation of the CIS Controls. It offers the ability for different team members to answer security control assessment questions, ensuring accountability across the organization. After all, in many organizations the person responsible for adding email SPF records may not be the same person responsible for securing workstations. CIS CSAT helps the entire team take part in the security journey. Organizations using CIS CSAT can also:
- Delegate questions to other team members
- Set deadlines for each CIS Control and sub-control
- Collect documentation related to your findings
- Capture team discussion about each assessment question
Over time, your organization should be able to implement more and more of whichever security framework(s) you decide on. But you’ll never know if you aren’t keeping score! Measure your security control implementation not just once, but on a regular cadence. Doing so at scheduled intervals will help you identify gaps in security and remediate them. You can also see if your organization is improving its adherence to cybersecurity regulations over time. Organizations can measure their compliance with the CIS Controls over time using CIS CSAT. Assessment results from CIS CSAT can be exported per department or organizational unit, or you can take a more holistic view of the entire organization’s security. With cross-mappings to additional security frameworks like NIST SP 800-53 and PCI DSS, you can also track your alignment between other best practices and the CIS Controls. This free tool also allows you to anonymously compare your results to the average of your industry or other peer groups to help drive the direction of your security program.
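To make the idea of "keeping score" concrete, here is an added example of the kind of scoring a team could run over its own self-assessment answers. It is not code from this post or from CIS CSAT. It scores control implementation per department and organization-wide, compares two assessment cycles, lists the remaining gaps together with the externally mapped requirements they affect, and shows which delegated owner still has open items. The control identifiers, departments, owners, answer scale and cross-mapping are all constructed placeholders, not real CIS Control numbers or real NIST SP 800-53 / PCI DSS references.

```python
"""
Added example: scoring security-control self-assessment answers across two
assessment cycles (not the blog post's or CIS CSAT's own code).
All identifiers and data below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed answer scale: how far a control question is implemented.
IMPLEMENTATION_SCORE = {"not implemented": 0.0, "partially": 0.5, "implemented": 1.0}

# Constructed cross-mapping: placeholder control id -> placeholder external references.
CROSS_MAP = {"CTL-A": ["NIST-X.1", "PCI-Y.1"], "CTL-B": ["NIST-X.2"], "CTL-C": ["PCI-Y.3"]}


@dataclass(frozen=True)
class Answer:
    cycle: str       # assessment cycle label (constructed)
    department: str  # organizational unit that answered (constructed)
    control: str     # placeholder control id, not a real CIS Control number
    status: str      # one of the IMPLEMENTATION_SCORE keys
    owner: str       # team member the question was delegated to (constructed)


# Constructed sample answers for two cycles; in practice these would be exported
# from the team's assessment tool.
SAMPLE_ANSWERS = [
    Answer("2023-Q1", "IT", "CTL-A", "implemented", "alice"),
    Answer("2023-Q1", "IT", "CTL-B", "partially", "alice"),
    Answer("2023-Q1", "IT", "CTL-C", "not implemented", "bob"),
    Answer("2023-Q1", "HR", "CTL-A", "partially", "carol"),
    Answer("2023-Q1", "HR", "CTL-C", "not implemented", "carol"),
    Answer("2023-Q3", "IT", "CTL-A", "implemented", "alice"),
    Answer("2023-Q3", "IT", "CTL-B", "implemented", "alice"),
    Answer("2023-Q3", "IT", "CTL-C", "partially", "bob"),
    Answer("2023-Q3", "HR", "CTL-A", "implemented", "carol"),
    Answer("2023-Q3", "HR", "CTL-C", "not implemented", "carol"),
]


def score_cycle(answers, cycle, department=None):
    """Mean implementation score per control for one cycle, optionally for one department."""
    per_control = defaultdict(list)
    for a in answers:
        if a.cycle != cycle or (department is not None and a.department != department):
            continue
        per_control[a.control].append(IMPLEMENTATION_SCORE[a.status])
    return {c: sum(v) / len(v) for c, v in per_control.items()}


def overall_percent(scores):
    """Organization- or department-wide implementation as a percentage of the assessed controls."""
    if not scores:
        return 0.0
    return round(100.0 * sum(scores.values()) / len(scores), 1)


def gaps(scores, threshold=1.0):
    """Controls scoring below the threshold, with the external requirements mapped to each."""
    return {c: CROSS_MAP.get(c, []) for c, s in sorted(scores.items()) if s < threshold}


def progress(answers, earlier, later, department=None):
    """Per-control change in score between two cycles (positive means improvement)."""
    before = score_cycle(answers, earlier, department)
    after = score_cycle(answers, later, department)
    return {c: round(after.get(c, 0.0) - before.get(c, 0.0), 2)
            for c in sorted(set(before) | set(after))}


def open_items_by_owner(answers, cycle):
    """Delegated questions that are not yet fully implemented, grouped by owner, for accountability."""
    items = defaultdict(list)
    for a in answers:
        if a.cycle == cycle and IMPLEMENTATION_SCORE[a.status] < 1.0:
            items[a.owner].append(a.control)
    return {owner: sorted(ctls) for owner, ctls in sorted(items.items())}


if __name__ == "__main__":
    for cycle in ("2023-Q1", "2023-Q3"):
        print(cycle, "organization-wide:", overall_percent(score_cycle(SAMPLE_ANSWERS, cycle)))
        for dept in ("IT", "HR"):
            print("  ", dept, overall_percent(score_cycle(SAMPLE_ANSWERS, cycle, dept)))
    print("progress Q1->Q3:", progress(SAMPLE_ANSWERS, "2023-Q1", "2023-Q3"))
    print("remaining gaps:", gaps(score_cycle(SAMPLE_ANSWERS, "2023-Q3")))
    print("open items by owner:", open_items_by_owner(SAMPLE_ANSWERS, "2023-Q3"))
```

Running the script scores the constructed answers for both cycles, prints the change per control, and lists the controls still below full implementation along with the placeholder external requirements that share the gap, which is the per-department versus whole-organization view the post describes.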
As I mentioned, it takes a whole team in order to achieve a strong cyber defense posture. From everyday users spotting a phishing attempt on the frontlines to hardened IT experts building strong firewall rules, it’s up to all of us. By choosing a strong program, measuring implementation, and tracking your security controls over time, your team can win big. And remember, there’s always room to grow more secure in our habits – insofar as cybersecurity can be considered a game, our truest opponents are always ourselves.
About the Author
Philippe Langlois is currently a Technical Product Manager for the CIS Controls®. In this role, he leads an international community of cybersecurity experts who develop best practices which help mitigate the most prevalent cyber threats. He manages the production, writing, and publication of a range of cybersecurity resources. Working in collaboration with users of the CIS Controls, he ensures the quality and utility of the guidance, plus the availability of tools, scripts, and other resources aiding users with implementation of the CIS Controls.