As if securing an enterprise from the never-ending deluge of malware wasn’t enough to keep security professionals busy, there’s an increasingly urgent need to do more to show that you have your act together.
This means demonstrating your state of security, or at least your robust posture, to the many stakeholders of an enterprise, including senior executives and board members, shareholders, partners, suppliers and customers. You have to assure them that you won’t become the next Target, or Neiman Marcus or PF Chang.
This isn’t easy, for several reasons beyond the demands you already face. It’s not always easy communicating to other, non-technical people what you’re doing, why it matters, how it stacks up against the vast landscape of threats and how it compares to the readiness of similar enterprises.
Most senior executives are still new to IT in general, and don’t understand the language of cybersecurity. Neither do most board members, shareholders, supply chain partners, service providers, and clients. You can’t just show them an architecture diagram highlighting your solid defense-in-depth plan, or the detailed log data and analytics available through your SIEM tool, or the superiority of your encryption.
You have to communicate in a way that they understand.
Another challenge is that in a noisy environment of many options- including new products and services from a growing number of providers- it’s hard to focus limited attention and resources on the measures that matter most.
The lack of a commonly understood standard of care, or good cyber hygiene, makes it harder for enterprises to do what really matters, and be able to demonstrate their adherence to a reference that is broadly used.
Finally, it’s even more difficult to measure security. This is a challenge that has, and will continue to, plague security professionals across the physical and logical domains. While trend lines and near-misses are indicative, there is always the difficulty in assessing what-could-have-been within a vast field of known and unknown threats.
So how can you show that you’re doing the right thing to secure your enterprise? One way to do this is to show a commitment to, and alignment with, recognized best practice. By pointing to a standard that is known to be the set of essential, high-payoff measures, an enterprise can assure its many stakeholders that while there is no such thing as 100% secure, there is such as a thing as best-in-class.
The top 20 Critical Security Controls have emerged as a set of prioritized action for enterprise cybersecurity that leading professionals across the spectrum have collaborated to develop, and continue to update and refine.
The Council on CyberSecurity, as an independent non-profit platform for best practice, manages the process by which this community maintains the Controls, and works with strategic partners like Tripwire to encourage their broad adoption as essential cyber hygiene.
Beyond the ongoing stewardship of the Controls, the Council now provides a means for enterprises to demonstrate their commitment to best practice through adoption of the Controls as their enterprise standard of excellence. The 2014 membership program provides a means for both providers and users to publicly attest to their commitment and adherence to best practice.
The Council continues the work of identifying, validating, promoting and sustaining best practice across the areas of people, technology, and policy. Working through our panels of industry experts and leading practitioners, we are working on developing effective ways to measure implementation of the Controls, so that we can all improve our game.
By becoming a member of the Council, you can demonstrate your commitment to recognized best practice, publicly state your adoption of the Critical Controls, and support this important endeavor.
As a Founding Member, Tripwire has been an early supporter of the Council. Now an increasing number of other enterprises are seeing what Tripwire has seen- we can make best practice common practice.
About the Author: Maurice Uenuma is the Chief Operating Officer of the Council, responsible for implementing the organization’s value proposition through its programs and activities. Maurice was formerly with Dell, where he led global, cross-functional teams to establish sales intelligence and decision support capabilities for the $8+Billion IT services business, led the market development team for a $900+Million regional business and served as the operations lead for strategic sales, applying sales best practices to the largest contract pursuits worldwide. Prior to Dell, he was with Perot Systems as a strategist on the enterprise planning group, where he facilitated strategic planning at the corporate and business unit levels.
- Threat Mitigation and the 20 Critical Security Controls with Tony Sager
- The Role of Security in Creating a Standard of Due Care
- Who Should Insure the Nation’s Critical Infrastructure?
- Attention General Counsel: Do You Know Your DDoS from Your APT?
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].