Financial limitations, a lack of resources, unclear risk appetite and multiple compliance demands are all internal forces that can impair the success of an organization’s cybersecurity efforts. The 20 Critical Security Controls (20 CSC) are one proven way to obtain a baseline for prioritization in implementing the necessary technical controls required to support a healthy network security posture.
Development and advocacy for the controls, previously governed by SANS, are now the responsibility of the Council on CyberSecurity (@CouncilonCyber), an independent not-for-profit organization with a global scope which was formed to catalyze change and to accelerate the availability and adoption of effective security measures, best practices and policies.
We had the opportunity to speak with Jane Lute – President and Chief Executive Officer of the Council – and Elizabeth Ireland – VP Marketing at Tripwire – who will be discussing the challenges involved in building a robust security program at the Gartner Security and Risk Management Summit, June 23-26, 2014, at the Gaylord National Resort and Convention Center in National Harbor, Maryland.
The panel includes Jeff Franklin, CISO for the State of Iowa, and the session will examine how organizations implement the third-party-validated, authoritative framework called 20 Critical Security Controls to make security practical, effective and aligned to the business.
Lute most recently served as Deputy Secretary for the Department of Homeland Security (DHS), and from 2003-2009 she served as Assistant Secretary-General of the United Nations, as well as having been the Executive Director of the Carnegie Commission on Preventing Deadly Conflict.
She also served on the National Security Council staff under both President Bush and President Clinton and had a distinguished career in the United States Army, including service in the Gulf during Operation Desert Storm. Lute has a Ph.D. in political science from Stanford University and a J.D. from Georgetown University.
Ireland has over twenty years of technology marketing, business development and strategy experience, and has previously held leadership positions at nCircle, Extensity, MapInfo and the May Company, as well as having been a Certified Public Accountant and Computer Audit Specialist with Ernst & Young.
Everyone understands that resources are not unlimited in any organization. So how can you prioritize spending on cyber security efforts? Lute says one CISO at a power company used a rather simple technique with great success: He took the popular “SANS 20 Critical Security Controls” poster and did a basic self-assessment of his organization’s security posture against the measures listed using a simple red, yellow, or green yardstick.
“No outside consultants, no exotic technology. He and his team did a self-evaluation to see where they stood as compared to the best guidance out there on good cybersecurity practice — the 20 Critical Security Controls,” Lute recalled.
“He showed the results of that assessment on two slides to his Board of Directors and they immediately understood the problem. For the first time, they allocated funding for cybersecurity as a separate line, and put themselves on a program to improve. The important takeaway from this example is that without spending a lot of money, the case can be made.”
This is a timely topic for many organizations that are grappling with the changing threat environment. At the same time there are changing external threats, there are often internal issues as well. Funding is a conversation that happens around every initiative in an organization, and providing adequate resources for establishing the right level of cybersecurity is a critical topic.
“Every organization has financial and resource restrictions, and we will be addressing some practical and pragmatic ways to address these issues, like what are the new avenues for funding? How can you connect the need for improved cyber security to a risk appetite in an organization?” Ireland said.
“An organization needs a framework to make decisions against—this protects against unlimited spending or under spending, and clearly ties investment to what matters to the business.”
Ireland says that leaving the level of acceptable risk undefined is a recipe for either spending too little or too much, and without a definition and target to move towards, it leaves too much open to chance.
“Every organization can perform, they just need to set parameters to achieve against, and without that there is in essence no scoreboard,” Ireland said. “Setting the level of acceptable risk is a part of good management, and while the cybersecurity team should have input, it is the business that needs to accept the risk – in many organizations this is a challenge as measuring cyber-risk is a new discipline.”
Lute points out that companies need to know what’s connected to their networks and what’s running or trying to run on them, limit and manage those who have admin privileges, and have in place an automated system like DHS’s continuous diagnostics and mitigation; otherwise they are signaling that their appetite for risk is unlimited. No one wants to send that message.
“One of the benefits of the 20 Critical Security Controls is that they represent a risk judgment by a respected segment of the expert community, that you can prevent 80-90% of all known attacks by implementing and staying current on basic cyber hygiene,” Lute said. “No enterprise needs to conduct a cyber risk assessment as if nothing were known. We know what to do to get you to a baseline of protection that prevents the vast majority of all known attacks.”
Ireland agrees, and says it is critical to be in a position to register any early indicators of breach activity. “A baseline is all about that, especially on your critical servers and infrastructures, discerning a ‘known secure state’ is a must. You need to be able to revert to that state, understand the scope if you have had any changes, and to be able to identify in real-time what may look like minor changes but may turn out to be early indicators of breach activity.”
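The “known secure state” Ireland describes is, at its simplest, a recorded baseline of the files on a critical server that later snapshots are compared against. The following is an added illustration (not code from Tripwire or from the original article) that snapshots a directory’s file digests and permission bits, then reports the scope of drift; the file names and contents are constructed for the demo, not taken from a real host.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Capture a 'known secure state': SHA-256 digest, size and permission
    bits of every file under root, keyed by path relative to root."""
    root = Path(root)
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[str(path.relative_to(root))] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return state

def diff_states(baseline, current):
    """Scope the drift since the baseline: files added, removed, modified
    (content changed) or mode_changed (only permission bits changed)."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            b_digest, _, b_mode = baseline[rel]
            c_digest, _, c_mode = current[rel]
            if b_digest != c_digest:
                report["modified"].append(rel)
            elif b_mode != c_mode:
                report["mode_changed"].append(rel)
    return report

def demo(root=None):
    """Constructed scenario (hypothetical files, not a real host): baseline a
    small tree, apply three small changes, and return the diff report."""
    root = Path(root or tempfile.mkdtemp())
    (root / "etc").mkdir(exist_ok=True)
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "passwd").chmod(0o644)
    baseline = snapshot(root)                      # the known secure state
    # Drift: a config edit, a new file under cron.d, and a permission change
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
    (root / "etc" / "cron.d").mkdir(exist_ok=True)
    (root / "etc" / "cron.d" / "job").write_text("* * * * * root /opt/job.sh\n")
    (root / "etc" / "passwd").chmod(0o666)
    return diff_states(baseline, snapshot(root))
```

Each of the three changes is small on its own, which is exactly the kind of drift the quote above describes; the report separates content changes from permission-only changes so an analyst can judge scope rather than just “something changed”.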
The Gartner panel session should appeal to anyone who wants to have the support of the wider community of “fellow travelers” on the security journey to help them overcome obstacles in their organizations in order to adopt known best practice – from other business lines competing for resources, from C-suite executives who may not understand the persistent threats, or from Boards that haven’t yet turned their cybersecurity discussions into support for effective action.
“People should leave this conversation determined to do the right thing. Implementing the 20 Critical Security Controls helps prioritize the most important actions that every enterprise should take first to strengthen their cybersecurity posture,” Lute said.
“People should also leave this conversation confident that they are part of a wider community committed to implementing known best practices, and should be aware that resources exist to help them on this journey. Tell us your story and we will share your example. We want to celebrate more cybersecurity heroes.”
Lute further points out that failing to implement the 20CSC will almost certainly mean that accountable officials will at some point have to face their Boards, their shareholders, and their customers and admit that they didn’t observe the minimum standard of due care when it came to protecting their information, their identities, the intellectual property and the IT systems that the enterprise uses to deliver value.
As the National Governors Association call to action on Cybersecurity (“Act and Adjust”) says: “…the Council on CyberSecurity’s Critical Controls for Effective Cyber Defense is an industry standard that provides…a security framework that can strengthen…cybersecurity defenses and ultimately protect information, infrastructure, and critical assets. Compliance with that standard will provide a baseline of defense, deter a significant number of attacks, and help minimize compromises, recovery, and costs.”
Lute notes that the Council and the Center for Internet Security have joined forces with the National Governors’ Association Homeland Security Advisers to launch the National Cyber Hygiene Campaign.
“In the coming year we will showcase best practice, provide tools to help others adopt basic cyber hygiene based on the 20 Critical Controls and comply with the NIST cybersecurity framework,” she explained. “Raise your hand and tell us who you are — we want to focus on you — the professionals and enterprises out there showing how, every day, that best practice can become common practice.”
Lute points out that no enterprise in the marketplace delivers any value today without relying on the Internet, and it will not be possible to deliver that value without having basic cyber hygiene in place. “Companies can deliver products and services, improve sales, reach customers, and run themselves effectively with sound cybersecurity practices in place,” Lute said. “It doesn’t have to be either or.”
Ireland notes that while it is entirely an organization’s choice which framework to implement, the key takeaway is that every organization should definitely make that choice.
“This is going to be an elevated discussion at the boardroom level as these questions will continue to be asked: Are we doing what is considered best practice? What are other organizations doing? Can we measure our progress against our peers?” Ireland said.
“Besides, there is the concept of quick wins, and I always like a pragmatic approach to solving a problem – make progress, and then move on to solving the harder problems.”
- Demonstrating Enterprise Commitment to Best Practice
- Threat Mitigation and the 20 Critical Security Controls with Tony Sager
- The Role of Security in Creating a Standard of Due Care
- Attention General Counsel: Do You Know Your DDoS from Your APT?
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].