Amidst the volatility, uncertainty and noise of the cybersecurity field, few best practice frameworks have emerged as consistently reliable and useful as the Center for Internet Security (CIS) Security Controls. Recently updated as version 7.0, the CIS Controls represent the most important security controls that an organization must implement to secure its data, information systems and operational technology. The wide recognition of this framework as a de facto standard of care for cybersecurity is based on several key attributes.
CIS Controls - Essential and foundational
The CIS Controls take a “must do first” approach to the challenge of securing information systems. Starting with basic controls, such as knowing what’s connected to your network and what’s running on your systems, the Controls advance to more refined controls such as maintaining secure configurations and tight control over administrative rights before tackling the complexities of intrusion detection and incident response. In this way, the CIS Controls take a building block approach to cybersecurity, outlining a roadmap that all organizations can follow. These are essential and foundational controls without which no cybersecurity program can be effective. While there are many more controls that can be implemented with an even broader range of technical capabilities that can be deployed, the focus remains on those controls that matter most. Many experts have suggested that successfully implementing even the first five or six Controls will mitigate 85% or more of cybersecurity incidents. This prioritization and focus can improve effectiveness while eliminating waste and maximizing the return on cybersecurity investments.
Wisdom of the crowds
CIS does not develop these Controls in isolation. Rather, CIS engages a diverse group of cybersecurity practitioners from government, industry and academia in a variety of roles. The breadth of perspectives, representing the various needs and constraints of a cross section of sectors, ensures that these Controls are current and relevant. Of course, crowds can go astray as well, swept up by fads and sentiments. By following a disciplined process of gathering input broadly, reviewing and refining suggestions through an editorial board and seeking commentary on pre-release versions, CIS ensures that it is capturing more wisdom than folly.
While crowd-sourcing remains the core mechanism by which the CIS Controls are developed and refined, relevant data sources are also culled. These include databases and surveys that provide quantitative context to the input of practitioners. The manner in which organizations are commonly breached, for example, helps to prioritize recommended actions. For example, the widely-read Verizon Data Breach Investigations Report notes that the vast majority of attacks exploit already-known vulnerabilities for which there are already-available fixes. The data consistently supports the prioritization of continuous vulnerability management, including timely patching, as reflected in CSC #3.
The CIS Controls apply to every sector and type of organization from large government agencies and Fortune 500 corporations to privately-held mid-size firms and non-profits. Regulations, compliance regimes, auditing requirements, supply chain dependencies and a host of other variables present each sector with its own challenges, but the Controls are flexible enough to be useful to all. In addition to outlining cybersecurity best practices, the Controls map to a broad set of compliance frameworks, even those unique to a sector (such as HIPAA for healthcare or NERC CIP for electric utilities). While compliance does not always translate to better security, the Controls can be implemented at the same time. In other words, the organization can take steps to increase security in a real way and achieve compliance at the same time. By remaining more focused on “what” must be done, and less on “how,” there is flexibility in the organization’s selection of technical capabilities and internal processes to implement the Controls. For example, vulnerability scanning (CSC #3), which should be performed in an automated fashion, can be accomplished through agent deployment or through remote, authenticated scans. The CIS Controls do not prescribe the method as long as vulnerability scanning can be reliably and accurately performed. A closer look at each Control is provided by my colleague Travis Smith in a series of blog posts.
A best practice that needs to be common practice
Even as the CIS Controls continue to gain in recognition and adoption, there is much more to be done. Many organizations still do not have a coherent cybersecurity strategy. Many do not know where to begin and lack the expertise (or interest) to figure it out. And many remain reactive, responding to compliance requirements but otherwise not investing in security. To the goal of broader awareness and adoption, Tripwire will be hosting a key leader of the community of experts which maintains the Controls. Tony Sager, Senior Vice President and Chief Evangelist at CIS, will be our guest during the May 30 webinar, “Jumpstarting Your Cyberdefense Machine with CIS Controls V7.” We'll discuss the following:
- How effective cyberdefense is an information-driven, dynamic “machine”
- Why failure to implement CIS Controls will lead to failure despite having other “advanced” controls in place
- How the CIS Controls align to widely-referenced security frameworks and compliance regimes
- The underlying principles that drive the development of the CIS Controls, particularly the just-released Version 7
- The complementary ecosystem of tools that have grown up around the CIS Controls
Click here to register.