Skip to content ↓ | Skip to navigation ↓

It’s becoming a predictable routine to see businesses and organizations of all sizes featured in breaking news headlines for yet another unforeseen compromise. Meanwhile, executives across all industries are asking themselves, “What can I do to make sure I’m not next?” The answer is not groundbreaking—the majority of attacks can be prevented with known solutions today.

“The problem is that you can’t find an example on your own and learn from it,” said Tony Sager, Chief Technologist and founding member of the Council on CyberSecurity. “Or perhaps that example is too specialized, too costly, or too inconsistent with your current policy or requirements for you to apply on your own.”

Screen Shot 2014-07-29 at 11.55.18 AMSo, why don’t we take what others have learned from previous incidents and apply it to our own security practices? The good news is that we are heading in the right direction.

A new SANS analyst survey recently reported that now 90 percent of participating organizations have implemented or are planning to implement the Critical Security Controls (CSCs), including a greater increase in adoption from entities in the financial and government sectors.

With the survey respondents ranging across all industries, job roles and workforce size, the results show greater overall security awareness and support of the benefits brought by implementing the CSCs.

For the organizations that adequately monitor and asses their security architecture against the controls:

  • 24 percent reported clearer visibility as a top improvement
  • 16 percent found improvements to overall risk posture
  • 11 percent cited the ability to detect advanced attacks as an area of improvement

Additionally, of those organizations aware of and adopting the controls, the report states that the support comes mostly from the top tiers of IT management:

  • 66 percent noted support of infosec management, including CISOs, CSOs and infosec managers
  • 61 percent stated those in operational IT management roles, such as CIOs, CTOs or IT managers were also supportive

However, only 26 percent of respondents indicated support from their organization’s CEO and COO, with similar statistics for business unit managers and auditors:


“It is important for tactical managers to take steps to introduce CEOs, COOs and boards of directors to the CSCs as a means through which to identify and defend their organization’s assets,” said James Tarala, SANS analyst and author of the report, “Especially after witnessing the effect of the Target breach, as well as impacts of other recent large breaches.”

However, not all businesses are in the same position. A number of barriers were listed from survey respondents, stressing the difficulty in their organization to implement some of the controls with the biggest concerns being insufficient staffing or personal resources and lack of budget.


“Personnel and their skills, often affected by budgets, and concern over operational silos definitely are key barriers to effective implementation,” said Tarala. “The lack of communication among silos may, in fact, contribute to the difficulties in prioritizing which controls to implement first.”

Tarala points out many organizations who currently adopt CSCs, don’t necessarily implement the Top 4 controls, which are ranked as the most critical for organizations and their security defenses. The survey findings revealed the most implemented controls, whether fully or partially, were the following:

  • 5: Malware Defenses
  • 13: Boundary Defense
  • 10: Secure Configurations for Network Devices, such as Firewalls, Routers and Switches
  • 12: Controlled Use of Administrative Privileges

It’s possible this approach may also be due to the barriers organizations continue to face, but survey respondents also disclosed various aspects that could help their organizations move forward to adopt the controls. Nearly 70 percent requested more usable case studies of successful implementations, while about 60 percent would like better operational best practices.

It’s important to remember an organization’s security posture does more than just benefit the security of its customers or stakeholders. “As more organizations invest in CSC implementation, the industry is likely to see more quantifiable, clear results of organizations being better able to defend themselves and prove compliance and overall improvements through risk reduction,” said Tarala.

Sager adds, “The Controls are not about having the best list of things to do—they are about members of a community helping each other improve their security.”


Related Articles:


picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Title image courtesy of ShutterStock