Last week, I was in a meeting with about a dozen senior executives discussing the 20 Critical Security Controls. These were once known as the “SANS Top 20” and have been taken over by the non-profit Council on Cybersecurity to provide independent stewardship of these excellent controls.
The 20 Critical Security Controls is a prioritized list: the first four are ranked the most critical, with impact and criticality decreasing as you move down the list, at least as a general statement. The challenge is that each organization’s risk profile, risk tolerance and threat landscape looks a little different.
In addition, everyone has invested somewhere on the top 20 list with varying degrees of success. Roll all of this together, add some internal resource contention, and we found that a lot of the organizations in the room were struggling with how to prioritize their efforts and investments.
Fortunately, one of the participants at our round table shared a tool he uses to drive executive-level discussions regarding his organization’s status and risk as it relates to the critical controls.
The picture below shows an example of a status slide he uses (showing dummy data):
I like this approach for many reasons, including the following:
1. It is customized to the organization
The slide has a line saying, “Protection From the Most Likely Attack Vectors.” This statement is powerful because it means an organization has spent time deciding what attacks the organization is most concerned about. Furthermore, organizations can tell their story of risk through that lens.
2. It helps keep the conversation from going ‘into the weeds’
This chart is high-level enough that you can have a strategic discussion around it, even with people who are not technical. It is fairly easy to explain how something like, “Secure Configurations for Hardware and Software on Laptops, Workstations and Servers” relates to the success of the business without getting into the technical details.
3. It uses primary colors to focus the conversation
This boils things down into a red, yellow and green assessment of current state, rated against the attacks identified as concerns, as well as the capabilities of the organization. This is a great way to discuss the current state versus the desired state in order to drive an investment and prioritization conversation.
4. It is a snapshot that shows progress or the impact of proposed investments
The executive who shared this with us uses a “before and after” slide that builds to tell a story. “This is where we are. If we adjust our resources as proposed, this dashboard will look like this.” By showing that visual contrast, people are more likely to be pushed towards action.
In the end, if a discussion can be driven so that it becomes about business risk, it will have more effective outcomes. I believe this sort of visual will help security professionals get there.
What about you? Are you struggling with how to handle the critical security controls? Have you found your own methods that work in your organization? I’d love to hear your stories.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].