It’s Time to Consider CIS Controls for Your Enterprise Security

By Ron Temske, Vice President of Security Solutions, Logicalis US

In previous blog articles, I’ve mentioned the Center for Internet Security (CIS), a nonprofit that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. We think very highly of their approach to cybersecurity, so much so in fact, that Logicalis recently became an Organizational Consulting Member of CIS because we recognize that its approach to security aligns very tightly with our own and supports our values. Here’s why we find CIS important and I think that you will as well.

Recent high-profile attacks have shined a spotlight on inaction and indecision surrounding enterprise security. Much of the lack of decision is due to a lack of a good starting point for enterprise security – the options and steps to take can appear overwhelming.

We recommend one starting point from CIS that provides a straightforward and rigorous method to accomplish enterprise security. Their CIS Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve their cyber defense. The CIS Controls are a publicly-available, non-proprietary set of best practices that have been endorsed by leading IT security vendors and governing bodies.

Many organizations face regulatory and contractual obligations to demonstrate to auditors and their board of directors that they have taken commercially appropriate steps to provide enterprise security.

A consensus-driven set of best practices like the CIS Controls provide the best and most rigorous method to accomplish these requirements and avoid “analysis paralysis.”

The CIS Controls are prioritized in a specific order to help security professionals organize and prioritize their first steps in cybersecurity. According to CIS, the CIS Controls have been proven to mitigate 85 percent of the most common vulnerabilities.

Top Five CIS Controls

Just the first five CIS Controls alone have been found to eliminate most enterprise weaknesses. These CIS Controls are:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges

And, as we have said in an earlier post that bears repeating here, we see organizations leveraging common security frameworks (CSF) in one or more of the following ways:

  1. To improve overall security. Leveraging the CSF blueprint to ensure they address the most important aspects.
  2. As a competitive differentiator. Establishing a competitive advantage due to the greater focus on security and protection of their own and customer assets.
  3. To meet compliance and/or regulatory requirements. Often necessary in specific vertical industries like healthcare or financial.
  4. To free up budget and purchasing ability around security. Once a business decision has been made to pursue a CSF, the subsequent budget required to meet the CSF requirements is frequently easier to receive.

IT security leaders can leverage the CIS Controls to quickly establish protections providing the highest payoff in their organizations. They guide you through a series of foundational and advanced cybersecurity actions where the most common attacks can be eliminated.

Want to learn more? Read a blog post discussing What is a Common Security Framework (CSF) and why is it important to your organization’s enterprise security. Then learn How to Benchmark Your Enterprise Security Using the Critical Security Controls Framework in another post at our Enterprise Security blog. Perhaps it’s time to step up your security game? Don’t be held hostage by ransomware; read these 10 tough security questions every CIO must be able to answer.

 

Leave a comment

Your email address will not be published. Required fields are marked *

Shares