by Andrea Lee Taylor
We have considered individually the Center for Internet Security's top 5 controls for effective cyber defense. Together, they are a force. Perhaps you're already aware of CIS's statistic: of the 20 controls, implementing just the top 5 reduces known cybersecurity vulnerabilities by 85%. If I got that kind of return from the stock market I'd be retiring. Next week.
And it's not that the recommended set of actions is impossible to implement; far from it! A shift in focus may be required, but we find that most employees and most board members are amenable. Implementing procedures and processes means people may be inconvenienced, even personally so. But more often than not they are open to adopting and adapting when it is for the overall good, including the good of the organization.
When people are educated as to what is important, why it is important and, more importantly, how they can help, it has been our experience that they are more willing to be part of what is being asked than to be a speed bump on the road to greater security.
The CIS resource is not new, and neither are the controls. They are updated periodically; you can download the latest CIS Controls (V7) and read the white paper Practical Guidance for Implementing the Critical Security Controls (V6). It is a way and a place to start. The return on investment comes as strengthened cyber defenses and protection, streamlined administrative security functioning and, ultimately, a savings in financial resources. That is not to say this is not ongoing work that needs financial backing. It is. But job security and interesting challenges are important, and being one breach away from exigency is no way to live or conduct business.
Someday the CIS Controls advice will not be revolutionary in its results because it will be boringly customary. Yet the controls have not been implemented to such an extent as to render their advice moot or their results less than stunning.
They’re that worth implementing.
Update: V7 of the Controls adds Control #6 to the basic list of controls. CIS's approach always keeps an eye on the current threat landscape as well as the latest tools developed for cyber defense. And still, the essential remains the same: making sure the basics are covered makes an exponential difference in an organization's security stability.