Using the CIS Top 20 Controls to Implement Your Cybersecurity Program
By Kes Jecius, Senior Consulting Engineer
I have the privilege of working with security groups at many different enterprise companies. Each of them is being bombarded by many different vendors who offer security solutions. No surprise, the common estimate is that there are approximately 2,000 vendors offering different products and services to these companies.
Each of these companies struggles with determining how to implement an effective cybersecurity program. This is made more difficult by vendors’ differing views on what is most important. On top of this, companies are dealing with internal and external requirements, such as PCI, SOX, HIPAA and GDPR.
The Center for Internet Security (www.cisecurity.org) offers a potential solution in the form of a framework for implementing an effective cybersecurity program. CIS defines 20 controls that organizations should implement when establishing a cybersecurity program. These controls fall into three categories:
- Basic – Six basic controls that every organization should address first. Implementation of solutions in these 6 areas forms the foundation of every cybersecurity program.
- Foundational – Ten additional controls that build upon the foundational elements. Think of these as secondary initiatives once your organization has established a good foundation.
- Organizational – Four additional controls that are that address organizational processes around your cybersecurity program.
Most organizations have implemented elements from some controls in the form of point security products. But many don’t recognize the importance of implementing the basic controls before moving on to the foundational controls – and their cybersecurity programs suffer. By organizing your efforts using CIS’s framework, you can significantly improve your company’s cyber defenses, while making intelligent decisions on the next area for review and improvement.
Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a platform solution that provides significant value in 7 of the 20 control areas and supporting benefit for an additional 10 controls. Additionally, RedSeal has pre-built integrations with many security products and easy integration with others via its REST API interface.
Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.