I was on a Slack Ask Me Anything (AMA) this week with Phil Stupak, a cybersecurity consultant who knows his stuff. One of Phil’s key messages was to encourage everyone to organize your cybersecurity work with CIS Controls. (You can find them here.)
We recently used these controls to help a customer look beyond all the detail and organize their cybersecurity efforts. So I thought I’d review the controls and how they work.
The Goldilocks Approach to Cybersecurity
Let’s say you want to organize your cybersecurity work with CIS controls. But you’re concerned that these controls are going to be too complicated and expensive to implement. Turns out, you’re in luck. That’s because the controls are prescriptive but flexible.
There’s no “one size fits all” approach to using the CIS controls. In fact, the CIS controls are filtered according to “implementation group.” Roughly speaking, the three implementation groups correspond to small, mid-sized and large organizations, although CIS actually defines them by the resources, expertise and risk profile an organization has rather than by headcount. Many of CGNET’s customers are in the Implementation Group 1 category, described as
An organization with limited resources and cybersecurity expertise available to implement Sub-Controls
Here’s an example of how you tailor the way you organize your cybersecurity work with CIS controls.
- The first control tells you to manage your inventory of hardware assets. Makes sense; if you don’t know what hardware assets you have, it’s hard to know what should or shouldn’t be connecting to your network.
- Once you know what hardware assets you have, the control directs you to limit network access to only authorized hardware assets. Hard to argue with that logic.
- The Sub-Controls specify how to accomplish these tasks. Some Sub-Controls suggest using more complicated tools like DHCP logging to identify hardware assets. These Sub-Controls are suggested for Implementation Groups 2 and 3.
- But we’re going for something simpler. For Implementation Group 1, the sub-control only requires that you maintain an accurate, up-to-date inventory of your hardware assets; a spreadsheet that you keep current is enough to satisfy it.
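Here is an added example (my own illustration, not CGNET’s or CIS’s code) of how the Implementation Group 1 spreadsheet and the Implementation Group 2/3 DHCP-logging sub-control fit together. The spreadsheet, exported as CSV, is the list of authorized hardware; DHCP lease logs tell you what is actually asking for an address on the network. Reconciling the two gives you the three lists the control cares about: devices on the network that are not in the inventory (unauthorized), inventory entries that have not been seen in a while (inactive), and the rest (active). The inventory rows, the dhcpd-style log lines, the device names and MAC addresses are all constructed sample data; the ISC dhcpd DHCPACK line format, the 30-day inactivity window and the year supplied for the year-less syslog timestamps are assumptions.

```python
"""Reconcile an authorized hardware inventory (a spreadsheet exported to CSV)
against DHCP lease logs to find unauthorized and inactive assets."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample inventory: the IG1 spreadsheet, exported as CSV.
# Note the mixed MAC formats, which is what real spreadsheets look like.
INVENTORY_CSV = """asset_tag,hostname,mac,owner,location
CG-0001,fin-laptop-01,00:11:22:33:44:55,Finance,HQ
CG-0002,fin-laptop-02,00-11-22-33-44-66,Finance,HQ
CG-0003,printer-2f,00:11:22:33:44:77,Facilities,HQ
CG-0004,old-desktop-09,00:11:22:33:44:88,IT,Storage
"""

# Constructed sample DHCP server log lines in ISC dhcpd syslog style (assumed format).
DHCP_LOG = """Mar  3 08:01:12 dhcp dhcpd[1234]: DHCPACK on 10.0.1.21 to 00:11:22:33:44:55 (fin-laptop-01) via eth0
Mar  3 08:02:40 dhcp dhcpd[1234]: DHCPACK on 10.0.1.22 to 00:11:22:33:44:66 via eth0
Mar  3 08:05:03 dhcp dhcpd[1234]: DHCPACK on 10.0.1.53 to a4:5e:60:aa:bb:cc (android-9f3) via eth0
Mar  3 08:05:10 dhcp dhcpd[1234]: DHCPDISCOVER from a4:5e:60:aa:bb:cc via eth0
Mar  3 09:15:44 dhcp dhcpd[1234]: DHCPACK on 10.0.1.30 to 00:11:22:33:44:77 (printer-2f) via eth0
"""

MAC_DIGITS_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form, so 00-11-.. and 0011.2233.4455 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_DIGITS_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text: str) -> dict:
    """Map normalized MAC -> inventory row; this is the authorized-asset list."""
    return {normalize_mac(row["mac"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


# Only DHCPACK proves a lease was granted; DISCOVER/OFFER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via"
)


def parse_dhcp_acks(log_text: str, year: int) -> dict:
    """Map normalized MAC -> most recent DHCPACK. Syslog lines carry no year, so it is supplied."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        mac = normalize_mac(m["mac"])
        if mac not in seen or ts > seen[mac]["last_seen"]:
            seen[mac] = {"last_seen": ts, "ip": m["ip"], "hostname": m["host"] or ""}
    return seen


def reconcile(inventory: dict, leases: dict, now: datetime,
              inactive_after: timedelta = timedelta(days=30)) -> dict:
    """Split devices into unauthorized (on the wire, not in the spreadsheet),
    inactive (in the spreadsheet, not seen within the window) and active."""
    cutoff = now - inactive_after
    recent = {mac for mac, lease in leases.items() if lease["last_seen"] >= cutoff}
    return {
        "unauthorized": sorted(mac for mac in leases if mac not in inventory),
        "inactive": sorted(mac for mac in inventory if mac not in recent),
        "active": sorted(mac for mac in inventory if mac in recent),
    }


def run_report(now_iso: str = "2024-03-03T12:00:00") -> dict:
    """Run the reconciliation over the constructed samples as of a given time."""
    now = datetime.fromisoformat(now_iso)
    return reconcile(load_inventory(INVENTORY_CSV),
                     parse_dhcp_acks(DHCP_LOG, year=now.year), now)


if __name__ == "__main__":
    for bucket, macs in run_report().items():
        print(f"{bucket:12s} {', '.join(macs) or '-'}")
```

The unauthorized list is what sub-control 1.6 (address unauthorized assets) asks you to act on; the inactive list is the one to walk with the spreadsheet owner, since a device that has not taken a lease in a month is either retired and should leave the inventory, or is connecting somewhere the DHCP server does not see. Feeding the script a real `dhcpd` log and a real export is the point at which an IG1 spreadsheet quietly becomes the IG2 DHCP-logging sub-control.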
What Are the CIS Controls?
Tim Haight posted a nice description of CIS Controls earlier; you can find it here. The CIS controls are twenty suggested actions that you take to improve your cybersecurity defenses. Each control has several sub-controls, which break the control down into specific, assessable actions; some apply to every organization and some only to the higher implementation groups. Along with this, CIS describes procedures and tools to implement the control and sub-control. Oh, and they also tell you why you want to implement the control; more on that later.
Here’s a sampling of the controls.
- Conduct continuous vulnerability management.
- Control the use of administrator privileges.
- Collect, maintain and examine audit logs that would help understand a potential or recent cyberattack.
Start with a Gap Analysis to Organize Your Cybersecurity Work with CIS Controls
Organizations typically have some cybersecurity defenses in place. If the CIS controls are a roadmap of where you want to end up, the key question is, “where are we starting from?” Here’s where a gap analysis comes in handy.
Take each of the CIS controls and turn them into a question.
- Do we have a means of identifying our hardware assets?
- Next, do we know what hardware assets are active vs. inactive?
- OK, do we have audit logging turned on?
- When was the last time we looked at the logs?
The answers are not going to be yes/no answers. They’ll be more like, “well, we’re collecting some audit logs but not others, and we don’t have a regular schedule to review them.” That’s fine. You want to develop a picture of where you are right now. The CIS controls will tell you where you’d like to be. The distance from here to there? That’s your gap.
So the gap analysis is your “punch list” of items to work as you organize your cybersecurity work with CIS controls. Now you know what to do. And the CIS controls have information about why you need to do these things.
Use These Controls to Talk About Cybersecurity
As Phil said during the Slack AMA, you can use the CIS controls to talk with the organization (especially leadership) about cybersecurity. Executives want to have that conversation. But they don’t know where to start, and they don’t want to sound dumb. The CIS controls let you craft the conversation to focus on business outcomes; the “why” and “for what” part of the discussion. No one else (besides you) has to understand penetration vs. vulnerability testing in order to join the conversation.
And holding those conversations will help you as you organize your cybersecurity work using CIS controls. You’ll be able to get your executives on side. And you’ll be able to get staff bought into cybersecurity as everyone’s concern. Best of all, you’ll sleep better, knowing you have a plan and you’re working it.