There are numerous tools and services available to help companies achieve a higher level of cyber resilience and hygiene, which can make it overwhelming for business owners and even IT managers to determine the best approach. This “Fog of More” could actually result in reduced cyber readiness levels, since the tools and services selected do not have value unless they are properly implemented and managed on an ongoing basis.
Luckily, there are simpler paths available to assist middle market leaders in their quest for establishing a more secure and cyber-ready organizational environment. Years ago, methodologies began to emerge from organizations such as the SANS Institute due to increased cyber attacks on defense-related entities. In 2015, these methodologies were transferred to the Center for Internet Security, a non-profit organization focused on developing best practices for a safer cyber security environment. Their developments now serve as the leading guidelines for both public and private organizations, and they provide a basic roadmap for developing a more effective cyber security posture.
The Center for Internet Security guidelines consist of 20 key actions called critical security controls (CSCs) that organizations should consider in order to reduce their cyber risks. The CSCs are designed so that all organizations – regardless of size or industry – can leverage them as the foundation of an effective and easy-to-implement cyber readiness program. Collectively, the controls are commonly referred to as the CIS Top 20 and are broken into three categories: Basic, Foundational, and Enterprise.
The Basic category examines the essential practices that must be put in place in order to have a meaningful approach toward security. For instance, it requires organizations to have a good handle on their hardware and software assets because in order to address vulnerabilities, you must know what machines and applications you currently have. The Foundational category builds on the Basic elements and introduces best practices such as having proper email and web protection and recovery tools in place. Finally, the Enterprise category introduces organization-wide elements and emphasizes the need for effective training, awareness, and incident response programs.
In order to successfully implement the CIS Top 20 approach, you do not have to strictly start at the lowest category and build up from there. Instead, you can select elements from each of the three categories that will be addressed in parallel, depending on organizational realities, priorities, and resources. Adopting a well-established methodology such as the CIS Top 20 offers a simple and effective approach with tangible results. Feel free to contact us to learn more about how to put this approach to work for your organization.