The Center for Internet Security (CIS), in collaboration with the SANS Institute, developed the CIS Top 20 Critical Security Controls (CSC) to help organizations prioritize their information security efforts and protect themselves from the most common attack vectors. These controls are grouped into three broad categories. Basic controls are the starting point for any information security program and should be in place in every organization. The basic controls include things like maintaining an accurate asset inventory, continuous vulnerability management, restricting the use of privileged accounts, and ensuring logging is in place. Next are the foundational controls, which are technical best practices to help secure your network; they usually build upon the basic controls or require more resources to implement. These controls cover a wide range of topics, from securing your boundary and wireless environment all the way to data recovery. Finally, the third group consists of the organizational controls, which include things like ensuring that the proper policies and organizational structure are in place to support your security program. While the CIS Top 20 controls are a great starting point overall, especially if there is no security program in place today, I would not recommend them to everyone. Let’s take a look at what types of organizations might find these controls most useful and where they might not be a great fit.
When to use the CIS Top 20 Critical Security Controls
Simply put, if you are not following an industry-recognized best-practice framework for your security program, you are in trouble. Whether it is NIST, PCI DSS, HIPAA, or another compliance standard, your organization most likely falls under some sort of privacy or security requirement that mandates how you protect the information you hold. Even if you don’t fall directly under a compliance directive, it is easy to see that a data breach these days brings a significant reputational hit, if not direct financial consequences like fines and lawsuits. If a security incident happens, you need to show that you were taking adequate steps to protect that data. This is much easier to do if you have an industry-recognized framework guiding the conduct of your security program. Then, instead of saying “well, we thought everything was secure,” you can point to the industry-recognized standard you were following to secure that data, helping prove that you were doing your due diligence when it comes to security.
For those organizations that do not fall directly under a specific regulatory requirement like the ones mentioned above, the CIS Top 20 Critical Security Controls can fill this gap. Because they are broken down into 20 easily understood controls, they are less cumbersome than a standard with hundreds of controls such as NIST SP 800-53. The CIS controls are easier to digest, track, and implement. Additionally, if you find yourself with a compliance requirement that demands adequate security but isn’t very prescriptive about which controls you need to have in place (for example, GDPR), the CIS Top 20 Critical Security Controls can provide a great approach: because they come from an internationally recognized body, you can use them to define what adequate security means for you.
The Challenges with the CIS Top 20 Critical Security Controls
The main challenge with these controls is that not all of them are likely to be worth the cost of implementation for your organization, resulting in questionable ROI for some. For example, the CIS Controls require application whitelisting to be in place. This means that each computer has a list of approved applications/software that are allowed to run on it, and if a user tries to install anything else, it won’t be allowed to run. While this may make sense for the most critical technology in your network and can be a great security control, for most small to mid-size businesses the risk reduction (especially with a next-generation antivirus in place) is not worth the cost in employee productivity and the administrative overhead required to implement application whitelisting throughout the environment. Similarly, one of the controls requires periodic red team exercises. Again, while this is a great control, and we certainly recommend it for some of our clients, it is hard to say it is worth the cost for every organization, especially those that are just establishing their security program. Therefore, for some of our clients, not all of the CIS Top 20 Critical Security Controls are a good fit. For some organizations, it’s important to show a “clean report card” or 100% compliance, so they’re not going to go in front of their board and show that some controls are non-compliant. In a perfect world, they would be able to explain to the board that the ROI for those controls is not worth it given their organization’s size, maturity, and resources, making accepting the risk for that particular sub-control the best move. But boards are often not so easy to work with, and it can be very difficult to convey business concepts around security controls to a non-technical audience.
Another challenge with the CIS Top 20 Critical Security Controls arises when another compliance requirement is already in place. For example, the PCI DSS (for organizations accepting credit cards) is very specific about the security controls that have to be in place. Similarly, if your organization is required to meet DFARS or NIST SP 800-53 requirements anyway, then the CIS controls may not be a good fit for you. Although CIS has worked extensively to map these controls to other compliance requirements, trying to maintain multiple security requirements and frameworks can be cumbersome and adds to the complexity of simply trying to secure your network. For that reason, if you are already following a framework or requirement that is more prescriptive in nature, it may be best to hold off on the CIS Controls, at least until you have a good handle on the other standards.
In summary, the CIS Top 20 Critical Security Controls are a great resource. I would recommend them to most CISOs or IT Directors who are trying to implement a security program from scratch, grow a program in maturity, or base their security program on an industry-recognized standard. With that being said, don’t expect to be 100% compliant with these controls within the first quarter or even the first year of implementing them. Additionally, don’t treat every sub-control as mandatory. For each of these controls, it is important to first understand the risk. Conduct a risk assessment to analyze what your biggest risks are, and then decide whether the control being considered is tied to one of those risks. After you have a good handle on the risk a control addresses, make sure you understand the costs of implementing and maintaining that control, both financially and in terms of manpower. Then decide whether that control is worth implementing. Some controls may need to be pushed back until you have a more mature program in place and can budget accordingly. Others may never make sense for your organization. That’s OK, but it is important that you make that decision with full knowledge of the risk, instead of simply guessing. If you want a third party to assist in determining your compliance with the CIS Top 20 Critical Security Controls, we offer a gap analysis based on this standard, which can help you better understand the controls and how to work through this process.