A new SANS survey reports 90% of organizations taking the survey have adopted some or all of the Critical Security Controls (CSCs), and that financial and government industries are leading adopters of these controls.
“Organizations across a broad range of industries are making steady progress toward adopting, integrating and automating the CSCs,” says James Tarala, SANS Analyst and author of the survey results paper. “Still there are problems inhibiting adoption of all of the controls. Staffing issues, lack of budget and silos that limit communication between IT security and operations continue to be barriers adopters encounter.”
In this 2014 survey, 63% of respondents blamed adoption woes on insufficient staffing or personnel resources, 54% cited lack of budget, and 36% blamed adoption problems on the ongoing disconnect between operational and security silos. These are the same key problems identified in last year’s survey, and they haven’t gone away.
Not all have adopted all controls, nor are they following the order of the controls currently listed as 1-20. But of those who are able to measure improvement from the controls they’ve adopted, 24% cited clearer visibility, 16% noted the controls improved risk posture and 11% improved their ability to detect advanced attacks.
“The survey identifies a number of things the Council on CyberSecurity [which hosts the controls] can do to support the community of adopters,” says Tony Sager, director of the SANS Innovation Center and chief technologist for the Council on CyberSecurity. “For example, they can use more guidelines and case studies, which we are working on.”
The need for more usable case studies of successful implementations was identified by 65% of respondents, while 54% said they need better operational best practices.
Because the primary sectors represented in this survey were financial and government, creating guidelines for these two sectors would be a great place to start sharing new information on best practices from those working on the front lines across these sectors. Sager adds, “The Controls are not about having the best list of things to do—they are about members of a community helping each other improve their security!”