Prioritizing CIS Controls for effective cybersecurity across organizations
In this Help Net Security interview, Randy Marchany, CISO at Virginia Tech, discusses the challenges and strategies associated with implementing CIS Controls in organizations of varying sizes.
Marchany explores the importance of securing top-level management support, breaking down data silos, and setting realistic timelines for project completion. The discussion also highlights the prioritization of key controls for inventory management, the use of metrics to measure implementation effectiveness and the adaptation of CIS Controls for different organizational scales.
What are the most common challenges organizations face when implementing CIS Controls, and how can they be addressed effectively?
The biggest challenge is getting top C-level management to authorize and support a CIS Controls implementation project. The implementation team(s) need to a) determine what data is needed to implement a particular control, b) find the unit within the organization that has control access to this data, and c) get this information from these units.
The team(s) may encounter some bureaucratic resistance to getting a copy of this data, and that’s why C-level support is very important. Another challenge is determining a workable timetable for completion of the project. This is a long-term, 3-5 year effort, depending on the organization’s size. Smaller companies usually don’t have an advantage over larger companies when setting a project completion date. One reason for this is smaller organizations, by their nature, have smaller IT teams whose time is already highly allocated to other projects.
Most organizations already have pieces of the information needed. The challenge is breaking through the data “silos” to combine those data elements into a source of truth.
For organizations starting with CIS Controls, which controls should they prioritize and why?
While the CIS doesn’t recommend any particular order to implementing the controls, I would recommend starting with controls 1-3, which determine your hardware, software, and most importantly, your sensitive data inventories. The three controls help you answer questions such as:
- Given an IP address, can we answer the 5 “W” questions?
  - Where is the asset located?
  - What software and data is stored and/or processed by that asset?
  - Who is responsible for the asset’s care, maintenance, storage, and security?
  - How is the asset accessed and used?
  - Why is it critical to the company’s operation?
A reliable inventory of hardware, software, and data is critical to creating a workable security architecture.
What metrics or indicators do you recommend organizations use to measure the effectiveness of implemented CIS Controls?
There are several assessment tools that you can use to create a set of metrics that present the status of the implementation. To build an assessment questionnaire, you can use commercial GRC tools. For example, there are five safeguards for control 1 (Inventory and Control of Enterprise Assets). A set of assessment questions for these controls might include the following:
- Do you have and maintain a detailed hardware asset inventory?
- How do you handle unauthorized assets?
- Do you use an active discovery tool on all of your assets?
- Do you use DHCP?
- Do you use a passive discovery tool to find your hardware assets?
These results show your current state relative to the CIS controls.
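The two answers above (combining siloed data into a source of truth that can answer the 5 “W” questions for an IP address, and turning the Control 1 assessment questions into status metrics) can be illustrated with a small reconciliation script. This is an added example, not code from the interview, from Virginia Tech, or from CIS. Every record, DHCP log line, field name and metric definition in it is a constructed assumption; a real implementation would read these from the CMDB, DHCP server and discovery tool instead of inline literals.

```python
"""Added example: reconcile three asset-data silos (CMDB, DHCP leases, active scan)
into one inventory keyed by IP, answer the "5 W" questions for an address, flag
unauthorized assets and report simple Control 1 status metrics. All data below is
constructed for illustration; it is not from the interview or from CIS."""
import re
from dataclasses import dataclass, field

# --- constructed sample data from three silos --------------------------------
# Records the asset-management team keeps (the CMDB silo). Field names are assumed.
CMDB = [
    {"ip": "10.0.1.10", "hostname": "db01", "owner": "dba-team",
     "location": "DC-A rack 12", "software": ["postgresql 15", "openssh 9"],
     "data": ["customer PII"], "access": "ssh from bastion; psql from app tier",
     "why": "primary order database"},
    {"ip": "10.0.1.20", "hostname": "web01", "owner": "web-team",
     "location": "DC-A rack 12", "software": ["nginx 1.24"], "data": [],
     "access": "https from internet", "why": "customer storefront"},
    {"ip": "10.0.1.30", "hostname": "old-jump", "owner": "", "location": "unknown",
     "software": [], "data": [], "access": "", "why": ""},  # stale record, no owner
]
# Constructed ISC-dhcpd-style log lines (the network team's silo). Only DHCPACK
# lines bind an IP to a MAC; a bare DHCPDISCOVER has no address yet and is skipped.
DHCP_LOG = """\
Jan 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:10 (db01) via eth0
Jan 10 09:13:44 dhcp1 dhcpd: DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:20 (web01) via eth0
Jan 10 09:15:09 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to aa:bb:cc:00:00:77 (laptop-x) via eth0
Jan 10 09:15:10 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:88 via eth0
""".splitlines()
# Active discovery results (the scanner's silo): ip -> open TCP ports (constructed).
ACTIVE_SCAN = {"10.0.1.10": [5432, 22], "10.0.1.20": [443], "10.0.1.77": [3389, 445]}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?")


def parse_dhcp_leases(lines):
    """Return {ip: {"mac", "hostname"}} from DHCPACK lines; other messages are ignored."""
    leases = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["ip"]] = {"mac": m["mac"], "hostname": m["host"] or ""}
    return leases


@dataclass
class Asset:
    ip: str
    sources: set = field(default_factory=set)    # which silos know this IP
    record: dict = field(default_factory=dict)   # CMDB fields, if any
    mac: str = ""
    open_ports: list = field(default_factory=list)

    @property
    def authorized(self):
        # Assumption: "authorized" means the CMDB has a record for the address.
        return "cmdb" in self.sources


def build_inventory(cmdb, dhcp_lines, scan):
    """Merge the three silos into one dict keyed by IP (the source of truth)."""
    inv = {}
    for rec in cmdb:
        a = inv.setdefault(rec["ip"], Asset(ip=rec["ip"]))
        a.sources.add("cmdb"); a.record = rec
    for ip, lease in parse_dhcp_leases(dhcp_lines).items():
        a = inv.setdefault(ip, Asset(ip=ip))
        a.sources.add("dhcp"); a.mac = lease["mac"]
    for ip, ports in scan.items():
        a = inv.setdefault(ip, Asset(ip=ip))
        a.sources.add("scan"); a.open_ports = sorted(ports)
    return inv


def five_w(inv, ip):
    """Answer the 5 W questions for an IP, or None if no silo knows it."""
    a = inv.get(ip)
    if a is None:
        return None
    r = a.record
    return {"where": r.get("location") or "unknown",
            "what": {"software": r.get("software", []), "data": r.get("data", []),
                     "open_ports": a.open_ports},
            "who": r.get("owner") or "unassigned",
            "how": r.get("access") or "unknown",
            "why": r.get("why") or "unknown",
            "authorized": a.authorized}


def unauthorized_assets(inv):
    """IPs seen on the network (DHCP or scan) that no CMDB record claims."""
    return sorted(ip for ip, a in inv.items() if not a.authorized)


def metrics(inv):
    """Constructed status metrics for Control 1: inventory coverage and hygiene."""
    known = [a for a in inv.values() if a.authorized]
    seen = [a for a in known if a.sources & {"dhcp", "scan"}]
    owned = [a for a in known if a.record.get("owner")]
    return {"inventoried": len(known),
            "unauthorized": len(unauthorized_assets(inv)),
            "stale_records": len(known) - len(seen),  # in CMDB, never observed
            "owner_coverage": round(len(owned) / len(known), 2) if known else 0.0}


if __name__ == "__main__":
    inventory = build_inventory(CMDB, DHCP_LOG, ACTIVE_SCAN)
    print(five_w(inventory, "10.0.1.10"))
    print("unauthorized:", unauthorized_assets(inventory))
    print(metrics(inventory))
```

Run as a script it prints the 5 W answers for the database host, the one address observed on the network that the CMDB does not claim (10.0.1.77), and the metrics. The `stale_records` and `owner_coverage` values are the kind of numbers the questionnaire answers feed into: a CMDB entry nobody has seen on the wire, or one with no owner, is a gap in the inventory even though the safeguard is nominally "implemented".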
How can CIS Controls be adapted for different sizes of organizations, from small businesses to large enterprises?
The CIS created Implementation Groups (IGs) that define a minimum set of control safeguards that should be implemented by any company regardless of size.
Implementation Group 1 (IG1) safeguards are the minimum steps organizations should apply to defend against common attacks. There are 56 steps in IG1.
IG2 safeguards (56) should be applied in addition to IG1 steps by medium-sized enterprises. The largest enterprises should implement IG3 steps (23). There are a total of 153 steps to implement the CIS Controls fully. IG2 includes IG1, and IG3 includes IG1 and IG2 steps.
How do CIS Controls integrate with other cybersecurity frameworks and standards?
The CIS Controls map to various national and international frameworks and standards. NIST 800-53a Rev 5 Moderate/Low, NIST 800-171, PCI 4.0, the Australian Signals Directorate’s Essential Eight, UK NCSC Cyber Essentials v.2.2, CMMC 2.0, HIPAA, NERC-CIP, COBIT 5, and SWIFT are among the standards that can map to the CIS Controls.