CIS 20 Controls

Cyber security is a new but enduring business function. Just like all other business functions, it must measure how well this function is being performed. Yet for many “Main Street” organizations today, there are no processes in place to measure where they stand, no way to measure progress towards a goal and no vision of what the goal is. 

This is most likely a result of the relative youth of the cyber security function. It isn’t because there aren’t ways of measuring ourselves – thankfully there are a lot of peer-reviewed methods to assess cyber security posture. It’s just that the word hasn’t gotten out yet – at least not to “Main Street” America. Threats have been communicated (and cyber criminals have communicated it even more clearly), but the communication of solutions to said problems hasn’t been handled well.

Note: If you already have a standards-based framework that measures your cyber security posture, then this article probably isn’t for you. Bookmark our page and pass it along to a friend that needs it.

How to Measure Your Cyber Security Program

Cyber security is a broad and complex subject, and even the experts argue about what is most important and how we should measure ourselves. So…when trying to decide how to measure your cyber security health, it’s probably not a good idea to re-invent the wheel. The good news is that whatever your business type, there is an existing set of standards that are tailored to measure your cyber security posture. In fact, if you are in certain verticals, you most likely have regulatory requirements to use a published standard such as NIST 800-53, PCI-DSS or SOC 1 / 2. 

But the majority of “Main Street,” privately held businesses don’t have these regulatory requirements, and thus many haven’t had a measurement system introduced to them. Quite frankly, most of the regulatory frameworks are onerous and overly complicated for what most businesses need anyway. The great news: there is a free standard that any organization of almost any size can use as the foundation for their cyber security program. It’s called the Center for Internet Security’s 20 Critical Controls (a.k.a “CIS 20”).

What are the CIS 20 Controls?

The Center for Internet Security is a 501(c)(3) non-profit formed in 2000 to promote and sustain best practices in cyber security. The CIS benchmark controls are a collaborative effort of security experts from industry, government, and academia who regularly review and revise the controls in response to developments in technology and the threat environment. The benchmark is prioritized, guiding oranizations to establish a rock-solid foundation first and prioritizing ROI. The CIS 20 benchmarks and supporting documentation are provided at no cost, and there are many community-generated technical and non-technical tools to support sustained implementation. Finally, the CIS 20 framework is ideal for immature cyber security programs, as it prioritizes establishment of a strong foundation from which future efforts can grow.

It’s called the “20 Critical Controls” for two reasons: 1) They are critical – there is no “fluff” here, and 2) There are 20 of them.

Jumping into the CIS 20 Controls

So over the next 20 articles, the CIS 20 Controls are going to be broken down, one by one. Even though these controls are designed for “Main Street,” the jargon can be intimidating even if the concepts are relatively straightforward. We will cut through the lingo and get to the point in a clear and concise fashion. If you stick along for the ride, it is a fact that you will emerge with a solid understanding of not only the CIS 20 standard, but a solid understanding of the pillars of cyber security.