The 20 critical controls are divided into three categories: Basic, Foundational, and Organizational.
- Basic controls (1–6) are the must-have measures for the most basic defense readiness.
- Foundational controls (7–16) are a level beyond the basic controls.
- Organizational controls (17–20) focus more on people and processes.
The CIS further outlines in the CIS Controls v7.1 that an effective approach to cybersecurity can be approached with these steps:
- Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
- Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.
- Measurements and Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
It’s Time to Move to a Risk Management Approach to Security
At OneNeck, we believe that no matter where you are in your security strategy execution, the CIS controls provide prioritized, actionable steps to define and implement a security strategy. While there’s no one-size-fits-all approach to security, today’s organizations can lower the risk of a breach by changing their approach from strictly meeting compliance mandates to a risk management approach that uses practical and proven best practices.
OneNeck CISO, Katie McCullough, puts it like this… “Customers don’t have unlimited spend to go after security. So, at OneNeck, we work with our customers from a risk management perspective. What are their biggest risks? How do we leverage the investments they’ve already made? And how do we maximize their budget? Because the answer isn’t always buying a new security product. It might be microsegmentation of your applications. So, we’re not here to sell them a security product. We are here to help them define and implement risk management for their particular needs.”
In addition to guiding our customers with CSC best practices, internally at OneNeck, we establish practices in alignment with the critical security controls. We follow the advice and recommendations we give our customers, and as an experienced Managed Services Provider (MSP), we’ve seen firsthand how alignment with proven best practices is key in preventing attacks.
If you’re still not sure where to start when assessing your risk, we’d be happy to discuss your options. With the help of our security team, you don’t have to go it alone. Using the CIS 20 Controls as a benchmark, we can help identify the security risks unique to your business, develop a prioritized plan to mitigate risk and assist you in implementing a plan that keeps you safe from current and future attacks.