CIS 20 101: The Essential Introduction to CIS Controls Implementation
This blog was coauthored by Ted Gruenloh, Sentinel COO, and Scott Smith, CISO of the City of Bryan, Texas.
Everything you need to know about CIS Controls, including where to start.
Cyber threats will continue to appear in worldwide headlines for the foreseeable future. If you’re reading this, you’re likely looking to keep your organization from co-starring in them. We offer good news, however. Even organizations with tight budgets and limited resources can take proven steps to dramatically improve security, and they can begin today.
Best Practices Make Perfect
The Center for Internet Security® (CIS) is a non-profit that crowdsources various experts within the global IT community to safeguard organizations against cyber threats. Among other outputs, their list of CIS Controls™ (the “CIS 20”) is compiled and vetted by both public agency experts (think NSA) and private experts and is considered to be the gold standard for improving an organization’s basic cyber hygiene.
These basic guidelines are free to download, and the best part is that they are organized step-by-step to make it approachable for actual, living, breathing humans. State and local governments can even use the powerful scanning tool for free as well.
Why Sooner is Better than Later
Security threats to organizations of all types and sizes are now constant, pervasive, and dangerous to varying degrees. Even if infrastructure is not damaged or held hostage, one needs only to recall the great 2017 Equifax debacle (and the resulting $425 million settlement[1]) to find an illustration of how a failure to implement even a few basic CIS controls can derail an organization’s mission.
Sentinel has many municipal and public institution clients and has warned them of an increase in ransomware attacks on state and local governments. Just this summer, there have been too many incidents to count, from the coordinated attacks in Texas to the two Florida cities that paid more than $1 million combined to free their systems[2].
The short story is that serious threats are only increasing in frequency and sophistication, yet many can be avoided with a simple adherence to the most basic CIS Control implementations.
The Main Goal of CIS Controls and Who Benefits Most
The essential purpose of implementing CIS Controls is to increase the internal visibility of the organization’s digital operations, from physical infrastructure to the software it runs. After all, you can’t protect what you don’t know you have. Incidentally, Sentinel specializes in making entire networks “invisible” to threatening actors in the first place, but again, you must have a thorough understanding of all entry points in order to fully cloak complex infrastructure.
Any organization of any size will benefit from implementing CIS controls, but naturally those with fewer physical and human resources and smaller budgets will realize the greatest benefits of even basic protective measures. For CISOs and CTOs entering a new organization or role, CIS guidelines are an excellent roadmap for creating a sound, organization-wide, digital foundation.
Getting Started
Note: CIS Controls Version 7.1, released in April 2019, takes simplicity a step further. It is the first version to include “Implementation Groups,” which give organizations an easier way to classify themselves and focus resources on what matters most to their missions. Previous versions did not include this self-selected sub-grouping of the CIS Control hierarchy.
The beauty of the CIS Controls is in their simplicity. You may laugh at that when you first glance at the number of sub-controls and the whole task feels Herculean. But the entire list is organized as a linear guide, not a Choose Your Own Adventure. Just follow the recommendations in order and they will take you through the following phases:
- Basic: These include the most cost-effective actions and focus on inventory across the network. The network core is a top priority, and individual devices and workstations must also be accounted for.
- Foundational: These are spread across a number of specialized organizational operations and sometimes require more time, effort, and cost to implement properly. Expertise is often required to determine which items are the right ones for your organization to focus on.
- Organizational: As with any organization-wide rollout, these are more expensive, ongoing items related to policy and testing that ensure long-run, airtight effectiveness.
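The “Basic” phase starts with knowing what is on the network, which in practice means reconciling what you can actually observe against the inventory you think you have. The following is an added example, not code from the original post or from Sentinel or CIS: it compares a constructed list of discovered devices (the kind of data a DHCP lease export or a passive discovery scan would produce) against a constructed authorized-asset list keyed by MAC address, and reports devices that are unknown, expected but absent, or known but with a hostname that no longer matches the record. Field names and sample values are assumptions for illustration.

```python
"""Added example: reconcile discovered devices against an authorized inventory.
All data below is constructed for illustration; field names are assumptions."""

# Constructed sample of what network discovery might observe.
DISCOVERED = [
    {"mac": "00:11:22:33:44:55", "ip": "10.0.1.10", "hostname": "fin-ws01"},
    {"mac": "00-11-22-33-44-66", "ip": "10.0.1.11", "hostname": "fin-ws02-old"},
    {"mac": "AA:BB:CC:DD:EE:FF", "ip": "10.0.1.99", "hostname": ""},
]

# Constructed sample of the inventory the organization maintains.
AUTHORIZED = [
    {"mac": "00:11:22:33:44:55", "owner": "Finance", "hostname": "fin-ws01"},
    {"mac": "00:11:22:33:44:66", "owner": "Finance", "hostname": "fin-ws02"},
    {"mac": "00:11:22:33:44:77", "owner": "Utilities", "hostname": "util-ws03"},
]


def normalize_mac(mac):
    """Canonical lowercase, colon-separated form so '00-11-..' and '00:11:..' match."""
    return mac.strip().lower().replace("-", ":")


def reconcile(discovered, authorized):
    """Return (unauthorized, missing, mismatched).

    unauthorized: discovered devices with no inventory record (the key finding)
    missing:      inventory records for which nothing was observed
    mismatched:   known devices whose observed hostname differs from the record
    """
    auth_by_mac = {normalize_mac(a["mac"]): a for a in authorized}
    seen = set()
    unauthorized, mismatched = [], []
    for dev in discovered:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        record = auth_by_mac.get(mac)
        if record is None:
            unauthorized.append(dev)
        elif dev["hostname"] and dev["hostname"] != record["hostname"]:
            mismatched.append((dev, record))
    missing = [rec for mac, rec in auth_by_mac.items() if mac not in seen]
    return unauthorized, missing, mismatched


def report(discovered, authorized):
    """Human-readable findings, one line per item, for a ticket or a weekly review."""
    unauthorized, missing, mismatched = reconcile(discovered, authorized)
    lines = []
    for dev in unauthorized:
        lines.append(f"UNAUTHORIZED  {dev['ip']:<12} {normalize_mac(dev['mac'])}")
    for rec in missing:
        lines.append(f"MISSING       {rec['hostname']:<12} owner={rec['owner']}")
    for dev, rec in mismatched:
        lines.append(f"MISMATCH      {dev['ip']:<12} observed={dev['hostname']} "
                     f"inventory={rec['hostname']}")
    return lines


if __name__ == "__main__":
    for line in report(DISCOVERED, AUTHORIZED):
        print(line)
```

Keying on MAC rather than IP keeps the comparison stable across DHCP lease changes; the normalization step matters because different tools emit different MAC formats, and an unnormalized comparison would report false “unauthorized” devices. The unauthorized list is the one worth acting on first, since it is precisely the set of things you “don’t know you have.”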
The most important step to take is the first one!
A Differing Opinion: If Sentinel Wrote the Controls
The CIS Controls are written by a vast network of the smartest network security experts available as a logical, linear guide, to be consumed item by item. The Sentinel team, however, has one qualm about the stated priorities as they currently exist: if you have the opportunity, elevate security threat awareness training for employees into the first group of CIS Controls that you tackle. An organization’s people are the most dangerous element of a network full of moving parts. In the end, they should be conscripted as allies in the fight against threats by educating them on common issues early and often.
Realistic Timing Expectations
Timelines for each CIS Control, sub-control, and phase of implementation vary widely according to specific organizational needs, available resources, and risk appetite. Clearly, a mid-sized municipality will have different priorities than a banking institution, and timing is affected by priority.
At the City of Bryan, we’ve prioritized getting through the six “basics,” or the first items in the CIS Controls guidelines. We approached the process with a mixed mindset of patience and urgency. It has taken time to implement but is worth doing to mitigate a large amount of risk.
While it is of utmost importance to begin (and begin soon), it may take years to implement the CIS Controls that make sense for your organization. You want to do it right, so make sure your stakeholders know what that commitment takes.
Overcoming Organizational Barriers
Resistance to change is a rule in any organization, and when policy is shifted or information is demanded across multiple departments, it is natural to expect pushback. The most successful leaders of network security overhauls follow a few simple rules of thumb:
- Communicate motivations transparently. There has never been a more important “same-team” effort.
- Educate yourself on each department’s business practices and goals to approach their concerns from an angle of support.
- Educate departmental stakeholders on their value as security advocates, encouraging early internal notification of possible threats.
Taking the First Step
Download the latest version of CIS Controls here and review them with your team. The most important action to take is to simply take action. Invariably, questions arise. That’s why Sentinel is here. We offer a free Network Gateway Assessment, which can help your organization narrow down your own list of prioritized CIS Controls to implement.
Sentinel Is Here to Help
Our mission is to provide expertise, focus, and firepower for organizations that may not have the resources of giant global players. CIS and the CIS Controls are built for people exactly like our customers, and we want them to be aware of every tool that is available. If you or anyone in your organization has questions about the implementation of CIS Controls or how we can help, please feel free to contact us.
[1] https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.