Top 5 Steps To Guarantee CIS Controls Success
In theory, the CIS Controls are perfect for SMBs: They're straightforward enough for organizations with limited cybersecurity experience to implement, and they're comprehensive enough to significantly enhance the organization's daily security posture.
Bad news first: implementation of the Controls often gets bogged down for a number of (avoidable) reasons.
Now the good news: we had the privilege of talking with CIS Controls expert Tony Krzyzewski, and got his take on the most critical steps you can take to ensure your CIS Controls implementation goes smoothly.
Tony is a cybersecurity legend: He’s contributed directly to all the recent revisions of the CIS Controls, serves as New Zealand’s representative for ISO standards that govern cybersecurity, and is one of only four CIS Controls Ambassadors in the world. He co-founded SAM for Compliance, a consulting firm that offers a cloud-based compliance management tool that’s helped hundreds of organizations work their way through the Controls.
Instead of focusing on the Controls themselves, he emphasized many intangibles that can make or break an implementation. Here are our Top 5.
#1: Have an Advocate
So you want to implement the CIS Controls. What’s the first thing you should do? According to Tony, you’re going to need help. As in, you need buy-in. “Buy-In” from leadership might be obvious, but Tony is specifically focusing on the “boots on the ground” here.
“Get Operations involved right away,” Tony implores. In other words, talk to the rest of your IT team and everyone else involved with day-to-day operations and let them know how critical they’re going to be in this process. You’ll need them to answer specific questions, implement required changes, and maintain the new standards going forward.
It’s about building relationships and trust at the top (how else will you get the support and dollars you need?) and throughout the rest of the organization, so there are as few surprises as possible, and you’re not fighting an uphill battle every time you ask someone to pitch in. (Sound familiar? Sounds like our Golden Vector to me.)
#2: Ask this question: HOW do you know what’s on your network?
It’s Security 101 and the very first CIS Control: Know what’s on your network … But read Tony’s question again, a little more carefully.
When you ask most teams if they know where all their assets are, they invariably answer ‘yes.’ But this inventory stage is so critical that it needs to be gone over with a fine-toothed comb. Says Tony, “[First] I’d say figure out a few basic things. One, find out where your assets are, and they need to be accessible totally at a moment’s notice. One thing I do is ask them, ‘HOW do you know where your assets are?’
This usually ends up in a bit of confusion, but I make the point because it’s critical that they all know where they are, conclusively, even if they choose to keep them in different locations. What I don’t like to hear is, ‘They’re in finance,’ or ‘We have these ones on our asset register.’ Wherever you keep them, you need to have one master register, or some assets are going to go unprotected. That's going to undermine the whole thing.”
When you get down to it - and here’s where having an “Advocate” comes in again - this entails assembling your operations managers, system administrators, and those at the “coalface,” as he puts it, and hearing from them firsthand where those assets are.
Tony also reminded us to prioritize the most sensitive data, and not to forget about the cloud.
Knowing what’s on your network is the first CIS Control for a reason: It makes every other control that much easier to manage.
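A concrete form of Tony’s “HOW do you know?” check, as an added example that is not code from the article or from SAM for Compliance: several partial registers (constructed sample data) are merged into one master register, and any asset that appears in only one register, or that the endpoint-protection console does not report as covered, is flagged as the kind of asset that “is going to go unprotected.”

```python
"""Reconcile several partial asset registers into one master register.

Constructed example: three teams each keep their own list (finance, IT,
cloud) and the EDR console reports which hosts it actually protects.
An asset listed by only one team, or missing from EDR coverage, is the
gap a single master register is meant to close.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample registers, keyed by the team that maintains each one.
REGISTERS: dict[str, list[str]] = {
    "finance": ["ws-fin-01", "ws-fin-02", "srv-erp"],
    "it": ["ws-fin-01", "srv-erp", "srv-dc01", "srv-file"],
    "cloud": ["vm-web-01", "vm-db-01", "srv-file"],
}
# Constructed: hosts the endpoint-protection console says it covers.
EDR_COVERED: set[str] = {"ws-fin-01", "srv-erp", "srv-dc01", "vm-web-01"}


def normalize(name: str) -> str:
    """Case and whitespace differences are a common reason two registers disagree."""
    return name.strip().lower()


def build_master(registers: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map every asset to the set of registers that list it."""
    master: dict[str, set[str]] = defaultdict(set)
    for source, names in registers.items():
        for name in names:
            master[normalize(name)].add(source)
    return dict(master)


def single_source_assets(master: dict[str, set[str]]) -> list[str]:
    """Assets only one team knows about: nobody else will notice if they drop off."""
    return sorted(asset for asset, sources in master.items() if len(sources) == 1)


def uncovered_assets(master: dict[str, set[str]], covered: set[str]) -> list[str]:
    """Assets in the master register that the protection tooling does not report."""
    covered_norm = {normalize(host) for host in covered}
    return sorted(asset for asset in master if asset not in covered_norm)


if __name__ == "__main__":
    master = build_master(REGISTERS)
    print(f"{len(master)} assets across {len(REGISTERS)} registers")
    print("known to one team only:", single_source_assets(master))
    print("not covered by EDR:", uncovered_assets(master, EDR_COVERED))
```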
#3: Avoid Binary Answers
This next suggestion was a more nuanced one, but integral nonetheless. With many standards, the answer to a requirement is expected to be a simple “yes” or “no.” While that sounds good on paper, it’s not very helpful in the real world.
Says Tony, “It’s best to think of your CIS implementation advancements as being on a spectrum. We know it’s not always cut or dry, so I like giving organizations a chance to respond with options like ‘not started, not thinking about it, thinking about it, started, partially finished, etc.’ in every area. That gives them a chance to be honest about their self-evaluations and start from a more honest place.”
It’s also a more effective way to track progress and show improvement over time. Another critical component of this: Give yourself permission to be honest and critical of where you are. It’s OK to say “Haven’t started” or “Not thinking about it” … The most important thing is that you know where you really are in the process, so you can circle back and prioritize improvements over time.
#4: Be Patient
When they sit down to really integrate the CIS Controls into their overarching cybersecurity strategy, most people have no idea how long it’ll take to implement (is it ever really done, anyway?). Tony urges teams to be patient, because “it is usually three to four [years].” Here’s why, in his own words:
- Year 1: “You take the first year to realize how bad you are, or at least IT does. I get a lot of clients saying things like, ‘I knew we were off, but I didn’t know we were that far off.’ You get that all the time.”
- Year 2: “The second year, you’re proving to higher-ups how bad you are and how you need funding to close the gap. You’re trying to get buy-in, you’re trying to get budget, you’re showing execs reports, if you’re smart, and they’re believing you. This gives you the go-ahead to do what you’ve got to do the next two years.”
- Year 3: “Year three, you’re implementing the Controls and getting the bugs out. You’ve got support, you’ve got the budget at this point, and your maturity is building. It’s amazing how fast things go when you’ve got all that.”
- Year 4: “On year four, you could say you’re there. But, of course, in cybersecurity, that’s always a moving target. But it’s as good as it’s going to get, and everything’s up and running. You’re in pretty good shape. And then, the next year, we come out with a new version, and you’ve got to do it all over again! [laughs].”
And again, this gets back to #1. You need buy-in and trust to take people on a 4-year journey.
#5: Find an Expert
I asked Tony where the breakdown is between beginning the process of implementing the Controls (which many do) and actually successfully implementing them (which many don’t). The answer was two-fold: Have a solid tool to manage the process, and have someone who can serve as a guide (at least initially).
Tony said, “So many times, without this process or these Controls, you’d go in and consult with an organization, they’d see this big mountain of standards, you’d say, ‘good luck,’ and you’d come back in a year, and they’ve done nothing. They don’t know where to start.
I come into an organization (full disclosure: as a paid consultant), and it takes two, two-and-a-half days to really get things set up. They’re told, ‘This is where you are; this is what you need to fix,’ and then I spend time populating their CIS Controls with them. And then those are the people that want me to come back in a year, just to show me what they did and how it’s working in their environment. They’re proud because it’s working [for them].”
Leaning on a consultant to help you initially align with the CIS Controls can make all the difference, especially for a small organization. The other secret is a good tool to manage it all - gone are the days of using spreadsheets to keep track of something this complicated. It might be a shameless plug, but Tony’s company has developed just such a tool, and it’s invaluable for keeping things organized. As Tony said, “My biggest competitor is Excel.”
In Conclusion
The CIS Controls (currently in version 8) are designed to equip companies of any cyber maturity level with an “essential” level of cyber hygiene, and the various Implementation Groups (IG1, IG2, IG3) build on each other as they go. These are especially “essential” for small businesses, local government municipalities, and the like because they help teams go from zero to a solid level of defense.
The Verizon DBIR continues to point out (year after year) the ways in which all the clichéd attack vectors - web application attacks, phishing, credential attacks, the exploitation of vulnerabilities - consistently lead to a high percentage of breaches.
Simpler than NIST, the CIS Controls give organizations a foundation of cybersecurity that prepares them against the majority of challenges that they will face, whether from compliance requirements, external threats, or simply an unbearable level of risk.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.