Security Controls in a Nutshell: Improve Your Organization’s Security Maturity
Now more than ever, organizations need to strengthen their defenses to protect their critical data assets against security incidents and data breaches. Security controls are frequently cited as effective safeguards or countermeasures to avoid, detect, counteract or minimize security risks to a company’s assets. Depending on the industry you operate in, your organization may be subject to a specific set of information security controls, such as PCI DSS for payment processors or NIST for federal agencies in the United States, or to more broadly applicable security control frameworks such as the 20 CIS Critical Security Controls or ISO 27001.
We’ve gathered a collection of the most frequently asked questions around security controls that may help your organization identify the types of controls that will be most helpful to improve your security maturity, achieve compliance and strengthen your defenses against data breaches and security incidents.
Which security control framework should I implement?
What’s the difference between security control frameworks? While many organizations are aware of security control frameworks in general, only a few actually know which ones they should adopt and implement in order to improve their security maturity. Our blog article “NIST, CIS/SANS 20, ISO 27001 – Simplifying Security Control Assessments” was written with precisely this challenge in mind. It outlines the most commonly known security control frameworks and provides recommendations for which framework makes sense for your organization, depending on your industry, business objectives and level of security maturity. If you’re looking to conduct a control assessment, the article may provide helpful information on where to start.
How can security controls help secure my organization?
The primary objective of security controls is to help organizations manage their risk and protect their critical data assets from intrusions, security incidents and data loss. If you’re wondering how exactly security controls can help secure your organization, check out this blog article, which explains each of the 20 security controls recommended by the Center for Internet Security (CIS) and provides detailed examples of how they can help organizations reduce their risk, strengthen their security posture and lower operational costs.
Why aren’t more organizations using security controls?
Despite the obvious benefits of implementing controls (see above), many organizations are still hesitating to take the leap. Why is that? What are the challenges that organizations may face? And would it be better to implement controls yourself or to outsource the project to an external provider? We’ve compiled an article about the numerous obstacles companies face in deploying cybersecurity frameworks. This post will help you understand the challenges you may encounter and what you can do to overcome them.
How can I measure the effectiveness of my security controls?
Although organizations are starting to implement security controls, many are still at a loss when it comes to measuring their effectiveness. Too often, they rely on good old Excel spreadsheets to document which controls they’ve implemented – spreadsheets that require manual updating and lots of time. Instead, what organizations need is a cybersecurity analytics tool that provides an at-a-glance overview of how well your security controls are working and how they affect your security maturity overall. In our blog article “How to Measure Controls Effectively”, we talk about how you can track controls to understand your current security posture, see it evolve over time and lower your cybersecurity risk in line with your business objectives.
If you would like to learn more about security controls and about which controls tend to be most useful to effective cyber defense, check out our webinar hosted in collaboration with the SANS Institute about “Managing the CIS Critical Security Controls within Your Enterprise”.