The 7 CIS controls you should implement first

Implementing security controls has long been used to mitigate risk? However not all security controls are created equal. To help prioritize the most critical security controls, sources have emerged. Easily the most notable are the 18 Critical Security Controls from CIS, which formerly was the SANS Top 20. While all 18 of the listed CIS critical controls are indeed just that, organizations realistically operate with limited time, resources and attention. For that reason, here are the seven CIS Critical Controls you should implement first.

CIS Controls 1 & 2: Inventory and Control of Enterprise and Software Assets

Yes, we cheated a bit by merging two controls, but they are closely related and highly relevant. CIS Control 1 is Inventory and Control of Enterprise Assets and CIS Control 2 is Inventory and Control of Software Assets. While on the surface these two seem the most straightforward, asset inventory has remained among the top-ranked critical controls for years due to the reality that it is not always easy yet absolutely critical.

Organizations these days have myriad assets with connectivity to enterprise resources and data and it is only increasing with the push for IoT, BYOD and more connected devices. These devices and assets all pose a risk to the enterprise since attackers can use them to introduce malicious software, exfiltrate sensitive data or introduce a slew of other risks.

CIS Control 2 is undeniably critical in today’s IT enterprise environments. With the push toward software-defined everything, largely driven by the growth of cloud computing, enterprise assets are inevitably becoming intertwined as software.

Assets aside, organizations are consuming large amounts of software, whether from proprietary software vendors and increasingly from open-source software maintainers and creators. This is great in the sense that it is driving a diverse ecosystem of modular and flexible software development, but the major drawback is an ever increasingly complex software supply chain.

As we saw with SolarWinds and now Log4j, both proprietary and open-source software components (and the pipelines they feed through) can introduce tremendous risk to enterprise systems with a cascading effect across the supply chain, and if you don’t have an accurate inventory of software running in your systems, you’re left both blind to the risk you currently face and helpless in terms of prioritizing specific systems for remediation or triage. Efforts such as the software bill of materials (SBOM) are gaining more traction due to this reality. Building on the BOM concept is also the need to have attestations, to verify the quality of a software artifact, independently of the producer of the software, such as proposed by TestifySec.

CIS Control 3: Data Protection 

In the modern security paradigm with a push for data-centric security, being championed by zero trust, it would be hard to not put data protection at the top of the list. There’s no denying that we’re in a digitally driven economy, with all organizations essentially being technology companies, especially if they want to stay relevant. At the center of that shift is the lifeblood of it all, data. It is what helps business value for your organization and it is ultimately what the adversaries are after. This is why it is critical to have a plan to identify, classify, securely handle, retain, and dispose of data, just as the control advocates for. 

CIS Control 6: Access Control Management 

Building on the requirement to protect data is the need to control access to enterprise systems and data. This is where CIS Control 6 – Access Control Management comes into play. With data breaches at record highs, most involve compromised credentials. This is why it is critical to have proper account lifecycle management, access control, least permissive access and shift to a contextually driven zero-trust model for access to enterprise assets and data. This need for access control applies to not just humans as well, including non-person entity (NPEs) such as software, virtual machines and serverless functions that can still have identities and associated permissions. 

CIS Control 8: Audit Log Management 

While the goal of cybersecurity is to prevent bad things from happening, the inevitable reality is that they will still happen. This is where the critical control of Audit Log Management comes into play. This is key to detect, understand and recover from incidents when they occur, and it is closely tied to CIS Control 17, discussed later. Without the ability to understand what occurred, by whom, and involving what assets, your organization is totally in the dark and unable to conduct effective incident response activities. 

CIS Control 14: Security Awareness and Skills Training 

We live in an industry that is overwhelmed with technical buzzwords and jargon. That said, the reality is that tools don’t lead transformations, people do. Ask any security practitioner who has been around awhile and they will tell you just how critical the human factor is in cybersecurity and making security initiatives successful.

A tired trope is that humans are the “weakest link” in cybersecurity, but the truth is humans are the most pivotal link. Leading researchers such as Dr. Margaret Cunningham, Dr. Calvin Nobles and Dr. Nikki Robinson are leading the charge for a shift for human-centric security. This is shifting to the reality that humans are our most critical line of defense. This means empowering people with proper security awareness and skills training, much like CIS Control 14 advocates. Beyond that, it also means avoiding poorly designed systems that put users in compromising and designing human centered technology systems that facilitate secure user behaviors.

CIS Control 17: Incident Response Management 

Much like was mentioned in the Audit Log Management discussion, while preventing incidents is ideal, effectively responding and recovering from them is a must. This is where CIS Control 17 – Incident Response Management comes into play. Organizations must have defined incident response plans, policies and procedures. Moreover, they must not just have these plans, they must facilitate efficiency in executing them through tabletop exercises. This is typically done by working through hypothetical scenarios with defined roles and responsibilities and determining how the organization would respond should something occur.

Taken a step further, organizations can implement methods such as chaos engineering which revolves around intentional fault injection in efforts to lead to more resilient and robust systems. Some fundamental sources to start with on incident response include NIST’s 800-61 r2 Computer Security Incident Handling Guide which lays out fundamental best practices for establishing incident response programs. 

While no security control list is immune to criticism or weaknesses, the reality is that securing complex IT systems is challenging. Without core activities, practices and capabilities, it is nearly impossible. Organizations can gain a lot of ground by focusing on the absolutely critical fundamentals and executing them effectively at scale.