CISOs have an impossible job.
They are faced with securing data across thousands of complex devices and services. They are often brought in after a bad breach and are asked to make sure “it never happens again.” Add to that the complexity of simultaneously meeting ISO 27001, PCI, SOC 2, and FedRAMP compliance standards, and it can quickly lead to a despairing question:
When it comes to developing a roadmap for my company’s security program, where is the best place to start?
I’m a big fan of first principles thinking. In terms of setting up a security program, that means starting with the six “foundational” SANS’ 20 CIS Controls.[1] When these six controls are done well, everything else falls into place. When these controls are glossed over or ignored completely, Buyer Beware.

[1] For a true first-principles approach to security as a discipline, I’d recommend starting with Bruce Schneier’s Beyond Fear, followed by Secrets & Lies.
In fact, let’s go out on a limb here, shall we? Security programs that focus on these six controls will have far better security than programs that are aligned to common security frameworks like NIST or SOC. The reason for this is probably worthy of its own post, but the short explanation for why meeting 6 controls could be better than meeting 600 is that security is a game of completeness, not a game of comprehensiveness. It doesn’t matter if you have ITIL-compliant change management practices if you missed a critical security patch.
This series will pick apart each of the foundational 6 controls in order, sharing two things.
First, I’ll explain the crux of the control. Namely, “what is this control really trying to achieve?” This part is incredibly important, as it will help you transcend the common foibles in security leadership and articulate a clearly defined goal for your security staff.
Second, I’ll include some practical insights learned on the job implementing these controls (or in some cases missing the mark and causing all sorts of wasted time and money), which will hopefully save you from making costly mistakes down the road.
I hope you enjoy this read! Without further ado, Core Control #1.