Building a cybersecurity program with the NIST Cybersecurity Framework and CIS 20 Critical Security Controls.
Mar 29, 2019

Many organizations lack a cybersecurity framework or standards to follow. Their security strategies are often outdated, if they have a strategy at all. They also struggle with due diligence programs for third-party vendors. One of the most common vulnerabilities Olsen sees is a lack of multifactor authentication.

The core functions of the framework are meant to help organizations identify risk, protect critical services, detect cybersecurity events, respond to cybersecurity incidents, and recover from these incidents.

The first six CIS Controls are 1) inventory and control of hardware assets; 2) inventory and control of software assets; 3) continuous vulnerability management; 4) controlled use of administrative privileges; 5) secure configuration for hardware and software on mobile devices, laptops, workstations, and servers; 6) maintenance, monitoring, and analysis of audit logs.

These are followed by ten foundational controls, which include technical defenses such as email and web browser protections, malware defenses, and various types of configurations and access control settings.

Finally, the four organizational CIS controls include security awareness training, application software security, incident response and management, and penetration testing/red teaming.

Olsen noted that, after the first six, the guidelines aren’t necessarily organized in order of importance. Human training, for example, is very important, despite its placement at #17 on the list of controls.

A lack of security expertise among IT personnel is one of the major weaknesses facing organizations. IT employees can be extremely skilled in certain areas, but this can create blind spots within organizations that assume these employees are knowledgeable in security as well.

Internal audits can also be a weakness if they aren’t rigorous enough to highlight the vulnerabilities that an attacker would be able to spot.