Worms, viruses, phishing, advanced persistent threats (APT), IoT devices, users clicking on bad links, attacks from organized nation states…where do you start to defend?

The Center for Internet Security (CIS) has a great guide for prioritizing your defense-in-depth with best practices – CIS Controls v7. It has twenty security controls broken down into three functional areas: basic, foundational and organizational. These controls are built on five critical tenets for effective cyber defense: prioritization, measures and metrics, continuous diagnostics and mitigation, and automation.

The first 6 CIS Controls are great for the cyber-hygiene of your environment and are meant to give you a strong foundation:

      • Inventory and Control of Hardware Assets
      • Inventory and Control of Software Assets
      • Continuous Vulnerability Management
      • Controlled Use of Administrative Privileges
      • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
      • Maintenance, Monitoring and Analysis of Audit Logs


These controls work together to give you visibility into your cyber environment and potentially prevent up to 85% of attacks.

The next 10 CIS controls are foundational. Once you have a handle on what’s in your environment, you can then graduate to controlling what comes into and goes out of your environment.

      • Email and Web Browser Protections
      • Malware Defenses
      • Limitation and Control of Network Ports, Protocols, and Services
      • Data Recovery Capabilities
      • Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
      • Boundary Defense
      • Data Protection
      • Controlled Access Based on the Need to Know
      • Wireless Access Control
      • Account Monitoring and Control


Effort in this area increases your security posture and reduces the number of places where an attacker can gain a foothold in your environment.

The last 4 CIS controls focus on organizational controls to highlight people and processes.

      • Implement a Security Awareness and Training Program
      • Application Software Security
      • Incident Response and Management
      • Penetration Tests and Red Team Exercises


Again, these controls inform and test your people and processes. An important part of any mature cybersecurity program is the security awareness of your workforce members and the processes of your IT Cybersecurity team. The last control, Penetration Tests and Red Team Exercises, is critical to confirm the quality of the implementation and the efficacy of all recommended controls.


These twenty controls are so critical that we’ve architected our Cybersecurity Governance Program to assess your organization’s existing posture, creating a roadmap for achieving cybersecurity maturity and resilience based on the CIS Controls. Contact us to learn more.