“Critical Security Controls” is another term that’s getting a lot of attention these days – check it out for yourself, with a quick look on Google Trends.
The thinking behind identifying a list of security controls that are the most critical (i.e., that should be given the highest priority) to implement sounds reasonable enough. Given the overabundance of available security technologies from which to choose, the security team in any given organization can find it painfully difficult to sort through all the alternatives, and to select the mix of controls that represents the best fit for their specific context. In his talk at RSA Conference, Tony Sager referred to this embarrassment-of-riches situation as “The Fog of More.”
The basic idea behind the critical security controls movement is for organizations to simplify this complex process – i.e., to cut through “the fog of more” – by using the power of community to identify a small number of security controls that are proven to have a high payoff in terms of preventing known attacks.
In my view, this is all well and good – but only with the understanding that such lists are not a recipe to be strictly followed. What they can be is a quicker path to considering the successful choices that others have made – which organizations can then adapt in the way that works best for their own environment, and for their own appetite for risk.
More importantly, my suggestion would be that organizations should be thinking about an essential set of enterprise capabilities, rather than about a particular set of technical security controls. Why? Because specific security threats, vulnerabilities and exploits will continue to come and go – but having certain foundational capabilities will serve the business again and again over the long term. To me, this was one of the key lessons learned from the Heartbleed Bug.
For example, here are the eight higher-level capabilities that are enabled by the 20 Critical Security Controls (version 5):
- Understand what systems and applications are in your environment (CSC 1, 2).
- Keep your systems, applications and networks securely configured (CSC 3, 10, 11).
- Keep your systems, applications and networks patched and up-to-date (CSC 4, 5, 6).
- Back up and protect your important data (CSC 8, 17).
- Protect your network (CSC 13, 19).
- Manage your users, their accounts and their access to enterprise resources (CSC 7, 12, 15, 16).
- Maintain visibility into what’s happening in your environment (CSC 14, 20).
- Be in a position to respond when something goes wrong (CSC 9, 18).
For a more detailed discussion, see my report called Flash Forward: Putting “Critical Security Controls” in Perspective.