Using the 18 CIS Critical Security Controls to Drive Cybersecurity Priorities

Dan Gregory
November 2, 2023

“The changing threat landscape…” That phrase gets a lot of mileage in the cybersecurity industry. It is a simple truth that seems to require more and more complicated responses. You can clear the haze and put core security essentials back into focus with the Center for Internet Security (CIS) Critical Security Controls.

There are 18 CIS Critical Security Controls (CIS Controls) that most cybersecurity frameworks, standards, and guidelines use as a base. Understanding these controls and how they connect to your cybersecurity program makes it easier to decode a response to shifts in technology solutions, emerging threats, and your environment.

What are the 18 CIS Controls?

The CIS Critical Security Controls offer a clear, ordered, and straightforward collection of best practices for enhancing your cybersecurity stance. Global cybersecurity professionals utilize and/or aid in shaping the CIS Controls through a collective agreement method.

The guiding purpose of this list of controls is to provide prioritization that helps businesses quickly determine the best path toward building an organization’s defensible cybersecurity position. As the “Rosetta Stone” for other measures and methods, the controls don’t cover every use case, but they help re-center on cybersecurity’s true north priorities.

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

Thinking of all 18 controls as a connected mesh or honeycomb helps visualize the CIS domains. When a domain is weak or lacking in coverage, it creates a gap that weakens the overall structure. The first eight, shown in the lighter blue, are considered foundational and largely determine how well an organization can identify and remediate cybersecurity threats.

Fig01-CIS-Honeycomb.png = numbered hexagon honeycomb of CIS security controls

Mapping security priorities with CIS controls

It’s a straightforward list that covers the essential areas. Ending up in a good, defensible position against current cybersecurity threats means getting each area right before moving on to the next.

Knowing how the controls interconnect makes the process more straightforward: each area can be addressed comprehensively, building the firm foundation needed before moving to the next one.

We group the controls using the same logic needed to be a safe driver. The car needs to be sound, the passengers need to be safe, the driver needs to be aware and alert, the roads need to be in good condition, and other drivers need to be considered.

Ensuring correct management, configuration, and scanning of assets

Fig02-asset-management.png = four numbered hexagons listing asset protection security controls

Protecting data

Fig03-protecting-data.png = four numbered hexagons labeled for data protection CIS critical controls

Developing visibility, awareness, and preparedness across all domains

Fig04-SIEM-testing-controls.png = three numbered hexagons labeled for SIEM and IR security controls

Protecting endpoints and communication channels

Fig05-email-malware-protection.png = three numbered hexagons titled for email malware protection

Guarding and monitoring the network

Fig06-network-monitoring.png = two hexagons labeled for CIS controls for network monitoring

Managing third-party risk

Fig07-third-party-risk-control.png = hexagon graphic numbered 15 for CIS control third-party risk

Securing application development

Fig08-app-sec-control.png = single hexagon numbered 16 and titled application software security

Connecting CIS controls to your security program

Grouping the controls makes it easier to understand the relevant security areas and to prioritize the next steps.

  • Asset management with Controls 1, 2, 4 and 7
    Ensuring that you know your assets and that they are correctly configured and managed is the cornerstone for building an effective program. In the spirit of our driving analogy, this area establishes that the car is roadworthy.

    The primary focus here is software and hardware. While data is a critical asset, we use a different control grouping to address those safeguards. This area dials in on ensuring that software configurations are correct, that endpoints are protected, that you have a current asset inventory, and that continuous vulnerability scanning processes keep asset protection and configuration current.
  • Data protection with Controls 3, 5, 6, and 11
    Once the network assets are protected, you are ready to protect what will travel that network. Data is your environment’s most valuable and vulnerable element and requires protection at all points of the journey.

    Data needs to be identified and classified to protect it at the appropriate level. You need to know where it is, who or what is accessing it, and how to recover it.
  • Network visibility and awareness with Controls 8, 17, and 18
    What you see and hear affects your reactions on the road. The same is true for your network. A security information and event management (SIEM) solution monitors and listens to your network through the data gathered and fed into it.

    A properly optimized and configured SIEM provides continuous real-time diagnostics, detecting anomalies in the patterns of your network and providing prioritized alerts to let you know when an issue needs your attention.
  • Endpoint and communication channel safeguards with Controls 9, 10, and 14
    Managing what gets in and out of your organization through endpoints and communication channels includes managing email and web browser activity and security.

    These essential productivity tools are heavily targeted attack vectors, providing direct conduits to users. Users need training on safe practices and awareness of the risks and tactics used, and both users and systems must be protected from attacks that deliver malicious payloads and malware through emails and online activity.
  • Traffic management with Controls 12 and 13
    Anything moving across the network needs monitoring. Like roadways, networks need moderation of traffic flow and guardrails to prevent negative impacts.

    Maintaining network health and security involves reacting to and remediating traffic jams, infrastructure weaknesses, and incidents.
  • Directing third-party risk with Control 15
    No organization operates in a bubble. Third-party, fourth-party, and partner security practices directly correlate to your organization’s risk. It’s a complex area, and identifying the web of related parties your company engages with requires a multilayered approach.

    Distilled to its most straightforward equation, managing vendor and partner risk involves knowing and managing access between them and your data, users, and systems.
  • Securing application development with Control 16 (optional)
    This control is optional only in the sense that it applies to organizations that develop software-based applications. If your organization develops applications for internal or external use, this control is essential.

    Implementing DevSecOps processes to secure the software development lifecycle is crucial to minimize the risk and impact on your organization from insecure code.

Using CIS security controls to advance your security program

Most regulations and methodologies, including a myriad of separate yet similar frameworks, guidelines, and requirements, branch from these core controls. A solid understanding of the CIS Critical Security Controls translates into better insight into the frameworks and regulations specific to your organization.

Converge uses these controls to help customers understand their environments. We assess each domain and its associated controls, identify strengths and gaps, and then create a heatmap that prioritizes risks, actionable recommendations, and next steps.

If you’d like to develop a cybersecurity roadmap based on an assessment of your organization’s adoption of the CIS Critical Security Controls, contact us today for a free consultation.
