Just when you feel you understand the CIS controls, a new version is released. In this case, the new version of CIS controls hopes to improve by separating them into three distinct categories and giving a more concise description for each. This should be good news!
That said, those who have tried to implement control standards, whether within the NIST, ISO, or CIS frameworks, understand the immense challenges. We all understand the need for these processes. However, rolling out these controls requires a very in-depth strategy and an investment of resources, money, and time.
Specific to this latest revision, I can give some background. The Center for Internet Security (CIS) is a forward-thinking non-profit entity formed in the early 2000s with the purpose of sharing information around data protection. CIS provides the 20 most effective steps an organization can take to protect its own data and its customers' data. These cover a range of infosec issues every security leader should know, implement, and monitor.
CIS has hundreds of members with varying degrees of membership, and it cooperates with a variety of organizations at both the national and international levels. Organizations in both the public and private sectors share insight into attacks and attackers. They identify root causes and translate them into classes of defensive action; they document stories of adoption and share tools to solve problems; and they track the evolution of threats, the capabilities of adversaries, and current vectors of intrusion.
Many enterprises across all sectors follow the CIS Controls' recommended actions for cyber defense. The relatively short list of defensive actions is designed to provide a starting point for every enterprise seeking to improve its defense against cyber-attacks. I believe the impact and necessity of this will prove very valuable over time. As the threat landscape keeps evolving, so will we.