Before chewing through Compliance, nibble the Critical Security Controls

Opinion by Mark Kedgley

Unlike compliance mandates, the Center for Internet Security's Critical Security Controls let you see where the holes in your current security armoury are before you engage external expertise, says Mark Kedgley


Have you heard of the CIS Critical Security Controls? Even though they're not part of any specified GRC (Governance, Risk Management, Compliance) mandate, they could actually be used as the foundation for them all. A light, straightforward hors d'oeuvre before you take on the mega-calorific, piled-high, full-fat platters of the multi-course feast that is a full Compliance standard.

Put simply, Compliance is about ensuring your organisation operates its IT systems in a way that minimises their exposure to cyber-attack. In the unfortunate event that a breach does succeed, Compliance also requires you to show that you can quickly detect the intrusion and respond properly.

How you achieve this can be complicated. Since every company is different, with varying levels of risk, security measures are also naturally distinct for everyone.

GRC standards - plenty to get your teeth into

One of the key faults with our compliance mandates (think PCI DSS, NERC CIP, NIST 800-53, even GDPR) is that they are documented as 'one size fits all'. A single version of the requirements, written in abstract terms, ends up difficult to read, leaving us to interpret hundreds of pages for ourselves.

As an example, one of the better-written documents is NIST 800-53. Yet it describes itself as:

"A catalogue of security and privacy controls for federal information systems and organisations and a process for selecting controls to protect organisational operations (including mission, functions, image, and reputation), organisational assets, individuals, other organisations, and the Nation from a diverse set of threats including hostile cyber-attacks, natural disasters, structural failures, and human errors."

That single sentence runs to over 50 words. Most studies on readability put the recommended limit at 20 to 25 words: "when average sentence length is 14 words, readers understand over 90 percent of what they're reading. At 43 words, comprehension drops to less than 10 percent". The more complex the subject matter, the worse this becomes.

The result? A typical compliance standard is a heavy, blunt instrument for tackling cybersecurity. Not because the guidance is poor, but because articulating it for the masses is so difficult to accomplish.

A healthy alternative? The CIS Critical Security Controls

By contrast, the Center for Internet Security's Critical Security Controls:

1. Explain what the security threats are and how to counteract them

2. Prescribe the 20 most essential security best practices

3. Specify technological solutions to use where needed

4. Are concise and clear (just 96 pages)

A good grounding in cyber-security controls has other benefits too, for example reducing dependency on external auditor resources. An experienced auditor will be invaluable when conducting a gap analysis and formal audit. But consulting an auditor on a day rate to assess your adoption of fundamental security controls is like paying a Michelin-starred chef to boil an egg for you. By working through the CIS CSCs and evaluating your own adoption of them, you can see where the holes in your current security armoury are before you engage external expertise.

A menu to please all

In fact, the beauty of the CIS Critical Security Controls is that, while they are not designed to be part of any particular compliance mandate, they map well onto all of them.

Being such fundamental security controls means they are universally useful components of any organisation's cyber-security programme. Even if you are not currently required to prove compliance with any formal GRC guideline, and are simply concerned with defending against ransomware and phishing, the CIS CSCs are for you. (In practice this is now a non-argument: laws protecting personally identifiable information, such as the GDPR, mean that everyone must implement cyber-security measures.)


The CIS Critical Security Controls are not an alternative to meeting your Compliance responsibilities, but they most definitely provide more pragmatic guidance than any long-winded GRC publication. They deliver the universal, lowest common denominator of security controls, suitable for any IT department seeking to improve its cyber-security foundation. By adopting the CIS CSCs you will also find the push to meet any formal compliance requirement a significantly easier goal.

As an initiative that helps simplify the understanding of cyber-security controls, the CIS CSCs should be welcomed by all IT professionals as accepted know-how. Maybe then Compliance won't be such an indigestible prospect?

Contributed by Mark Kedgley, chief technical officer at New Net Technologies (NNT) 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.
