In this episode of the Business of InfoSec Podcast, we talk to Center for Internet Security editorial panel member Rick Doten about the version eight updates to the organization’s CIS Controls
The Center for Internet Security (CIS) is a non-profit organization with a mission to develop and disseminate cyber defense best practices to organizations of all kinds around the world.
Earlier this year, CIS released the latest version of their CIS Controls, a prioritized list of key cybersecurity safeguards designed to mitigate the most pervasive threats to modern network security.
In this week’s episode of the Business of InfoSec Podcast, Centene Corporation VP of Information Security, Carolina Complete Health CISO, and member of the CIS editorial panel Rick Doten outlines the key changes to the CIS Controls in version eight, and why they are relevant today.
Modernizing the CIS Controls
Today’s cybersecurity ecosystem is fast-changing, and the most recent updates are designed to bring the CIS Controls up to date.
Format changes to the controls include organizing them by activities instead of by who manages the devices and making them more task-focused. The number of controls has also been reduced to 18 from 20.
“We had three controls that were outdated: the limitation of ports and protocols, boundary defense, and then the wireless access control,” Doten says. “It was confusing. And so, we got rid of those and we split up the safeguards that were in it into more relevant things.”
One of the most important changes for version eight is a change to the way the controls approach identity and access management.
“Six years ago, when version six came out, most people still had an Exchange server or an email server on-premise. Now, almost nobody has it,” Doten recalls. “And so that really big change is why we wanted to do an overhaul and relate things to [modern network infrastructure].”
The CIS Crowdsourced Model
There were many people and organizations involved in the most recent update to the CIS Controls, but some of the most important feedback comes from the people who use the controls every day.
“One of the things I love about the controls is [that] we have a crowdsourced model,” Doten says.
When downloading the controls from cisecurity.org, users can join the workbench where they can ask questions and provide feedback that may be incorporated into the next version of the controls.
The controls are written in priority order, starting with Control 1, and that is where Doten recommends people get started with the CIS Controls.
“Certainly, start with the implementation group one controls, they are the fundamentals meant for everybody,” Doten says. “Then look ahead to see things that may be aspirational that you can work towards, but don’t try to hit it all at once. It becomes overwhelming.”