Progress Report: Critical Security Controls Adoption

Today the SANS Institute released its survey on adoption of the Top 20 Critical Security Controls (CSCs) for Effective Cyber Defense. It’s a worthwhile read for CISOs and security analysts charged with overseeing security and risk management. The survey documents adoption highlights and hurdles, primarily experienced by financial services and government organizations. Three sets of findings underscore the importance of “horizontal” elements that act across infrastructure and organizational silos. First, the top measured benefits all pay off the most when systems and data are unified:

  • 24% cite clearer visibility as their top improvement
  • 16% cite improvements to overall risk posture, vulnerability reduction, and compliance improvements
  • 11% cite detecting advanced attacks as an area of improvement

Secondly, the issues that are holding people back the most are often best addressed by integration and automation across controls:

[Graph 1]

Finally, the survey also examined the steps organizations had taken to adopt the controls, and I was struck in particular by the top technologies that were added. SIEM, vulnerability management, and threat intelligence are all capabilities that concentrate insights to make decision-making easier. The latest incarnations of these capabilities substantially advance an organization’s ability to automate decisions with confidence. [Read my Black Hat blog for more on this topic.]

[Graph 2]

This emphasis on horizontal integration across point defenses is a great sign of the maturation of risk management. It matches our discussions with customers who have indicated that the more optimized and integrated a security architecture is – an approach we call Security Connected – the less organizations spend on security operations while still achieving a better risk posture.

A final comment: I’m pleased to point out that McAfee, now part of McAfee, contributes its expertise to support development and maintenance of the CSCs as an industry framework. As the 2014 SANS Critical Security Controls poster shows, we also offer the broadest available product support for the controls directly, and we team with partners to provide complete coverage. Download your copy of the survey, our CSC white paper, and more at mcafee.com/securityconnected.

[Graph 3]
