Progress Report: Critical Security Controls Adoption

By on

This blog was written by Barbara Kay.

Today the SANS Institute released its survey on adoption of the Top 20 Critical Security Controls (CSCs) for Effective Cyber Defense. It’s a worthwhile read for CISOs and security analysts charged with overseeing security and risk management. The survey documents adoption highlights and hurdles, primarily experienced by financial services and government organizations. Three sets of findings underscore the importance of “horizontal” elements that act across infrastructure and organizational silos. First, the top measured benefits all pay off the most when systems and data are unified:

  • 24% cite clearer visibility as their top improvement
  • 16% cite improvements to overall risk posture, vulnerability reduction, and compliance improvements
  • 11% cite detecting advanced attacks as an area of improvement

Secondly, the issues that are holding people back the most are often best addressed by integration and automation across controls: Graph1             Finally, the survey also examined the steps organizations had taken to adopt the controls, and I was struck in particular by the top technologies that were added. SIEM, vulnerability management, and threat intelligence are all capabilities that concentrate insights to make decision-making easier. The latest incarnations of these capabilities substantially advance an organization’s ability to automate decisions with confidence. [Read my Black Hat blog for more on this topic.] Graph2             This emphasis on horizontal integration across point defenses is a great sign of the maturation of risk management. It matches our discussions with customers who have indicated that the more optimized and integrated a security architecture is – an approach we call Security Connected – the less organizations spend on security operations while still achieving a better risk posture. A final comment: I’m pleased to point out that McAfee, now part of McAfee, contributes its expertise to support development and maintenance of the CSCs as an industry framework. As the 2014 SANS Critical Security Controls poster shows, we also offer the broadest available product support for the controls directly, and we team with partners to provide complete coverage. Download your copy of the survey, our CSC white paper, and more at Graph3

Leave a Comment

Similar articles

This blog was written by Peter Elliman. I’m proud to say that McAfee has received recognition from our customers with the 2018 Gartner Peer Insights Customers’ Choice for the Security Information and Event Management (SIEM). This is a recognition of high satisfaction from a number of reviews by verified end-user professionals. To ensure fair evaluation, ...
Read Blog
In security operations, we frequently talk about the difficulties in separating the signal from the noise to detect legitimate threats and disregard false alarms. Data overload is a common problem and triage becomes a critical skill to hone and develop. As the chief information security officer (CISO) for McAfee, I am aware at multiple levels ...
Read Blog