Image of lock with circuit traces

Breaking through the noise: The 20 Controls.

It seems that every professional association, organization, or group has its own definition of CyberSecurity and a corresponding checklist to implement foolproof IT security. If it were really that easy, we assert that Target, JP Morgan, CIA, DOE, DOJ, and nearly every major retailer would likely have gone through “the checklist”. They wouldn’t have suffered the public embarrassment and major financial losses associated with a substantial breach. What doesn’t make the news cycle are the tens of thousands of small businesses which are hit, often with more devastating results. These stories are the ones we’re going to focus on in this blog. Not to victim shame or further bolster fear, but rather to shed light on what did and didn’t work from a cybersecurity perspective. Operating under the theory that an informed defense often gathers substantial insight from a robust offense, we’re going to take a hard look at the CIS 20 Critical Security Controls and how they apply to small-to-midmarket organizations. More importantly, we’re going to see where they fall short and what can be done to most cost-effectively safeguard your critical information and computer systems.

First up, the 20 CSC. 

The 20 Critical Security Controls, 20CSC, were originally developed through the SANS Institute by a collaboration drawing on experience from academia, education, industry, government, and law enforcement. Using the gold standard of technical standards, the NIST SP800-5x series, SANS combined government-derived information security guidance with real-life attacks on businesses of all sizes to inform appropriate defense. This effort by SANS formed the original list of 10, then 20, security controls. Over the years this list has evolved. A lot. Today, the depth and complexity of attacks are such that the 20CSC have been broken down into much smaller, easier-to-implement sub-controls so that organizations can more effectively address their specific cybersecurity risks.

The 20 CSC are founded around several core principles:

1.) The controls must address current attacks, emerging technologies, and the changing mission & business requirements for IT.

2.) Focus must be given to key topics within, and highly impactful throughout, the life-cycle of information protection.

3.) The controls must easily align to other related frameworks, such as that provided by NIST.

4.) Each sub-control is a single implementable action or activity. One and only one per sub-control.

5.) The controls must, and will, grow and change rapidly with the security ecosystem.

6.) The controls must be relevant and adapt to organizations of various sizes and configurations.

7.) The controls are directly influenced by real-life attacks experienced by a global volunteer working group.


The 20CSC are more relevant today than ever before. Every organization, large or small, must combat the ever-present onslaught of attacks against their valuable information and technology assets. The nature of a threat has changed and evolved over the years. As an (admittedly overused) example, banks used to fear armed robbery as a major source of financial loss. Today, the FBI reports that the arrest rate for bank robbery is second only to that for murder. Banks adapted to the threats against their business assets with some incredible security measures, like specialized architecture, motion-sensing and high-resolution color security cameras, time-locked heavy vault doors, silent alarms, exploding dye packs, bait money, GPS tracking devices, armed and unarmed security guards, and complex biometric time-based interdependent locking systems which make non-violent methods of gaining access into vaults, even by the most experienced safe hackers and code crackers, nearly impossible. The point is that they adapted their business and the defense thereof to the threat. Today, the tactics used by the Dillinger Gang, the Barrow Gang, the Barker–Karpis Gang, or other infamous bank robbers like Pretty Boy Floyd or Machine Gun Kelly would be almost entirely useless in a modern bank. This is where the 20 CSC intend to lead us – the modern equivalent of “Deterring & Responding to Robbery”. Seriously, this was a real thing: Troy Evans, a convicted serial bank robber, published it in 2009. Using the experiences of the attackers and those attacked to gain insight on appropriate defense is where the 20 critical controls intend to lead us. What’s the first step? To understand the framework of the controls and then what each intends to defend | protect | safeguard | detect.

The Framework

We’ll conclude this blog with an overview of the three principal control categories: Basic, Foundational, and Organizational.

We must first understand what each of these categories intends to define:

Basic (CIS Controls 1-6): These controls provide essential – fundamental – cyber defense and should be implemented in every organization.

Foundational (CIS Controls 7-16): These controls provide the technical best practices which provide clear (read that demonstrable) security benefits.

Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on the people and processes involved in cybersecurity. These are applicable from the smallest to the largest organization. What changes? The scope, scale, and size of what defines “meaningful” adoption.

The critical controls are only as good as the thoroughness of their adoption. We refer to this as “meaningful” adoption. An organization can say they practice CSC1 – an inventory of hardware assets – by simply having an asset tag created for each device. Is that a meaningful adoption of the first critical control? Likely not. Often such practices will “keep the honest people honest” but are wholly ineffective against any others.
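To make the difference between nominal and meaningful adoption of CSC1 concrete, here is an added example (not from the original post) that reconciles an authorized hardware inventory against devices actually observed on the network, which is what a detection-oriented inventory does that an asset-tag register alone cannot. The inventory records and the DHCP-style lease lines are constructed sample data.

```python
"""Reconcile an authorized hardware inventory against observed devices (added example)."""
import re
from dataclasses import dataclass

# Constructed sample inventory: the kind of register an asset-tag program produces.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"tag": "CIT-0001", "owner": "finance", "host": "fin-ws01"},
    "aa:bb:cc:00:00:02": {"tag": "CIT-0002", "owner": "ops", "host": "ops-ws07"},
    "aa:bb:cc:00:00:03": {"tag": "CIT-0003", "owner": "sales", "host": "sales-lt03"},
}

# Constructed DHCP-style lease lines used as the discovery source.
LEASE_LOG = """\
DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:01 (fin-ws01) via eth0
DHCPACK on 10.0.1.22 to aa:bb:cc:00:00:02 (ops-ws07) via eth0
DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (android-9f3c) via eth0
"""

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) \((\S+)\)")


@dataclass(frozen=True)
class Observed:
    ip: str
    mac: str
    host: str


def parse_leases(log: str) -> list[Observed]:
    """Extract (ip, mac, hostname) from each DHCPACK line; ignore anything else."""
    out = []
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            out.append(Observed(*m.groups()))
    return out


def reconcile(authorized: dict, observed: list[Observed]) -> dict:
    """Flag devices on the wire that are not in the register (unauthorized)
    and register entries never seen on the wire (possibly stale or missing)."""
    seen_macs = {o.mac for o in observed}
    unauthorized = [o for o in observed if o.mac not in authorized]
    unseen = {mac: rec for mac, rec in authorized.items() if mac not in seen_macs}
    return {"unauthorized": unauthorized, "unseen": unseen}
```

Run on a real lease or ARP feed, the two lists are the review queue: unauthorized devices get investigated or blocked, and unseen entries get verified against the physical asset tag.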

Next up: Control 1

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

Contact us to learn more and let us show you how good I.T. can be!
