In a survey of CIOs, system administrators, and compliance auditors, SANS Institute found that the awareness of the Critical Security Controls is very high, and many organizations are actively implementing all or parts of the controls. In fact, only 12 percent of the respondents said they hadn’t heard of the Critical Security Controls before, according to the survey, which was jointly commissioned by Tenable Security, IBM, Symantec, and FireEye.
About 73 percent were already planning to adopt some of the controls within their organizations, and only 10 percent believe they are done with the process. About 54 percent of the respondents said they have some form of implementation roadmap in place, the survey found.
The Critical Security Controls from SANS Institute are 20 controls covering a range of activities, such as maintaining an inventory of network assets, regularly penetration testing all systems, and tracking changes to configurations. They are effective because they begin with very basic audits that, taken together, dramatically increase real visibility into risk so it can be mitigated, Ron Gula, CEO of Tenable Security, wrote in a company blog post announcing the survey results.
The controls are not intended to be a one-size-fits-all prescription for everyone. About 80 percent of the survey respondents said they are focusing on implementing the controls that make the most sense for their organization and their environment.
The primary drivers for adoption were reducing incidents resulting from advanced threats and improving enterprise visibility, the survey found. About 80 percent believed adopting the controls would help them manage vulnerabilities and improve their risk posture.
In fact, 80 percent of the respondents who have implemented the Controls believe they have reduced risk. Nearly half, or 47 percent, of the participants are reassessing or replacing older technologies, while 43 percent have identified gaps and are purchasing the appropriate technology to fill those holes, the survey found.
Senior management buy-in was also high, with about 55 percent of respondents saying they have CIO awareness and support and 32 percent saying they have support from the CEO and COO levels.
This survey finding matches what John Pescatore, a director at SANS Institute, told attendees at the Gartner Security & Risk Management Summit in Washington, DC earlier this month. He said CISOs are the most aware of the critical controls, followed by security and IT administrators. Business groups are generally not aware of the controls, and neither are privacy officers and compliance auditors.
“More people need to know” about the controls, Pescatore said. Operational silos between IT, security and other business departments pose some impediments to implementing “repeatable processes,” the survey found. A little over half, or 52 percent, of the respondents said they are conducting outreach to other business groups to integrate the Controls into existing IT and security processes.
Organizations are increasingly deploying the Critical Security Controls and finding immediate benefits, Pescatore said at the Gartner summit. The recent Verizon Data Breach Investigations Report (DBIR) found that 97 percent of breaches could have been avoided by basic measures such as changing default and weak passwords, and that many organizations grant administrator privileges to end users and run outdated software.
If organizations implemented even the first four or five of the 20 controls, they would see an improvement in their security posture, said Wolfgang Kandek, CTO of Qualys and moderator of the panel. For example, the Department of Industry, Innovation, Science, Research and Tertiary Education, an agency with 5,000 seats, embarked on a six-month project after a data breach to implement some of the controls. It was able to get all of its systems patched within two weeks and rolled out whitelisting for all users, Kandek told attendees.
Pescatore described how a health care organization was recently fined $400,000 for exposing patient healthcare information. The breach occurred because someone had changed the firewall configurations and no one had noticed the impact, Pescatore said. The incident corresponded to three of the controls on the list, and if the organization had implemented any one, the costs would have dropped by 20 percent. And implementing all three would have seen costs drop by 50 percent.
In real-world terms, the organization would have saved $1 million over two years, Pescatore said.
While Gula initially thought the industry did not need another framework or standard when SANS Institute first released the Consensus Audit Guidelines (the original name of the Critical Security Controls), he now believes the controls are effective and help organizations improve their security posture, Gula wrote in the blog post.