4 Business Goals You Can Achieve While Scaling Cybersecurity

By Sean Atkinson, Chief Information Security Officer at CIS

Recently, I discussed how taking a layered approach to cybersecurity scaling helps your organization in the long term. Doing so enables you to implement complementary security controls that protect what's important to your business. By extension, you can use cybersecurity to support, not hinder, profitable business growth as your priorities evolve, your compliance obligations change, and your digital footprint grows.

But don't take my word for it. In this blog, I'll tell you how organizations use the layered resources in CIS SecureSuite® Membership to achieve four business goals.

Goal #1: Make Life Easier for Your IT and Security Teams

As we all know, your IT and security teams are extremely busy. They're trying to uphold day-to-day security operations while keeping an eye out toward changing regulatory obligations, emerging threats, and other new developments. By gaining access to layered cybersecurity resources that scale, you can help these teams maximize their time and reduce the risk of things like burnout.

A CIS SecureSuite Membership can help in this regard. As an example, one bank downloaded the security recommendations of the CIS Benchmarks™ in machine-readable formats. Here's what they had to say afterwards:

Doing this allowed us to quickly and easily deploy industry-recommended security best practice configurations. Without this resource, the hardening of our devices would have taken a lot longer and required many meetings between IT and security to debate which configuration settings to change and the impact they could have. 

The speed of deploying the CIS Benchmarks enabled the bank to get more granular with their hardening efforts. Specifically, they were able save time and allocate resources to create documentation and define if and where exemptions in their implementation exist. This helped them to develop an even more comprehensive understanding of how their business, industry, and cybersecurity processes relate to one another.

It was a similar story with a state government. The Member made life easier for their IT and security teams by using CIS-CAT® Pro, the pro version of our configuration assessment tool, to evaluate their compliance to the CIS Benchmarks. Doing so helped them simplify their audit preparations and complete their security scans more quickly.

Goal #2: Find and Plug Gaps in Your Customers’ Cybersecurity Maturity

Layered resources aren't just useful for strengthening your own cybersecurity defenses. They're also instrumental to protecting others' systems and data, which is why MSPs, MSSPs, consultants, and product vendors can use these CIS SecureSuite capabilities to identify critical security gaps and support their customers' cybersecurity needs in an ever-evolving threat landscape.

One consulting firm turned to CIS-CAT Pro toward this end:

CIS-CAT Pro is a real solid foundation by which you can go to any customer and tell them, "Look. Here’s what the Center for Internet Security tells us we need to be doing to lock your systems down. You can read what Tony Sager says – Stop chasing shiny objects and get back to the basics.”

Through the use of CIS-CAT Pro, the firm found that it was able to steer some of their customers clear from the newest "shiny object" and to foundational security embodied in the CIS Benchmarks.

Meanwhile, another consultancy concentrated on the Implementation Groups of the CIS Critical Security Controls® (CIS Controls®). They explained that they did so to grow their customers' cybersecurity maturity scores.

We start chipping away highly effectively at the risk and where most of the attacks are coming from...and get them to a point that’s actually safe for them to conduct business in.

In the process, they succeeded in bumping up the maturity scores of many clients from a 0.7 to 2.5 on a 0-5 point scale with minimal investments and significantly improve overall client security posture.

Goal #3: Achieve SOC 2 Compliance

System and Organization Controls (SOC) 2 is a reporting framework that evaluates an organization's information systems according to five principles – security, availability, processing integrity, confidentiality, and privacy. These principles aren't mutually exclusive. A single control can advance two or more of these principles simultaneously.

One CISO took this to heart in preparing their organization for its SOC 2 audit. They began by using the CIS Benchmarks to develop a policy for system hardening and workstation security. At the same time, they leveraged the CIS Controls to develop a path toward growing the organization's maturity. The CISO then drew upon several of the resources available via CIS SecureSuite to optimize the implementation of those security best practices.

Fast forward to audit time. The auditor wanted to understand how the organization was tailoring the CIS Benchmarks in various environments. To  address compliance status with evidence of this process, the CISO provided an assessment report from CIS-CAT Pro to the auditor. This proved instrumental in helping the organization achieve its SOC 1 and SOC 2 certifications and demonstrate a strong security foundation to auditors.

Goal #4: Gain a Competitive Advantage

Finally, the act of implementing layered resources says that you're serious about your organization's cybersecurity posture. You communicate this message not only to partners and internal stakeholders but also to customers and business prospects. As such, you can use the capabilities of CIS SecureSuite to gain a competitive advantage over those who don't take a layered security approach.

management company's CISO realized as much, and like many of the examples discussed above, they used the CIS Benchmarks to harden their technologies. They then went ahead and established a "gold build" that employees could use demonstrating their expertise in cybersecurity.

Internally, Membership resources helped spare engineers from needing to create a gold build manually. But externally, it also helped them win an engagement in which they'd run cybersecurity assessments. A key part of that engagement was the company's use of the pro version of the CIS Controls Self Assessment Tool  (CIS CSAT) to assess the security posture and maturity of their client and identify remediation actions.

The Possibilities Are Endless!

As the examples discussed above demonstrate, there's no limit to the goals your organization can pursue using a CIS SecureSuite Membership as you scale your cybersecurity programs.

Ready to get started?

 


 

Sean Atkinson
Chief Information Security Officer

Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.

Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.

Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certification in the IT arena.

In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.