Building a Reasonable Cyber Defense Program
By Sean Atkinson, Chief Information Security Officer (CISO) at the Center for Internet Security® (CIS®)
If you do business in the United States, especially across state lines, you probably know how difficult it is to comply with U.S. state data privacy laws. The federal government and many U.S. state governments require you to implement "reasonable" cybersecurity controls around how you handle data breach notification and the data privacy of your customers. But these mandates don't discuss how you can meet the standard of reasonableness in your cybersecurity efforts. More specifically, they don't identify frameworks to which you can align your controls implementation program.
Such ambiguity around reasonableness in cybersecurity complicates your efforts to create a robust cyber defense program. Lacking clarity on how to proceed, you could inadvertently duplicate effort around your implementation tasks as you try to meet the requirements of different U.S. state data privacy laws. This could waste time, money, and resources — all without necessarily fulfilling the intent of the laws themselves. You therefore might not be able to demonstrate that your cyber defense program meets the standard of reasonableness in the event of a breach, exposing your organization to lawsuits and other damages.
What can you do to navigate this ambiguity?
In this blog post, we'll identify and discuss several policy elements you can incorporate into your cybersecurity program that meet the standard of reasonableness.
The 7 Steps of Your Reasonableness Policy Checklist
Step #1: Understand Your Organization's Mission, Stakeholders, and Obligations
As a dimension of cybersecurity more generally, reasonable cybersecurity varies in its implementation from business to business. What it will look like for you will reflect what makes your organization unique. Don't try to implement reasonable cybersecurity according to what you think it should look like. Instead, spend the time getting clear about your organization's mission, the buy-in of your stakeholders, and your compliance objectives. You can use this perspective to inform how you'll fulfill the steps that follow.
Step #2: Develop and Implement a Cybersecurity Program
This step requires you to implement several other supporting elements, including the following:
- Roles and Responsibilities: Who in your organization will help to manage your reasonable cyber defense program? How will they support this initiative?
- Internal Policies and Enforcement Requirements: Which policies will support your implementation of a reasonable cybersecurity program? To whom will those polices apply? How will you enforce the requirements of those polices?
- Regular Cybersecurity Training and Awareness for Personnel: Do you use one general cybersecurity awareness training program for all your employees? Or do you apply several role-based programs? How often do you conduct training with your workforce?
Step #3: Identify Resources, including Funds, Personnel, Outsourced Roles, and Automated Tools
You need to identify resources that will help you to make the most of your time and effort. This will help you to sustain the momentum of growing your reasonable cyber defense program.
A CIS SecureSuite® Membership can help you at this step and in steps to follow, as shown in the following infographic.
CIS SecureSuite provides you with access to the CIS Build Kits. Available as Group Policy Objects (GPOs) for Windows and bash shell scripts for Linux/Unix, CIS Build Kits enable you to rapidly deploy the secure configuration guidelines of the CIS Benchmarks™. In doing so, CIS Build Kits help you to automate your secure configuration management program, thereby streamlining your system hardening efforts.
Step #4: Follow an Industry-Recognized Cybersecurity Framework or Standard
You need a route for where you want to take your reasonable cyber defense program. You could plan out this route on your own, but you could miss out on important lessons other organizations have learned in the process.
This is why we recommend you follow an industry-recognized cybersecurity framework such as the CIS Critical Security Controls® (CIS Controls®) and CIS Benchmarks. Let's explore each of these sets of security best practices below.
CIS Controls
The CIS Controls are prescriptive, prioritized, and simplified security measures you can implement to strengthen your cybersecurity posture. The Controls consist of 153 individual actions, or CIS Safeguards, that map to HIPAA, NIST CSF 2.0, and other frameworks and regulations.
CIS Benchmarks
The CIS Benchmarks consist of secure recommendations that help you to remove the guesswork out of hardening operating systems, mobile devices, cloud service platforms, and more across 25+ vendor product families. The CIS Benchmarks map back to the Controls, and several other standards including PCI DSS specifically reference the Benchmarks as an effective means for system hardening.
Step #5: Measure Conformity to the Framework and Mitigate Findings to Ensure Your Ongoing Compliance with Its Program
A CIS SecureSuite Membership comes with benefits, tools, and resources designed to help you continuously evaluate your implementation of the Controls and Benchmarks. These tools include CIS CSAT Pro and CIS-CAT® Pro.
CIS CSAT Pro
With CIS CSAT Pro, you can track and prioritize your implementation of the CIS Controls using a simplified scoring method. You can track multiple assessments against the Controls concurrently, and you can access all these assessments using a consolidated home page. CIS CSAT Pro also enables you to assign different roles to members of your team so that you can orchestrate implementation tasks across your organization.
CIS-CAT Pro
With CIS-CAT Pro Assessor, you can run automated scans of your systems' settings against the secure recommendations of the CIS Benchmarks. Assessor will return a report indicating a conformance score of your system to the corresponding CIS Benchmark. This report will also map your systems' results to the CIS Controls, thus helping you to situate the results of your system hardening within the greater context of your cybersecurity program.
Additionally, CIS-CAT Pro includes a Dashboard component you can use to graphically display the impact of your hardening efforts over a recent period of time. You can use this component to communicate the progress of your results with leadership and plan your next hardening tasks.
CIS WorkBench
CIS SecureSuite Members can download CIS CSAT Pro, CIS-CAT Pro, and other Member resources on CIS WorkBench. This centralized platform enables Members to access the tools discussed above, among others. It also helps them to tailor the recommendations of a CIS Benchmark according to their unique needs and export the revised document for their own use. Finally, within the platform itself, Members can connect with and learn from other organizations in Members-only discussion areas.
Now through November 1, save up to 20% on a new CIS SecureSuite Membership with promo code RCD24. Check out our promo page for more details.
Step #6: Conduct Periodic Risk Assessments in Accordance with Methodology Defined in Your Cybersecurity Program and Mitigate Findings
To make the most of these risk assessments, you need to leverage quantitative risk analysis. This methodology provides numerical data that you and your stakeholders can use for more objective decision making around risk prioritization. It's just not always easy to perform assessments using quantitative risk analysis on your own.
Our CIS Risk Assessment Method (RAM) can help. Available for free outside of a CIS SecureSuite Membership, CIS RAM helps all organizations, including CIS SecureSuite Members, align to a standard of reasonableness by assessing their cybersecurity posture against the Controls.
As discussed in A Guide to Defining Reasonable Cybersecurity,” many states have used CIS RAM to define reasonable cybersecurity safeguards in data breach lawsuits. You can take a proactive approach with this method to evaluate the measures you've implemented in defense against a breach.
Step #7: Conduct Periodic Independent Assessments of Your Cybersecurity Program and Mitigate Findings
As the final step, you need to bring the expertise of external parties into your approach to continuously improve your reasonable cyber defense program. You can do this by working with trusted organizations to perform penetration tests, vulnerability assessments, and/or other engagements. These types of services use deliberate testing to reveal gaps in your program you might have missed.
Take the First Step in Building a Reasonable Cyber Defense Program
Unlocking Your Reasonable Cyber Defenses with CIS SecureSuite
The steps discussed above will help you to align your cybersecurity program to the standard of reasonableness. To make the most of these elements, you need to document the steps you take to address, implement, and maintain each of these elements as well as perform those activities on a recurring basis. CIS SecureSuite can help you to simplify this process, providing you with benefits, tools, and resources you need to uphold a reasonable cyber defense program into the future.
Ready to take the first step?
Apply for CIS SecureSuite Membership Today!
About the Author
Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS's enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, Sean served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk, and Compliance (GRC) across the globe.
Prior to GLOBALFOUNDRIES, Sean led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014. His last role and responsibility was as the Internal Control, Risk, and Information Security Manager.
Sean was born in Brooklyn, N.Y. and lived in England for 18 years, graduating Sheffield Hallam University in 2000. Since moving back to the United States, Sean has pursued multiple degrees and certifications in the IT arena.
In addition to his work with CIS, Sean is also an adjunct professor of Computer Science at the College of Saint Rose.