Telenet and the CIS Controls
Telenet Uses the CIS Controls Version 6.0 to Build a Security Compliance Road Map
Telenet, the largest telecommunications company in Belgium, adopted the CIS Controls to build a road map to align with its ISO-27000 compliance program. Its business includes providing analog and digital cable television, along with fixed and mobile telephone services, primarily to residential customers. Telenet also offers services to business customers.
Telenet relies on the CIS Controls as a bridge to prioritize the ISO framework. Christophe Demoor, CISM, learned of the CIS Controls from a peer. Mr. Demoor stated: “I’m a huge fan of the CIS Controls.” He added: “The people in Europe aren’t that familiar with the CIS Controls framework.” He quickly realized that the CIS Controls could be used to build a road map to support Telenet’s ISO program.
Gap Analysis
“I’m a huge fan of the CIS Controls. … CIS Controls provide a strong story and framework.”
– Christophe Demoor
CISM, Telenet
Approximately two years ago, Telenet recognized the need for a security road map and selected the CIS Controls. Mr. Demoor said they needed a framework to help them prioritize the “very technical” and extensive ISO requirements. He appreciated the CIS Controls because “security experts already did the prioritizing for me.” The initiative began with an internal assessment to determine their current state and identify gaps. Since some departments in the organization were using the NIST Cybersecurity Framework, they categorized their initiatives into the CSF core functions of identify, protect, detect, respond, and recover. Outside consultants were on-site for five days to assess Telenet using the Controls as a baseline. They created a spider chart showing the organization’s status against each control, which will assist in determining the necessary steps for a multi-year implementation road map.
A Great Story for Budget Justification
Mr. Demoor went on to share that, like many organizations, most of Telenet’s business units were facing budget cuts. Each manager was required to present a justification for their projects to leadership. Although all departments had their budgets cut, the cut in Mr. Demoor’s department was less severe. “The CIS Controls provide a strong story and a framework which are complementary to the ISO standards for the need to mitigate security,” he said. With this information, there was little resistance from the IT team, managers, and CIO, which allowed for a budget and a shift in priorities so that work on the first five controls could begin right away. Telenet is interested in how it stands today and in the future. They plan to conduct another audit to measure the progress of CIS Controls adoption and ensure tools are not missing. Their goal is to have the first 10 CIS Controls in place within a two- to three-year window, and 90 percent of the Controls in place by 2018. Along with this initiative, they also plan to implement automated controls processes.
Mr. Demoor also indicated that governance would be more specific for metrics and new projects. For example, in lieu of yes/no questions, the governance will look for requirements, design, and implementation with checks and balances to make sure everyone is going in the right direction. He gave assurances that governance would not be weighed down with difficult-to-answer questions.
Mr. Demoor stated that “CIS Controls are predominantly used by U.S. companies,” and he hopes that more European companies will develop an awareness of the CIS Controls. It is nice to hear from our European community that the CIS Controls are providing practical and effective solutions for cyber defense that include specific and actionable methods to stymie the most pervasive attacks.
About Christophe Demoor
Christophe Demoor has been with Telenet for two years and holds multiple certifications, with more than 15 years in information technology. Mr. Demoor received his degree from Hogeschool Gent.