Cyverity

What’s New with the CIS Controls v8: Key Takeaways for Cybersecurity Professionals


Speaker: Russell Eubanks

Event: RSA Conference

Date: July 20, 2021 

YouTube Link: https://www.youtube.com/watch?v=H0dUMzIpz6E 

As cybersecurity threats continue to evolve, so must the frameworks and controls designed to defend against them. In a recent webcast titled “What’s New with the CIS Controls v8”, Russell Eubanks and Randy Marchany shared insights into the latest updates to the CIS Controls. Designed to simplify and strengthen cybersecurity practices, these updates address the changing technological landscape and the evolving needs of security teams. 

Whether you’re familiar with the Critical Security Controls (CSCs) or exploring them for the first time, this blog post highlights key takeaways and actionable advice to help you implement CIS Controls v8 effectively. 

 

Introduction to the CIS Controls 

The CIS Controls have been a cornerstone of cybersecurity best practices since 2008. Unlike general lists of good practices, the CIS Controls offer a prioritized roadmap, derived from observed attacks, that maps each action to a reduction in real-world risk rather than to a checkbox. Version 8 reflects technological advancements, particularly in cloud computing and data protection, while aligning with compliance frameworks such as NIST and ISO. 

Key changes in version 8 include: 

  • Reducing the number of controls from 20 to 18. 
  • Introducing a new control, Service Provider Management (Control 15), covering cloud and other third-party service providers. 
  • Reorganizing the first three controls around inventory: enterprise (hardware) assets, software assets, and the data itself. 

Here’s what cybersecurity professionals need to know to leverage these updates effectively. 

 

Key Takeaways and Practical Advice

1. Focus on Prioritized Actions for Quick Wins

One of the strengths of the CIS Controls is their emphasis on prioritization. As Russell Eubanks put it, “We don’t just want to stay busy—we want measurable, impactful actions.” Version 8 continues this focus by: 

  • Mapping actions to measurable outcomes: Each control is broken into Safeguards that are written to be measurable, so progress can be demonstrated rather than asserted. 
  • Interfering with attackers’ objectives: The controls aim to disrupt attackers at three stages: getting in, staying in, and causing damage. 

Actionable Tip: Start by identifying your organization’s critical assets and focusing on high-priority controls that protect these areas. 

 

2. Enhanced Alignment with Compliance Frameworks

Version 8 strengthens its mapping to global standards like NIST 800-53, ISO 27002, and GDPR. This ensures that implementing the CIS Controls can simultaneously help meet regulatory and compliance requirements. 

Actionable Tip: Use mapping tools like those available on AuditScripts.com to align your controls with multiple frameworks, creating efficiencies and “double wins” for your organization. 

 

3. New Cloud-Specific Control

With the rapid adoption of cloud technologies, the new CIS Control 15 (“Service Provider Management”) addresses the challenge of securing data and platforms you do not operate yourself. Although the webcast framed it as the “cloud” control, it applies to any service provider that holds sensitive data or runs critical functions for you, cloud or otherwise. This control emphasizes: 

  • Understanding and managing third-party cloud services. 
  • Aligning cloud configurations with organizational security policies. 

Actionable Tip: Leverage the newly developed Cloud Companion Guide for practical steps in securing cloud services. 

 

4. Restructuring of Core Inventory Controls

The first three controls now fall under a unified “inventory” category: 

  1. Inventory and Control of Enterprise Assets (hardware) 
  2. Inventory and Control of Software Assets 
  3. Data Protection 

By elevating data protection, CIS highlights the criticality of safeguarding sensitive information, aligning with the rise in privacy laws and data breach notification requirements. 

Actionable Tip: Ensure your organization maintains accurate hardware, software, and sensitive data inventories, and reconciles them regularly against what is actually observed on the network. This foundational step simplifies subsequent controls such as vulnerability management and malware defenses: you cannot patch or protect an asset you do not know about. 
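As an added illustration of the inventory control (this is example code written for this post, not material from the webcast or from CIS), the script below reconciles a constructed “authorized” asset list against constructed discovery data such as DHCP leases or an active scan. It reports assets seen but not authorized, authorized assets not seen, and authorized assets whose address has drifted, and it produces a coverage figure that can be tracked from one assessment to the next, which ties the inventory control back to the metrics theme. All asset names, MACs and addresses are made up.

```python
"""Reconcile an authorized asset inventory against observed assets.

Example code added for this post (not the webcast's or CIS's own). The
authorized list and the observed list are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    hostname: str
    owner: str = ""


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample inventory: what the organization believes it owns.
AUTHORIZED = [
    Asset("00:11:22:33:44:01", "10.0.1.10", "web01", "platform"),
    Asset("00-11-22-33-44-02", "10.0.1.11", "db01", "platform"),
    Asset("00:11:22:33:44:03", "10.0.2.20", "hr-laptop-7", "hr"),
    Asset("00:11:22:33:44:04", "10.0.2.21", "fin-laptop-2", "finance"),
]

# Constructed discovery data as (mac, ip, hostname), e.g. from DHCP leases.
OBSERVED = [
    ("00:11:22:33:44:01", "10.0.1.10", "web01"),
    ("00:11:22:33:44:02", "10.0.1.12", "db01"),        # IP changed
    ("00:11:22:33:44:03", "10.0.2.20", "hr-laptop-7"),
    ("de:ad:be:ef:00:01", "10.0.2.99", ""),            # not in inventory
]


def reconcile(authorized, observed):
    """Compare inventory with observation and return the discrepancies.

    Returns a dict with:
      unauthorized: MACs seen on the network but absent from the inventory
      missing:      inventoried MACs that were not observed at all
      drifted:      (mac, inventoried_ip, observed_ip) where the IP changed
      coverage:     fraction of inventoried assets that were observed
    """
    auth_by_mac = {normalize_mac(a.mac): a for a in authorized}
    seen_by_mac = {normalize_mac(mac): (ip, host) for mac, ip, host in observed}

    unauthorized = sorted(set(seen_by_mac) - set(auth_by_mac))
    missing = sorted(set(auth_by_mac) - set(seen_by_mac))
    drifted = [
        (mac, auth_by_mac[mac].ip, seen_by_mac[mac][0])
        for mac in sorted(set(auth_by_mac) & set(seen_by_mac))
        if auth_by_mac[mac].ip != seen_by_mac[mac][0]
    ]
    matched = len(set(auth_by_mac) & set(seen_by_mac))
    coverage = matched / len(auth_by_mac) if auth_by_mac else 0.0

    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "drifted": drifted,
        "coverage": coverage,
    }


if __name__ == "__main__":
    result = reconcile(AUTHORIZED, OBSERVED)
    for key in ("unauthorized", "missing", "drifted"):
        print(f"{key}: {result[key]}")
    print(f"inventory coverage: {result['coverage']:.0%}")
```

In practice the two input lists would come from your CMDB and from a scanner or DHCP export; the point of the example is the reconciliation step, which is what turns a static list into a control. Each unauthorized asset needs a disposition (remove, quarantine, or add to inventory), and the coverage percentage is the kind of measurable figure the metrics section below asks for.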

 

5. Implementation Groups Tailored to Resources and Risk Profile

Version 8 retains the three-tiered Implementation Group (IG) framework introduced in v7.1. The groups are cumulative, so IG2 includes everything in IG1 and IG3 includes everything in IG2: 

  • IG1: Small organizations with limited resources and security expertise; the baseline set of essential cyber hygiene. 
  • IG2: Organizations with moderate resources and dedicated IT staff, handling more sensitive data. 
  • IG3: Large organizations with mature security programs and security specialists on staff. 

Actionable Tip: Identify your organization’s IG level and focus on implementing controls appropriate to your resource capacity and risk profile.

 

6. Metrics and Continuous Improvement

Metrics are at the heart of CIS Controls v8. By measuring your current state and tracking progress, you can demonstrate improvement to leadership and secure ongoing support for your initiatives. 

Actionable Tip: Develop a “current state vs. future state” assessment to visualize your progress. Use metrics to communicate effectively with executives and board members. 

 

7. Practical Implementation Steps

Here are several practical tips for getting started with CIS Controls v8: 

  • Take time to digest the changes: Review the updated controls and supporting resources. 
  • Start small: Focus on two to three controls at a time to build momentum. 
  • Find a champion: Engage an executive sponsor to advocate for your efforts. 
  • Leverage existing tools: Audit your current technologies to identify untapped capabilities that align with the controls. 
  • Engage cross-functional teams: Involve IT, application owners, and security awareness officers in the implementation process. 

 

Closing Thoughts 

The release of CIS Controls v8 marks an essential milestone in cybersecurity best practices. By emphasizing prioritization, alignment, and practical implementation, version 8 empowers organizations to strengthen their security postures efficiently and effectively. 

To learn more, watch the entire webcast, “What’s New with the CIS Controls v8”. Additional resources, including mapping tools and companion guides, are available on the CIS website. 

Your Next Steps: 

  1. Review the CIS Controls v8 documentation. 
  2. Identify your organization’s implementation group. 
  3. Develop a roadmap for adopting the controls. 
  4. Leverage resources like AuditScripts.com to map your efforts to compliance frameworks. 

By taking these steps, you can create a repeatable, measurable process for improving your cybersecurity program—and make a meaningful impact on your organization’s security resilience.