Why Implementation Groups Are So Important to CIS Controls v8

Scratch two things off the list!

The Center for Internet Security (CIS) recently dropped the number of Critical Controls from 20 to 18. Some of us still think of them as the SANS Top 20, so that’s kind of a big deal.

There really aren’t fewer things to do, of course. CIS updated the Controls to better address modern technology and to help you prioritize. There’s no magic in the actual number of Controls that you need to implement.

Pay Attention to Implementation Groups

I’ll forgive you if you didn’t notice Implementation Groups (IG) before, but you should definitely know about them now. Here’s a little bit of context:

Introduced back in Version 7.1, the IGs encapsulate recommended guidance that organizations can use to prioritize their implementation of the CIS Controls. They consider an organization’s risk profile and available resources as factors that affect where security teams can direct their focus.

Which brings us to the change made in Version 8. In that iteration, CIS designates the first Implementation Group, IG1, as “basic cyber hygiene.” You can use the 56 Safeguards of IG1 to create a minimum standard of security for your operations.

Note the word minimum in the sentence above. With more resources, you can move on to IG2. That Implementation Group includes all the Safeguards of IG1 along with 74 additional Safeguards for building an even stronger security posture. And for the most comprehensive long-term protection against digital threats, you can embrace IG3 and implement all 153 Safeguards.

Putting This Change into Context

Cybersecurity is an ongoing effort – security teams simply can’t do everything they need to do up front. A better approach is to figure out where you are currently and not get overwhelmed by all that you could do to strengthen your security posture. It’s a point that echoes across all of cybersecurity, and one that CIS is increasingly highlighting now. Organizations need to find out where to start. That’s why you should consider focusing on IG1 first before progressing to IG2 and IG3.

Why is this important? After talking with customers at various companies over the years, I’ve come to see that many organizations don’t always know what to do when it comes to their cybersecurity efforts. Many don’t know where their holes are, and many others don’t have a roadmap to guide where they need to improve. Others know what to do but feel the pressure of trying to figure out which best practices to implement first.

Focusing on IG1 can help you overcome all of those obstacles. There’s something from 15 out of the 18 CIS Controls in IG1. So, if you are looking at IG1, you’re looking at Safeguards from most of the Controls. IG1 can also guide organizations that don’t have a formal security strategy. In this scenario, IG1 becomes the roadmap. You can use it to do what’s missing. If five things are missing, you can do those. And if you have more than that, you can do five and then figure out what you want to do from there.

Guidelines for Individual Success

All that said, it’s important to remember that IGs are just guidelines.

No two cybersecurity professionals will ever agree on what exactly should fall into each Implementation Group. That’s because everyone has a different perception of risk.

Effective cybersecurity isn’t one-size-fits-all; it’s a game of risk management. There’s an increasing need for organizations to do it effectively because they don’t have infinite resources. What are your organization’s priorities? What risks can you accept as you bring other risks to an acceptable level? Those are questions that we need to look at individually and answer for ourselves.

Self-sovereignty doesn’t end there. It’s also important to filter out all the FUD from vendors. It can be easy to let fear drive security priorities or cause a mixture of complacency and paralysis. By filtering out the FUD, you can figure out what solutions you need—whether those are new products, processes, or compensating controls.

Ultimately, it’s up to you to use the IGs to guide what you’re doing. Take what you need and leave the rest.

See how Cisco’s broad security portfolio offers extensive support for CIS Controls and other best practices by visiting our Cybersecurity Framework Guidance page.
