What is a reasonable amount of security? Is it good enough? These are the questions businesses have to ask themselves. There is so much news about organizations being breached that most SMBs and enterprises know that they need cyber security. But knowing what to secure, and how, can be difficult to answer.
Government and industry regulations are constantly changing. Add to this the fact that many employees are now working from home, which has also changed the attack surface. Attackers have adapted and, in some cases, are changing how they carry out attacks. Now businesses have to change how they protect their data.
The difficulty comes in trying to define what “reasonable” security is. Rick Lazio, former Congressman and RGCybersecurity & alliantgroup SVP, and Mike Davis, RGCybersecurity & alliantgroup CISO, write about taking the approach of first defining what a lack of reasonable security would be and going from there. They suggest using the Center for Internet Security, Inc. (CIS) Critical Security Controls (CSC) list of 20 controls and trying to map their definition of reasonable security to those controls.
The benefit of using the CIS CSC is that it is both a recognized authoritative source for mapping your security environment and quantifying risks, and a recognized methodology and approach for demonstrating a reasonable and defensible security posture. Using the CSC will also help you determine which framework best suits your needs. The two frameworks that Lazio and Davis recommend are the National Institute of Standards and Technology (NIST) Risk Management Framework and NIST’s Cyber Security Framework.
Now that you have read through the various cyber security controls and frameworks, are you ready to address the gaps that may be keeping you from achieving reasonable security? If the process seems daunting, remember you don’t have to do it all alone. Uzado has been helping SMBs and large enterprises reduce their cyber risk by ensuring they follow the appropriate cyber security frameworks and controls. Uzado can help you demystify the process of obtaining reasonable security for your business too.