Practical Cybersecurity for Merchants: CIS Controls

Host Jen Stone talks with Curt Dukes from the Center for Internet Security (CIS) to discuss how businesses can implement good enough security without unlimited resources.

In this episode of Practical Cybersecurity, host Jen Stone talks with Curt Dukes, EVP and GM of Security Best Practices at the Center for Internet Security (CIS). Drawing on his 30-year career at the NSA, Dukes breaks down how small and medium businesses (SMBs) can implement "good enough" security without unlimited resources. The conversation focuses on Implementation Group 1 (IG1)—a prioritized set of safeguards that provide essential "cyber hygiene". Dukes introduces free resources like the CSAT (Controls Self-Assessment Tool) and CIS Workbench to help leaders move past the intimidation of technical jargon and establish a "standard of reasonableness" for their organization's defense.

CIS Resources

Key Term Definitions

  • SLTT: Stands for State, Local, Tribal, and Territorial governments—the primary community served by the CIS ISACs.
  • Standard of Reasonableness: A legal concept suggesting that security measures should be appropriate for the resources an organization has available.
  • NIST (National Institute of Standards and Technology): A U.S. government agency that publishes the NIST Cybersecurity Framework (CSF), another framework frequently compared to the CIS Controls.

Podcast Timeline

00:00 - What is “Good Enough?”

00:20 - Welcome [Back] to Practical Cybersecurity

00:48 - From the NSA to CIS

01:50 - Security Best Practices & Benchmarks

02:48 - Prioritizing Actions with IG1 

03:29 - How Threat Data Informs the Controls 

05:14 - The "Jack of All Trades" Challenge 

06:25 - Free Tools: CSAT & Workbench 

08:20 - Understanding the "Standard of Reasonableness" 

10:25 - Risk Assessments & Cyber Insurance 

12:36 - The Real Cost of Cyber Defense 

14:30 - Tool Categories for Small Businesses 

15:30 - How to Get Started at CISecurity.org

About Jen Stone

Jen Stone (MCIS, CISSP, CISA, QSA) is a Principal Security Analyst at SecurityMetrics with over 25 years of experience in the technical information sector. She has completed over 100 high-level security assessments, specializing in PCI, HIPAA, and CIS Critical Security Controls.

Jen started her career in IT operations and has worked across various sectors, including DevOps and development. This broad background allows her to bridge the communication gap between non-technical business leaders and their IT teams. As the host of Practical Cybersecurity, Jen is dedicated to demystifying complex data security and compliance trends to make them actionable for businesses of all sizes.

When she isn't helping organizations secure their data, Jen is a "Women in Technology" mentor, runs the largest aerial arts competition in the world, and is an enthusiast of chicken-keeping and motorcycle riding.

Practical Cybersecurity: Resources for SMBs

Host: Jen Stone, Principal Security Analyst, SecurityMetrics
Guest: Curt Dukes, EVP and GM of Security Best Practices, Center for Internet Security (CIS)

Curt Dukes: I’ll be upfront with you, Jen. Small and medium businesses just want to be told what to do. Equally important is knowing what is "good enough," because they don’t have unlimited resources.

Jen Stone: Tell us a little bit about your background and how you came to work at the Center for Internet Security.

Curt Dukes: I spent five years in the United States Air Force and then signed on with the National Security Agency (NSA)—or, as some like to say, "No Such Agency". I thought I’d be there for three to five years; 30-plus years later, I finally said I’d had enough. I’ve now been with the Center for Internet Security (CIS) for eight years.

My title is Executive Vice President and General Manager for Security Best Practices. We create and promulgate cybersecurity guidance in two main ways:

  1. CIS Benchmarks: Configuration recommendations for major operating systems and network devices (Windows, Linux, Cisco, etc.).
  2. CIS Critical Security Controls: A prioritized framework of actions organizations should take.

We have three Implementation Groups. Implementation Group 1 (IG1) is where you get started.

Curt Dukes: CIS also has an operational arm called the ISAC (Information Sharing and Analysis Center). We run sensors that give us actual threat data. We look at new and emerging threats, but we also see the same threats year in and year out.

Take ransomware: there’s not a lot unique about it from my lens. Attackers are still exploiting known vulnerabilities for which there’s already a patch available. That threat data directly informs our cybersecurity best practices.

Jen Stone: Small business leaders are often jacks-of-all-trades. Cybersecurity can be intimidating because it’s so technical. Where do they start?

Curt Dukes: Start with the CIS Critical Security Controls. They are available for free as a download. We recommend starting with Implementation Group 1 (IG1). We also offer:

  • CIS CSAT (Controls Self-Assessment Tool): A free, web-based tool to assess yourself against the controls.
  • Workbench: A collaboration platform where you can post questions. The community is very active and willing to help because everyone started in that same spot.

Curt Dukes: There is a legal term called the "standard of reasonableness". If you suffer a cyber incident and end up in court, you want to be able to say that what you did was reasonable for the resources you had.

We’ve published a piece on reasonable cybersecurity based on the controls. If you are implementing IG1 and measuring yourself against it, you can show the court the specific, reasonable actions you took to protect your business.

Curt Dukes: Every business owner wants to know: "How much is this going to cost me?" We looked at this through three use cases:

  1. On-Premise: You manage your own servers and endpoints.
  2. Outsourced: You use a Managed Service Provider (MSP).
  3. Cloud-Based: You put everything in the cloud and let the provider manage it.

In our "Cost of Cyber Defense" paper, we call out ten tool categories. You may not need all ten—some vendor products cover multiple categories—but it helps you tie the safeguards to actual technology.

Jen Stone: Where do we send people to find these resources?

Curt Dukes: Visit our website at cisecurity.org. You can find both the ISAC and our Security Best Practices there, or just search for "Center for Internet Security" in your browser.

Full Practical Cybersecurity Resources for Merchants: CIS Controls Transcript

I'll be upfront with you, Jen. Organizations, small and medium businesses, that's what they want. They just wanna be told what to do. And equally important with that is what's good enough because they don't have unlimited resources.

Hello, and welcome to Practical Cybersecurity, a podcast for business leaders and cyber security professionals in the small and medium business space.

My name is Jen Stone. I'm a principal security analyst at SecurityMetrics. Today's topic is practical cybersecurity resources for SMBs. I am delighted to have Curt Dukes from the Center for Internet Security with me today. Curt, thank you so much for being willing to come on and talk to us today about the CIS. Can you tell us a little bit about your background, how you came to work at the Center for Internet Security?

At the ripe old age of seventeen, I enlisted in the United States Air Force, spent five years in the Air Force, and got the GI Bill. And with that, I was able to go to the University of Florida, go Gators, and got my undergraduate degree in computer science. And then from there, I wanted to go back into public service. And so I signed on with the National Security Agency, or as some people like to say, no such agency.

And so signed on with the NSA and thought I'd only be there for three to five years. Well, thirty plus years later, I finally said I've had enough. That was a career. And then from there, I went on to the Center for Internet Security.

And I've actually been here for eight years now at the Center for Internet Security.

Can you maybe tell us a little bit about your role at CIS? Like, what do you what's a day to day thing look like for you?

Yeah. So I have the title of executive vice president and general manager for what we call security best practices.

You could say, well, what the heck is security best practices? Well, it's really about creating and promulgating cybersecurity best practice guidance. And so we do that in two ways. One is the CIS benchmarks, which if you think about it, it's a set of configuration recommendations for the major operating systems.

So think Windows eleven, Windows Server, any of the Linux distributions, any of the network devices. Cisco or Juniper has Junos for that. And our other product is the CIS Critical Security Controls, which is if you think about cybersecurity, you need a framework. Most folks are familiar with NIST and the cybersecurity framework.

Well, what CIS has done is said, hey. You know, we like that set of controls and underlying safeguards, but what we wanna do is actually prioritize the actions that we want individuals or individual organizations to take. And so with that, we actually script it out for them. We have three implementation groups.

So implementation group one is where you get started, and then you actually follow in each one of those controls and underlying safeguards, and we want you to actually implement that and measure yourself against that.

So the benchmarks and the security controls are what I'm most familiar with, and with our new focus on giving small and medium businesses actionable, practical advice, that's why I was really excited to talk to you about CIS because I think that's what that offers. But also, I get the feeling that the Center for Internet Security might have a broader mission than benchmarks and the security controls.

Yep. You're a hundred percent right. So the beauty of this little small, as I like to say, scruffy nonprofit headquartered in upstate New York is the fact that we have an ISAC, the Information Sharing Analysis Center.

So that's really, if you will think about it as our operational arm. And so as part of that ISAC, we run a number of sensors within the SLTT community.

What that gives us is actual threat data.

And so, I mean and over the number of years that we've been operating the ISAC supporting the SLTT community, we've amassed a very large amount of threat data. And so what we do as part of that is we actually look at new and emerging threats.

And, yes, there are new and emerging threats, but there's also a lot of just, you know, threats that we've seen year in and year out, you know, and you can't be on any speaking engagement and not mention ransomware. Right? And from my lens, there's not a lot unique about ransomware. They're still exploiting known vulnerabilities for which there's a patch already available. But so that threat data actually informs our cybersecurity best practices.

Okay. So let's imagine that I am in a small business or a medium business, and and I know that I need to have cybersecurity. I need to have some sort of a framework. I need to have something in place to protect against these threats.

This is so, especially for small businesses. You know, the leaders in these businesses have to be, you know, really a jack of all trades. They have to learn so much. And the cybersecurity world, for, you know, working with a lot of groups, this can be one of the most intimidating because it's very specific knowledge. It's very technical knowledge.

And a lot of times, they don't know where to start. Where do I start in implementing a cybersecurity program? So if they go to CIS, where do they how do they start?

Start with the CIS critical security controls.

Right? And so that is your cybersecurity framework. You could also use CSF or cybersecurity framework. You could use the International Standards Organization has another framework.

It's twenty seven thousand and one for that. But you come to CIS, it's available for free, it's a download, and within that, we typically have how-to guides, how they'll start using and implementing the critical security controls. We would tell you to start with what we call implementation group one. We have a free tool called the controls self-assessment tool, and it's basically online, a SaaS-based application.

You would come to the CIS website and you could register for a free account, you could start assessing yourself against that. So if you're some small business, let's say Acme Incorporated and you don't know where to start, you could go on to our collaboration platform called Workbench, just post questions, say, hey, I'm new to CIS, I really wanna start using implementation group, one of the controls, what do I do?

And I can tell you factually, you'll get more people responding to you that are non-CIS employees than are CIS employees. Not that we don't wanna respond, but we don't have to. That community now actually has grown to a sufficient level that folks just wanna help you because at one point in their journey to good cybersecurity best practices, they were at that same spot and they actually said, where do I start? So start with those CIS critical security controls, start with implementation group one of those controls, use our free tool called CSAT, and if you have any questions, use Workbench, which is that collaboration platform. That's, again, a free resource available to you.

And that's terrific. I really like that about CIS as it has an easier entry point, especially for smaller, medium businesses.

One of the things that I get asked a lot is how do I prioritize putting in new security controls? And it sounds like you've already done that by having different implementation groups and and created that approach of you you already know as a first priority here's a starting place.

That's exactly right. My job is to make your life just a little bit easier when it comes to cybersecurity. I can't make your life easier for everything, but at least in cybersecurity, I can. And so we wanna remove certain, you know, questions you may have and just say, here.

Just do this. And I'll be upfront with you, Jen. Organizations, small and medium businesses, that's what they want. They just wanna be told what to do.

And equally important with that is what's good enough because they don't have unlimited resources. And so that's exactly right. We prioritize the things, the actions that we want you to take to be able to measure yourself against a cybersecurity framework, in this case, the CIS Critical Security Controls in that regard. And I'll go one step further.

This concept, it's a legal term called the standard of reasonableness, right? And so whether we like it or not, things happen and say you suffer through a cyber incident, right?

Typically you'll probably get hauled into a court. Someone's gonna say there's liability, and you want to at least be able to say, well, what I did was reasonable for the resources I had available to me. So we've come out with a thought piece around reasonable cybersecurity, and it's based on the controls. So if you're implementing the controls and implementation group one and you're actually measuring yourself against that, should you suffer a cyber intrusion, you can at least show to the court, these are the actions I had done and what I thought was reasonable given the resources I had available to me. So that to me is a very important concept, and I think what we're finding is a number of states are actually starting to adopt or understand reasonableness in the context of reasonable cybersecurity.

So let's say we have a company that they've done implementation group one.

They're growing. They feel like they have more budget. How difficult is it? And I'm assuming that you there is an implementation group two and beyond, but how difficult is it to move from group one to the next step?

Don't even think about it. Just do implementation group one first. Then we'd say you need to do a risk assessment. And CIS offers a free risk assessment methodology, CIS RAM, which is based on the controls.

So, you know, what that would do for you is it would identify gaps you may have in your cybersecurity program based on threats that are maybe specific to a certain industry vertical, that may be based on resources that you have available, but do the risk assessment. And then from that, that will tell you which of the implementation group controls and underlying safeguards you need to then start prioritizing as part of your overall cybersecurity program. Or you may choose, after implementation group one, given the resources you have available, that I actually feel pretty good about this.

And then any other risk I may have, I may actually cover that using cyber insurance, having a cyber insurance policy. So that's another means for you to kind of buy down some of that risk through an insurance policy. And what you would do to the underwriter is just demonstrate, here's my cybersecurity program, here's how I've implemented implementation group one, these are the additional risks that I'd like to be covered through a policy. And that actually is music to insurers' ears because they're already getting proof that you're proactive and you actually care about your business and care about protecting the business as well as any personally identifiable information that you may be retaining on behalf of a customer or a member.

Sure. Yeah. The other piece I'll talk about very briefly is the cost of cyber defense.

Right? So every small and medium business really wants to understand, well, just how much of this cybersecurity stuff, how much does that actually cost me? Because it's the cost to the company, they gotta pay for it. And so we came up with the cost of cyber defense and we looked at it from three different use cases. One use case was that you provide all the IT and support yourself, so it's on prem, on premise and you're doing you're managing the servers, you're managing the endpoints, you're setting up accounts, things of that nature. And we defined here's a cost to actually implement IG One of that.

The second use case was, hey, this is kinda hard for me. I'm a small business so I'm simply just going to outsource it. So I'm gonna outsource this to a managed service provider.

Right? Very, very typical in small and medium businesses. And so what we did is said in order for that managed service provider to implement IG One of the critical security controls, we believe it would cost them about this much. And then the third use cases is that, hey, I don't wanna have to deal with either one of those.

I'm just gonna stick everything in the cloud and let that cloud service provider manage it on my behalf. And so that's the third cost that we have in this on the cost of cyber defense for that. But within that paper, we actually call out, if you will, ten tool categories. Right?

And so these are tools. I mean, I wanted to list actual vendor names because that's what most individuals and organizations are familiar with. Right? But it was easier just to break it out by tool category.

At some point in the future, we may actually list at least vendor products. We say it's good, better, best, we'll just say these are vendor products that fit within that tool category.

This actually would help you then say, okay, I've already got three of these tools. In order for me to fully implement IG One, then I'm gonna need to pick up a couple more of those. Now, the one difficulty in that is that you may not need all ten tools. Some of these vendors' products do multiple things, so it may be that one vendor product gets you three or four of the tool categories in and of itself, so you may not have to own and manage ten tools. But we actually try to tie the controls and the underlying safeguards with the actual tool technology that you need to understand in order to implement that program.

I think that at this point, there's probably a lot of people who are thinking, I want to learn more.

I wanna get started. Where do we send people so that they can find your CIS resources and jump in?

Yeah. So we have a website, cisecurity.org. Please do go visit. We break out the ISAC, the Information Sharing Analysis Center, and we also have what we call security best practices. Or you could just, in your browser, just search on Center for Internet Security.

Well, this has been great. I really appreciate all of this. I learned things that I didn't know about CIS today, so I appreciate your time, and thanks very much for sharing this with us.

You bet. Jen, it's been a pleasure meeting with you and having a good discussion with you.
