By: Bryan T. Newlin, CPA.CITP, CISA

“How do we compare against similar companies?” “Are we protected against cyber threats?” “What additional controls can we add to improve our IT security?”

These questions come up constantly during our presentations to Audit Committees. I love answering them because they show the Board’s interest in learning more about cybersecurity and IT risk. Often, these questions lead into terrific conversations about the state of technology and cybersecurity. I find myself covering similar talking points at different businesses, and they usually start with, “there is no one solution, tool, or fix that eliminates the risk.” From there we discuss layered controls, user access, and all the minutiae of a strong cybersecurity program. I wax poetic about IT controls, and only when the Board’s eyes have glazed over do I dial it down a few notches.

While it’s true that no organization is completely impervious to threats, we all want to do the best we can with our limited resources. Enter SANS Institute’s Center for Internet Security (CIS) 20 Critical Security Controls (CSCs) for Effective Cyber Defense. This brief but valuable list outlines 20 “prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state.” The SANS Top 20 winnows the large majority of “in-the-wild” risks (read: attacks that have actually happened) down to the controls that, had they been implemented, would have prevented those attacks or at least detected them more quickly.

The benchmark report for data breach attacks is the annual Verizon Data Breach Investigations Report (DBIR), which now maps its findings to these Critical Security Controls (the 2015 DBIR uses CSC version 4.0; we’re now at version 6.0). In 2015, the Verizon DBIR noted that 40% of the controls determined to be most effective fell into the “Quick Win” category: controls that could have prevented an attack and were easy to implement, but weren’t in place.

Based on our work with many of the companies in the deTECH readership and the industries that the Risk Advisory Services team serves, we think the following 5 CSCs are most relevant to your organizations, in very general and non-binding terms, of course. The reference numbers are the priority ranking assigned by CIS. Nonetheless, we encourage you to follow the links or search for the SANS Top 20 and read the full list. If your organization is looking for the next line of defense against cyberattacks, this is a great checklist for finding the next control to implement.

  • CSC 1: Inventory of Authorized and Unauthorized Devices
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 5: Controlled Use of Administrative Privileges
  • CSC 7: Email and Web Browser Protections
  • CSC 8: Malware Defenses

That governing bodies ask questions about the state of cybersecurity, information technology, and their posture among their peers is a great sign. One truism of business is that tone at the top really matters, and if these issues are important to the Directors, then they’ll carry weight throughout the organization.


Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.