In today's threat landscape, every organization must commit to investing in a certain level of cybersecurity to protect their private data and technologies. Implementing the required controls correctly and then maintaining them is crucial to fostering trust between organization and client while also avoiding litigation. In the Center for Internet Security's (CIS) "Guide to Defining Reasonable Cybersecurity", experts from CIS seek to define what "reasonable cybersecurity" is and how organizations can achieve it.
What is "Reasonable Cybersecurity"?
What is reasonable cybersecurity? The answer to that question is -- it's complicated. One of the key issues with defining what reasonable cybersecurity entails is that there is no national standard or framework that lays out what reasonable cybersecurity is. This makes it difficult for organizations to accurately protect themselves from cyber criminals in addition to litigation. This lack of a unified standard means that organizations are forced to rely on a collection of disparate state laws and industry standards which in turn makes compliance much more difficult to achieve.
To create a better definition of reasonable cybersecurity, the CIS guide looks to safe harbor laws to better understand how organizations can protect themselves from cyber incidents and litigation that may follow. These safe harbor laws base the scope of an organizations cyber defense policy on the size and complexity of the company, the scope of the activities of the company, the sensitivity of the data being protected, and the cost and availability of security resources to the company. Understanding these factors help organizations determine the next best steps in creating a cyber defense plan. Once the scope of an organization's cybersecurity surface has been established, companies should adhere to recognized industry standards and frameworks.
There are also other key principles to keep in mind when determining what constitutes reasonable cybersecurity. Firstly, organizations must look at their security measures in the context of their businesses size, capabilities, and types of data in need of protection. Businesses should also base their practices off of a verified security framework such as the CIS Controls, NIST Cybersecurity Framework, or ISO/IEC 27000. These frameworks offer tangible guidance and guardrails for how organizations are to handle their security posture. Reasonable cybersecurity measures must also take into account compliance and legal requirements. Many industries require a standard level of data protection and failure to comply may result in lost contracts or litigation. Ideally, the framework your organization chooses to adopt will both strengthen your overall cybersecurity posture while also ensuring your security practices are compliant. To achieve a reasonable level of cybersecurity, organizations must bolster their existing cybersecurity defense while also pursuing compliance.
Achieving Reasonable Cybersecurity through the CIS Controls
To achieve a level of reasonable cybersecurity, organizations should consider implementing the safeguards included within the CIS Critical Security controls framework. Why the CIS Controls specifically? The Controls are operational, meaning that they refer to policy rather than industry specific protocols. They also provide actionable safeguards that aren't industry specific and can be applied to organizations of all sizes. The Controls were also designed with compliance in mind, meaning that implementing the CIS Controls allows your organization to also align with a number of regulatory requirements. Through the implementation of a trusted framework like the CIS Controls, organizations can increase their overall security posture while also maintaining compliance.
However, starting from ground zero is difficult, especially for small-medium sized businesses. As a CIS accredited organization, CorpInfoTech utilizes the controls in all our managed IT and security services. We've implemented the Controls since their inception in 2008 and have proven our ability to apply them to organizations of various industries. Our services include security and risk assessments, manage firewall services, vulnerability management, compliance, and managed IT. All of these services utilize the CIS Controls as their North star and work together to help create "reasonable cybersecurity" within an organization.
To learn more about how the CIS Controls can benefit your organization, contact CorpInfoTech today!