The Center for Internet Security’s Critical Security Controls (“the CIS Controls”) are incredibly useful in helping organizations defend themselves against digital threats. By adopting the first five controls alone, it’s possible for companies to prevent 85 percent of attacks. Adopting all 20 controls can prevent as much as 97 percent of attacks.
Unfortunately, a majority of organizations still haven’t incorporated industry standards like the CIS Controls into their security strategies. That’s one of the findings from Tripwire’s State of Cyber Hygiene report. The survey found that two-thirds of organizations do not use hardening benchmarks like CIS or Defense Information Systems Agency (DISA) guidelines to establish a secure baseline.
Tim Erlin, vice president of product management and strategy at Tripwire, said this finding wasn’t expected:
These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience. It’s surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward.
For the report, Tripwire surveyed 306 IT security professionals in July 2018 in partnership with Dimensional Research to examine how organizations are implementing security controls that the Center for Internet Security (CIS) refers to as “Cyber Hygiene.” Specifically, Tripwire’s State of Cyber Hygiene explored how organizations are implementing security practices related to network visibility, vulnerability management, configuration management, administrative privileges and logging.
Given the lack of adoption of the CIS Controls and other hardening benchmarks, it’s not surprising that the survey also found organizations falling short in many of the key areas identified above:
- More than half (57 percent) of respondents said it takes hours, weeks, months or longer to detect new (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Ray Lapena. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/security-hardening/organizations-hardening-benchmarks-secure-baseline/