Cyber Security

The 85/20 Rule of Cyber Security


The CIS 20

The CIS 20 is perhaps the most important IT framework I’ve ever come across in my career. I was introduced to it while leading a Program Management initiative for a mid-size accounting firm. During a bi-weekly call we were addressing their interest in Two-Factor Authentication as part of their newest security initiative. For those not familiar, ‘Two FA’, as it’s affectionately known, is a security mechanism that requires two types of credentials for authentication. For example, signing into online banking might require a password and bank card number as one factor; a second would be a temporary number code texted to your cell phone.



As the discussion continued, it became apparent that the firm needed to take a much broader view of cyber security, given issues such as associate and partner productivity during tax season.

Who You Gonna Call?

As soon as the meeting concluded I placed a FaceTime call to my brother in London, England, who was a director in PwC’s cyber security practice. In relating to him the need and challenge we faced, he mentioned the CIS 20.

The CIS 20 was founded by the National Security Agency (NSA) in 2008 as a project requested by the Department of Defense (DoD). It started with a gathering of some of the smartest and best IT security folks in the world asking a simple question, which went something like this:

  • “Through the ‘fog of more’ in the IT security world, if there were only 20 things we could do to give us the maximum defensive impact what would they be?”  

The goal was to prioritize the many existing cybersecurity controls based on the prevalence and frequency of attack methods. Through collaboration between the public and private sectors, an initial draft was published in 2009.

The draft was circulated to several hundred IT firms for evaluation, and then validated by the US State Department. A project was then launched to implement the controls across the entire State Department’s cyber environment, which resulted in great success. 

With a very rapid achievement of a more than 88% reduction in vulnerability-based risk across 85,000 systems, the State Department’s program became a model for large government and private sector organizations.


Brilliant at the Basics

CSC 1 through CSC 6 are the basic controls that should be deployed to create a strong foundation for any cyber security program. According to CIS, a number of studies have shown that implementation of the first five CIS controls provides an effective defense against 85% of the most common attacks.

For the purposes of this post, I’ll begin with the first six, categorized as “Basic.” Any size organization can perform the following with commitment, an organizational process, and discipline, yet with minimal or no investment. I’ll list the first six and then provide a link to the remaining controls and more information about the Center for Internet Security.

1. Inventory of Authorized and Unauthorized Devices: Actively manage (inventory, track and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

2. Inventory of Authorized and Unauthorized Software: Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found and prevented from installation or execution.

3. Secure Configurations for Hardware and Software: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers and workstations using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.

4. Continuous Vulnerability Assessment and Remediation: Continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate them, and minimize the window of opportunity for attackers.

5. Controlled Use of Administrative Privileges: The processes and tools used to track, control, prevent and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

6. Maintenance, Monitoring and Analysis of Audit Logs: Collect, manage and analyze audit logs of events that could help detect, understand, or recover from an attack.
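Controls 1 and 2 both come down to the same routine: compare what is actually on the network with the list of what is supposed to be there, and act on the differences. The script below is an added illustration (not CIS material or anything from the firm in the story) that reconciles a constructed DHCP lease listing against an authorized device inventory and a per-host package listing against an approved software baseline; all MAC addresses, hostnames and package names are made up.

```python
"""Reconcile observed devices and software against an authorized inventory,
the core of CIS Controls 1 (devices) and 2 (software). Sample data is constructed."""

# Constructed authorized hardware inventory: MAC address -> asset name.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "partner-laptop-01",
    "00:11:22:33:44:02": "tax-workstation-07",
    "00:11:22:33:44:03": "file-server-01",
}

# Constructed DHCP lease listing, one "<mac> <ip> <hostname>" entry per line.
DHCP_LEASES = """\
00:11:22:33:44:01 10.0.1.21 partner-laptop-01
00:11:22:33:44:02 10.0.1.45 tax-workstation-07
00:11:22:33:44:99 10.0.1.77 android-8f3a
"""

# Constructed software baseline, mandatory agents, and per-host observed packages.
APPROVED_SOFTWARE = {"tax-suite", "office-suite", "endpoint-agent"}
REQUIRED_SOFTWARE = {"endpoint-agent"}
OBSERVED_SOFTWARE = {
    "tax-workstation-07": {"tax-suite", "office-suite", "endpoint-agent", "torrent-client"},
    "partner-laptop-01": {"office-suite"},
}

def parse_leases(text):
    """Turn lease lines into (mac, ip, hostname) tuples; MACs are lower-cased."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            leases.append((parts[0].lower(), parts[1], parts[2]))
    return leases

def reconcile_devices(leases, authorized):
    """Control 1: devices seen but not authorized, and authorized devices not seen."""
    seen = {mac: (ip, host) for mac, ip, host in leases}
    unauthorized = {mac: seen[mac] for mac in seen if mac not in authorized}
    not_seen = sorted(mac for mac in authorized if mac not in seen)
    return unauthorized, not_seen

def reconcile_software(observed, approved, required):
    """Control 2: per host, packages outside the baseline and required ones missing."""
    return {
        host: {"unapproved": sorted(pkgs - approved), "missing": sorted(required - pkgs)}
        for host, pkgs in observed.items()
    }

if __name__ == "__main__":
    print(reconcile_devices(parse_leases(DHCP_LEASES), AUTHORIZED_DEVICES))
    print(reconcile_software(OBSERVED_SOFTWARE, APPROVED_SOFTWARE, REQUIRED_SOFTWARE))
```

Run weekly, the "authorized but not seen" list is as useful as the unauthorized one: it catches inventory entries that are stale and should be retired.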

Resolve to Begin

As with any good methodology, the best approach is a simple one, so establishing a weekly schedule beginning with the first control is key. The following week, move on to Control Two and inventory the authorized and unauthorized software. Note that by the third week, your resolve and that of your organization will be tested to keep going.

If you struggle at this point and you’d like assistance in implementing the remaining controls in a timely manner, get in touch with me. Just give me a call at +1 778.317.8064 or send me an email at and we’ll arrange for a complimentary 1/2 day session to help you set up the structure you need.

For more information and to get your own copy with details of the CIS 20 click here

Don’t forget to leave a comment and have a good week!