So, I got this new role in cybersecurity management (“CISO”) at an SME. My experience in a sole cybersecurity role is limited, and so is the experience of the company in cybersecurity. Put differently, they (or we) have NO adequate cybersecurity controls or measures in place. Of course, we have the usual antivirus and so on, but awareness is very limited and cybersecurity is most of the time no concern for the IT department. I was brought in to change this (together with the CIO and CEO, who work very closely with me).

My first approach was to bring in the CIS Controls and “start from the top”. I’d limit ourselves to IG1 as just not to overwhelm everyone. However, what I’m missing in the CIS controls (also in the NIST CSF) is the mapping from threats to controls or vice versa. A simple example to make my point clear:

Say we identified phishing attacks as our biggest current risk. Controls that would help in mitigation are:

* 9.5 Implement DMARC
* 14.1 Establish and Maintain a Security Awareness Program
* 14.2 Train Workforce Members to Recognize Social Engineering Attacks

Now these controls of course help to mitigate other risks as well (n to no relationship).

What I’m looking for is an n-to-n map between threats and controls. This would help us identify situations where we can kill ‘the most birds with one stone’, and it would also help to defend the mitigations before the board (it’s easier to argue from concrete threats and then show which mitigations can be implemented to mitigate them than to argue that mitigation xy has to be implemented ‘because I say so’).

Is there such a mapping? The only comprehensive list of cybersecurity threats was in the ‘Guidebook on Best Practices for Airport Cybersecurity’ ([https://www.nap.edu/download/22116](https://www.nap.edu/download/22116)).

Or do I think ‘in the wrong direction’? How would you approach this situation?


3 Comments

  • VeryLucky2022

    November 23, 2021

    Implement 100% of CIS controls. That should be a minimum baseline, mapping to threats is just a waste of time at this stage.

  • Songbringer90

    November 23, 2021

    Depends on the framework you want to map CIS to. ATT&CK is probably the most well known. Quick Google search and here ya go. I have never used tripwire products and I didn’t download this so I can’t tell ya how good this mapping is.

    https://www.tripwire.com/solutions/configure-and-harden-your-systems/mitre-attck-matrix-with-cis-controls-and-tripwire-mapping-register

  • bitslammer

    November 23, 2021

    While that’s a great idea, just keep in mind some things like “CIS Critical Security Control 1: Inventory and Control of Enterprise Assets” don’t really have a clean 1:1 mapping to exact threats, but rather these are fundamental processes needed to carry out other controls effectively.

    I would also make sure to only do this for **your** threats and not all threats in general. Look at your org and pick out the top 10 threats that apply to you. Don’t have any service providers? Then don’t worry about 15 at all.

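Taking the original question (an n-to-n threat/control map, “most birds with one stone”, arguing from threat to control) together with bitslammer’s two caveats (foundational controls with no direct threat, and only *your* threats in scope), here is an added example of what such a map and ranking can look like. It is not code from this thread or from CIS: the threats, their weights and the control-to-threat assignments are constructed assumptions for a hypothetical SME; control ids 9.5, 14.1, 14.2, 1 and 15 come from the discussion above, while the titles of 6.3 and 15.1 are taken from CIS Controls v8.

```python
# Added example: n-to-n threat/control map plus a greedy "most birds with one stone"
# ranking. Threats, weights and the mapping are constructed assumptions for one
# hypothetical SME, not CIS data. Control ids 9.5, 14.1, 14.2, 1 and 15 are from the
# discussion; 6.3 and 15.1 are CIS Controls v8 safeguards.
THREATS = {  # threat -> assumed priority weight for *this* org (only your threats)
    "phishing": 5, "ransomware via email": 4, "credential stuffing": 3,
    "vendor compromise": 2, "insider data theft": 1,
}

CONTROLS = {  # control id -> (title, threats it directly mitigates)
    "9.5":  ("Implement DMARC", {"phishing", "ransomware via email"}),
    "14.1": ("Establish and Maintain a Security Awareness Program",
             {"phishing", "ransomware via email", "credential stuffing"}),
    "14.2": ("Train Workforce Members to Recognize Social Engineering Attacks",
             {"phishing", "ransomware via email"}),
    "6.3":  ("Require MFA for Externally-Exposed Applications",
             {"phishing", "credential stuffing"}),
    "15.1": ("Establish and Maintain an Inventory of Service Providers",
             {"vendor compromise"}),
    "1":    ("Inventory and Control of Enterprise Assets", set()),  # foundational
}


def threats_to_controls(controls):
    """Inverse map (threat -> control ids): the direction used when arguing to the board."""
    inv = {}
    for cid, (_, threats) in controls.items():
        for t in threats:
            inv.setdefault(t, set()).add(cid)
    return inv


def greedy_plan(threats, controls):
    """Repeatedly pick the control that covers the most still-uncovered threat weight.
    Returns (ordered plan, foundational controls with no direct threat, uncovered gaps)."""
    uncovered = dict(threats)
    plan = []
    foundational = [cid for cid, (_, ts) in controls.items() if not ts]
    while uncovered:
        best = max(controls, key=lambda c: sum(uncovered.get(t, 0) for t in controls[c][1]))
        gained = {t for t in controls[best][1] if t in uncovered}
        if not gained:
            break  # nothing mapped covers what remains: report it as a gap, not hide it
        plan.append((best, sorted(gained)))
        for t in gained:
            del uncovered[t]
    return plan, foundational, uncovered
```

Calling `greedy_plan(THREATS, CONTROLS)` on the sample data picks 14.1 first (it covers the three heaviest threats), then 15.1, lists control 1 as foundational, and reports “insider data theft” as a threat with no mapped control; drop the vendor threat from `THREATS` and 15.1 disappears from the plan, which is bitslammer’s scoping point in code.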
