So, I got this new role in cybersecurity management (“CISO”) at an SME. My experience in a sole cybersecurity role is limited, and so is the company's experience with cybersecurity. Put differently, they (or we) have NO adequate cybersecurity controls or measures in place. Of course, we have the usual antivirus and so on, but awareness is very limited and cybersecurity is most of the time no concern for the IT department. I was brought in to change this (together with the CIO and CEO, who work very closely with me).
My first approach was to bring in the CIS Controls and “start from the top”. I'd limit us to IG1 so as not to overwhelm everyone. However, what I'm missing in the CIS Controls (and also in the NIST CSF) is the mapping from threats to controls, or vice versa. A simple example to make my point clear:
Say we identified phishing attacks as our biggest current risk. Controls that would help in mitigation are:
* 9.5 Implement DMARC
* 14.1 Establish and Maintain a Security Awareness Program
* 14.2 Train Workforce Members to Recognize Social Engineering Attacks
Now these controls of course also help to mitigate other risks (an n-to-one relationship).
What I'm looking for is an n-to-n map between threats and controls. This would help us to identify situations where we can kill ‘the most birds with one stone’, and it would also help to defend the mitigations before the board (it's easier to argue from concrete threats and then show which mitigations can be implemented to address them than to argue that mitigation xy has to be implemented ‘because I say so’).
Is there such a mapping? The only comprehensive list of cybersecurity threats I found was in the ‘Guidebook on Best Practices for Airport Cybersecurity’ ([https://www.nap.edu/download/22116](https://www.nap.edu/download/22116)).
Or do I think ‘in the wrong direction’? How would you approach this situation?
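As an added illustration of the n-to-n idea in the question (this is not the poster's code and not an official CIS mapping): the matrix can be kept as a plain list of (threat, control) edges, read in both directions, and used to rank controls by how much risk weight they touch. The threat list, the risk weights and every mapping row other than the three phishing rows quoted in the post are constructed assumptions for the example; the safeguard numbers are given as CIS Controls v8 from memory and should be checked against the current CIS document before use in a real risk register. The `greedy_plan` function goes beyond the post by selecting controls in weighted set-cover order, so a control is only credited for risk that an earlier pick has not already covered.

```python
"""Threat-to-control matrix with coverage scoring and greedy control selection.

Added example, not from the original post. RISKS and MAPPING are constructed
for illustration; only the three phishing rows for 9.5, 14.1 and 14.2 come
from the post. Other safeguard numbers are CIS Controls v8 as recalled by the
author of this example and are an assumption to verify, not an official mapping.
"""
from collections import defaultdict

# Threats with a risk weight = likelihood x impact on a 1-5 scale (constructed).
RISKS = {
    "phishing": 5 * 4,
    "credential stuffing": 4 * 4,
    "ransomware": 3 * 5,
    "unpatched internet-facing service": 3 * 4,
    "lost or stolen laptop": 2 * 3,
}

# Many-to-many edges (threat, control). One control may appear under several
# threats and one threat under several controls; that is the whole point.
MAPPING = [
    ("phishing", "9.5 Implement DMARC"),
    ("phishing", "14.1 Establish and Maintain a Security Awareness Program"),
    ("phishing", "14.2 Train Workforce Members to Recognize Social Engineering Attacks"),
    ("phishing", "6.3 Require MFA for Externally-Exposed Applications"),
    ("credential stuffing", "6.3 Require MFA for Externally-Exposed Applications"),
    ("credential stuffing", "5.2 Use Unique Passwords"),
    ("ransomware", "11.2 Perform Automated Backups"),
    ("ransomware", "10.1 Deploy and Maintain Anti-Malware Software"),
    ("ransomware", "14.2 Train Workforce Members to Recognize Social Engineering Attacks"),
    ("unpatched internet-facing service", "7.3 Perform Automated Operating System Patch Management"),
    ("unpatched internet-facing service", "7.4 Perform Automated Application Patch Management"),
    ("lost or stolen laptop", "3.6 Encrypt Data on End-User Devices"),
    ("lost or stolen laptop", "5.2 Use Unique Passwords"),
]


def controls_for(threat, mapping=MAPPING):
    """Threat -> controls direction: what would mitigate this threat?"""
    return sorted(c for t, c in mapping if t == threat)


def threats_for(control, mapping=MAPPING):
    """Control -> threats direction: what does this control buy us?"""
    return sorted(t for t, c in mapping if c == control)


def coverage_scores(mapping=MAPPING, risks=RISKS):
    """Sum of the risk weight of every threat each control touches.

    This is the raw 'birds per stone' number; it double-counts threats that
    several chosen controls share, which greedy_plan() corrects for.
    """
    scores = defaultdict(int)
    for t, c in mapping:
        scores[c] += risks[t]
    return dict(scores)


def greedy_plan(mapping=MAPPING, risks=RISKS, max_controls=None):
    """Weighted greedy set cover over the matrix.

    At each step pick the control that removes the most still-uncovered risk
    weight; ties go to the control with the larger total coverage (it adds
    defence in depth on threats already covered), then to the lower name.
    Returns [(control, uncovered_risk_weight_it_removed), ...] in pick order.
    """
    by_control = defaultdict(set)
    for t, c in mapping:
        by_control[c].add(t)
    total = coverage_scores(mapping, risks)
    uncovered = set(risks)
    plan = []
    while uncovered and (max_controls is None or len(plan) < max_controls):
        candidates = [
            (-sum(risks[t] for t in ts & uncovered), -total[c], c)
            for c, ts in by_control.items()
        ]
        neg_gain, _, best = min(candidates)
        if neg_gain == 0:
            break  # remaining controls address nothing that is still uncovered
        plan.append((best, -neg_gain))
        uncovered -= by_control[best]
    return plan


def justification(control, mapping=MAPPING, risks=RISKS):
    """One line per control for the board: the concrete threats it addresses."""
    ts = threats_for(control, mapping)
    weight = sum(risks[t] for t in ts)
    return f"{control}: mitigates {', '.join(ts)} (risk weight {weight})"


if __name__ == "__main__":
    for control, gain in greedy_plan():
        print(f"{gain:3d}  {justification(control)}")
```

Reading the plan top-down gives the argument order for the board: each line names the threats from the register that the control addresses, and the number in front is the risk that would still be open without it. Swapping in the organisation's own threat list and weights is a matter of editing the two tables at the top.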