EpiOn Blog

Measurably Better IT: Why EpiOn Aligns to the CIS Controls

Written by EpiOn | October 02, 2023

The threat of cyber security risks to your business is at an all-time high. With IT becoming more essential to your business, the risk of ransomware, wire fraud, identity theft, extortion, and complete data loss increases. It may seem like a cliché, but in the world of cyber security, your business is only as secure as its weakest link. To ensure security, your IT team must follow a structured approach to assess and mitigate risks.

 

Related Blog: Measurably Better IT: Why It Matters

As a business leader, it can be challenging to determine your IT security status if it's not within your expertise. Your IT team may assure you that you're secure, but how do they evaluate and manage risks? Moreover, how do they ensure that they're adequately addressing all potential areas of concern?

When IT teams don't have a proper framework for their cybersecurity strategy, they tend to focus too much on one threat area and neglect others. For example, they might prioritize external defenses, such as firewalls, while leaving your internal network vulnerable. This creates an opportunity for ransomware attacks to exploit these weak areas.

The Measurably Better IT (MBIT) Framework, developed by EpiOn, offers a comprehensive and structured approach for managing all aspects of IT, with a strong emphasis on cybersecurity. To ensure the highest level of security standards, the MBIT Framework has incorporated a portion of the CIS Controls framework, a well-recognized and widely used security framework in the industry. The choice to use the CIS Controls framework was made due to its proven effectiveness and reliability. This article will discuss why the CIS Controls framework is suitable for your organization and how the MBIT Framework applies it to real-world scenarios.

Understanding Cyber Security Frameworks

Several groups have established best practices for security in the IT industry. These frameworks include hundreds of policy recommendations for selecting, configuring, monitoring, and managing the security of your data and IT assets. The three leading frameworks are:

  • CIS Critical Security Controls (CIS Controls) – published by the Center for Internet Security.
  • NIST Cyber Security Framework (NIST-CSF) – published by the National Institute of Standards.
  • ISO 27001 – published by the International Organization for Standardization.

From one perspective, the framework you choose to follow is not particularly important as long as you adhere to one. There are connections between different frameworks, so if you adhere to NIST and someone requests evidence of ISO compliance, you can use cross-mapping to demonstrate that your policies align with both standards. 

Each framework is tailored to a distinct audience. ISO is optimal for global organizations and is frequently implemented as a manufacturing and distribution standard. Meanwhile, the NIST framework is highly recognized in the United States and is best suited for large companies with an internal IT department or those that engage with the government or military.

In EpiOn's view, the NIST and ISO standards are often excessive for small and medium-sized businesses (SMBs) with less than 500 employees. These standards can seem either too vague or overly complicated. They require significant interpretation for you to apply them to your specific environment. Therefore, EpiOn suggests that the CIS Controls may be a more suitable choice for most SMBs.

 

Three Reasons SMBs Should Follow the CIS Controls

1. The CIS Controls are Comprehensive

Implementing the CIS Controls ensures that your IT environment is comprehensively secured against potential cyber threats. The CIS Controls consist of 18 Control areas and 153 Safeguard policies, which are categorized according to implementation simplicity and risk level. Moreover, each Safeguard policy correlates with the MITRE ATT&CK framework, managed by a separate non-profit group that monitors the frequency of specific cyber-attack techniques. CIS and MITRE work together to help your IT team evaluate and quantify cyber risk, enabling you to determine the potential cost or impact of a particular security recommendation for your organization.

2. The CIS Controls are Actionable

The CIS Controls are commonly referred to as "tactical" or "prescriptive" controls. This sets them apart from the NIST CSF and ISO standards, which can be more theoretical. By reading the CIS Safeguard policy statement, it's simple to identify if a particular policy is being followed. If it's not being followed, it's also straightforward to comprehend what measures are required to adhere to the policy.

The CIS Controls are also categorized into three Implementation Groups (IGs). Implementation Group 1 (IG1) outlines the basic cyber hygiene standards that all businesses, big or small, should follow. IG2 standards are tailored for businesses that prioritize their data and IT security for smooth operations. IG3 standards are in line with organizations that come under regulatory oversight or where IT plays a crucial role in their operations.

3. The CIS Controls are Practical

For SMBs, it's not always practical to adhere to every single CIS Safeguard policy. Eventually, the cost and impact of following a certain policy will outweigh the marginal risk it addresses in the MITRE ATT&CK framework. EpiOn has found that achieving material compliance with the IG2 policies can effectively protect against over 90% of common threats without breaking the bank. As you pursue the incremental gains of IG3 compliance, the costs tend to increase exponentially.

Measurably Better IT and the CIS Controls

It should now be clear why EpiOn has integrated the CIS Controls into its Measurably Better IT framework. These controls provide a comprehensive approach to IT security that is specific and actionable. We can easily assess compliance with each Safeguard and relate it to the associated cyber threat level. This measurability makes it a practical management tool for you as a business leader.

At EpiOn, we provide managed IT and cybersecurity services based on the Measurably Better IT Framework. Our EmPower and Co-Managed IT management programs effectively tackle 77% of the most prevalent threats found in the MITRE database and enable you to achieve material compliance with CIS IG1 and more than half of the IG2 Safeguards. Additionally, our Cerberus Advanced Security service can be added to enhance your defenses and combat 92% of the most common threats.

Download our white paper to learn more about the MBIT Framework and how it delivers measurably better security.