Organizations have access to an extraordinary array of security tools and technology, standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, countless checklists, benchmarks, and recommendations. There is no shortage of information available to security professionals.
However, this might just be the problem. It can be quite hard to invest in the most effective tools, taking into account costs and benefits, as all this information has become a ‘fog of more’ in which competing options, priorities, opinions, and claims cloud judgment which leads to corporate inactivity or inefficiency.
In order to create the required clarity to effectively prioritize security control measures, we are able to conduct a SANS or CIS 20 critical controls assessment. The CIS 20 Critical Security Controls provide a very good open-source framework to analyze the effectiveness of your security controls using a bottom-up approach, while still being able to map them to governance frameworks such as the ISO27001 standard.
