Enterprises looking to implement cyber defenses wish to know three things:
- Which protections will we start with?
- Which tools will be needed to implement those protections?
- How much will an implementation cost?
In response, CIS has published this guide, The Cost of Cyber Defense: Implementation Group 1 (IG1), to help answer those questions.
Every enterprise wants a reasonable starting point at a reasonable cost for cybersecurity. The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that can be implemented to form an effective cyber defense program. The key word here is prioritized. CIS recommends starting with Implementation Group 1 (IG1) of the CIS Controls, which constitutes essential cyber hygiene for any enterprise. IG1 is a “must do” list of actions to take as a foundation for more complex countermeasures, such as a Security Information and Event Management (SIEM) service, needed by larger enterprises that face more sophisticated adversaries and protect more sensitive data or services.
This guide organizes the IG1 Safeguards into 10 logical categories and identifies the types of tools needed to deploy and maintain these security actions. To estimate the cost to implement these Safeguards, we researched the cost of licensing the commercial versions of the required tools for each of the 10 categories.
Our estimate shows that obtaining and deploying commercially supported versions of the tools should cost less than 20% of the Information Technology (IT) budget for an enterprise of any size. Even after adding the overhead of implementing the policies needed to support them, the IG1 Safeguards provide a reasonable, necessary, and effective starting point for cybersecurity in any enterprise.
The purpose of this guide is to give enterprises a picture of how realistic and cost-effective it can be to achieve essential cyber hygiene (IG1). In turn, this information helps enterprises make informed and prioritized decisions about cyber defense. Several audiences can benefit from this guide, including members of the executive team (e.g., CEO, CFO, CISO, CIO) and IT administrators.