Summary of recent SANS poll on the adoption of the Critical Security Controls
Symantec has been working closely with SANS on the latest revisions to the Critical Security Controls (CSCs) and adoption efforts (https://www.sans.org/critical-security-controls/). Established in 2008, the CSCs were created to help organizations prioritize security functions that are effective against the latest cyber threats and at preventing security incidents. As part of the work undertaken to educate stakeholders and garner broad support, SANS conducted an online survey regarding attitudes toward the adoption of the Critical Security Controls. 699 people responded. The largest group to take the survey (nearly 20%) came from government agencies. Financial Institutions, Education, High Tech, Healthcare, Manufacturing and Utilities were also well represented. Here is a quick summary of some of the findings:
- The primary driver for CSC adoption is the desire to improve enterprise visibility and reduce security incidents. From our engagement with customers, we see a similar set of needs. It doesn't hurt that DHS is about to roll out the Continuous Diagnostics and Mitigation (CDM) Program, which will allow government agencies to go after $200 million in grant funding for implementing one or more of the top 6 controls. However, while many agencies know about the controls, there are still many who do not. In a few recent keynotes and conference panels I participated in, I asked the audience the question "Who is aware of the SANS Critical Security Controls?" In each session, only 60% raised their hands. Educating and raising awareness will be an ongoing effort, but a worthwhile one. We can all help here.
- The 20 CSCs are a great starting place for organizations to improve their overall security posture and reduce risk by upwards of 80-90%. Symantec can help agencies map the controls to other guidelines from NSA and NIST, like FISMA, etc.
- SANS is conducting a webinar on June 25th at 1 p.m. ET to review the results of the survey, discuss adoption drivers, understand how to obtain leadership buy-in, and overcome inhibitors to adoption. John Bordwine, Symantec's Chief Public Sector Architect, will be participating in the webinar. To register for the webinar, go to: https://www.sans.org/webcasts/critical-security-controls-survey-96452.