Top 5 questions I get asked about meeting the SEC requirements using CIS 18. How CEOs and CISOs can work together to solve this.


The Business Value of CIS 18

Implementing CIS 18 isn't just about security—it's a strategic business investment. For CEOs and CISOs, adopting these controls means mitigating risk, ensuring regulatory compliance, and protecting your organization's reputation. The CIS 18 framework provides a structured approach to cybersecurity that helps streamline operations, reduce costs, and improve efficiency.

Understanding the SEC Requirements

The SEC's new cybersecurity disclosure rules require public companies to:

Disclose Material Cybersecurity Incidents: Publicly report significant cybersecurity incidents that could impact investors.

Describe the Processes and Procedures: Explain the processes for assessing, identifying, and managing cybersecurity risks.

Board and Management's Role: Detail the role of the Board of Directors and senior management in overseeing and managing cybersecurity risks.

Enhancing Cybersecurity Posture with CIS 18

Mitigating Risks: CIS 18 provides a structured approach to identifying and managing risks. By implementing these controls, organizations can reduce the likelihood of cyber incidents that can disrupt business operations, cause financial losses, and damage reputation.

Protecting Critical Assets: The first few CIS controls focus on inventory and control of enterprise assets and software. This ensures that all hardware and software assets are known, managed, and protected, which is critical for maintaining operational integrity.

Ensuring Regulatory Compliance

Meeting SEC Requirements: The new SEC ruling mandates that companies disclose material cybersecurity incidents and their impact. CIS 18 helps organizations establish comprehensive cybersecurity measures, which makes it easier to meet these disclosure requirements and demonstrates due diligence in protecting shareholder value.

Legal and Regulatory Alignment: Many CIS controls overlap with other regulatory requirements such as CPRA, HIPAA, and PCI DSS. By adopting CIS 18, organizations can streamline compliance efforts across multiple regulatory frameworks, reducing redundancy and compliance costs.

Business Value and Efficiency

Cost Reduction: Implementing CIS 18 can lead to more efficient resource use. For instance, continuous vulnerability management helps prioritize and address the most critical vulnerabilities first, often resulting in cost savings and better resource allocation.

Improved Decision-Making: By clearly understanding their cybersecurity posture through regular audits and assessments, CEOs and Boards can make more informed decisions regarding investments in security technologies and processes.

Enhanced Reputation: Implementing CIS 18 and demonstrating a robust cybersecurity framework can enhance an organization's reputation with customers, partners, and investors, showing that the company takes cybersecurity seriously.

CIS Controls Tied to SEC Requirements

Disclosing Material Cybersecurity Incidents

CIS Control 17: Incident Response Management: Establishes an incident response plan to ensure prompt and efficient response to cybersecurity incidents. This helps quickly identify and disclose material incidents as required by the SEC.

Describing Processes and Procedures

CIS Control 6: Access Control Management: Manages and controls access to systems and data, which is crucial for assessing and mitigating risks.

CIS Control 8: Audit Log Management: This control ensures the collection and review of audit logs, helping to identify and manage security incidents.

CIS Control 7: Continuous Vulnerability Management: Continuously identifies and addresses vulnerabilities, aligning with the SEC's requirement for risk management processes.

Board and Management's Role

CIS Control 2: Inventory and Control of Software Assets: Helps management understand the software assets and associated risks.

CIS Control 13: Security Awareness and Skills Training: Ensures management and staff are aware of cybersecurity best practices and of their roles in maintaining security.

CIS Control 18: Penetration Testing: Regularly tests defenses, providing management with insights into the effectiveness of their security measures.

What to Do Next

Assess Your Current Security Posture: Conduct a thorough assessment of your security measures against the CIS 18 controls.

Develop an Implementation Plan: Create a detailed plan for implementing the CIS 18 controls relevant to your organization, prioritizing the most critical controls based on your risk assessment.

Engage Senior Management: Ensure that your leadership team understands the importance of cybersecurity and is committed to supporting the necessary initiatives.

Invest in Training: Provide regular training for your staff to keep them informed about security best practices and the latest threats.

Monitor and Review: Monitor your security posture and review your controls to ensure they remain practical and relevant.

By following these steps, you'll be well on your way to achieving compliance and enhancing your overall cybersecurity strategy.

If you're looking to simplify compliance with data protection and cybersecurity laws, whether you operate only in the US or internationally, CIS 18 is a solid starting point.

Here are the top 5 questions I have received this year on CIS 18 and the SEC requirements.

1. How can smaller organizations with limited resources effectively implement CIS 18?

Smaller organizations can implement CIS 18 effectively by prioritizing the controls based on their risk profile and resource availability.

Start with the most critical controls that address immediate threats and vulnerabilities, such as inventory and control of enterprise assets and software (CIS Controls 1 and 2). Utilize free or low-cost tools for continuous vulnerability management (CIS Control 7) and audit log management (CIS Control 8).

Leveraging cloud services and managed security service providers (MSSPs) can also help reduce the burden on in-house resources. Security awareness training (CIS Control 13) should focus on empowering employees to be the first line of defense.

2. What challenges might companies face when integrating CIS 18 with existing compliance frameworks like ISO or NIST?

Integrating CIS 18 with existing compliance frameworks such as ISO or NIST can present several challenges:

  • Mapping and Overlapping: Organizations may struggle to map the controls of different frameworks onto one another without creating redundancy. The crosswalks available for CIS 18 can help streamline this process.
  • Resource Allocation: Balancing the resource allocation between maintaining compliance with multiple frameworks and operationalizing CIS 18 controls can be complex.
  • Cultural Shift: Implementing CIS 18 may require a cultural shift within the organization, especially if an established compliance framework is already in place.
  • Documentation and Reporting: Ensuring that documentation and reporting meet the requirements of all frameworks can be time-consuming and complex.

3. How does CIS 18 address the specific requirements of different industry sectors, such as healthcare or finance?

CIS 18 is designed to be universally applicable, making it adaptable to various industry sectors, including healthcare and finance. For example:

  • Healthcare: CIS 18 can help healthcare organizations meet HIPAA requirements by focusing on protecting electronic health information through controls such as data protection (CIS Control 3) and secure configuration (CIS Control 4).
  • Finance: Financial institutions can use CIS 18 to align with PCI DSS requirements, ensuring the protection of payment card information through access control management (CIS Control 6) and continuous vulnerability management (CIS Control 7).

Each industry can tailor the implementation of CIS 18 controls to address specific regulatory requirements and operational needs, ensuring a comprehensive security posture.

4. What metrics should organizations track to measure the effectiveness of CIS 18 implementation?

Organizations should track the following metrics to measure the effectiveness of CIS 18 implementation:

  • Incident Response Time: Measure the time taken to detect, respond to, and mitigate cybersecurity incidents.
  • Vulnerability Remediation: Track the identified vulnerabilities and the time to remediate them.
  • Compliance Scores: Assess compliance scores against various regulatory requirements and standards.
  • Audit Log Reviews: Monitor the frequency and thoroughness of audit log reviews and the number of incidents identified through these logs.
  • Employee Training and Awareness: Measure the completion rates and effectiveness of security awareness training programs.
  • Penetration Testing Results: Track the findings from regular penetration tests and the time to address any vulnerabilities discovered.
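As an added illustration (not from the original article), the following Python script computes several of the metrics listed above from constructed sample records: incident detection and response times, the share of incidents surfaced by audit log review, vulnerability remediation time against a per-severity SLA, and training completion. The record fields, SLA day counts and sample values are assumptions made for this example, not figures from the article or from CIS.

```python
"""Compute CIS 18 effectiveness metrics from constructed sample records.

Every record below is constructed for illustration; the SLA values are an
assumed internal policy, not a CIS or SEC requirement.
"""
from datetime import datetime
from statistics import mean

# Assumed remediation SLA in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed incident records: when the event occurred, when it was
# detected, when it was contained, and what surfaced it.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "contained": "2024-03-01T16:00", "source": "audit_log"},
    {"id": "INC-2", "occurred": "2024-03-10T00:00", "detected": "2024-03-12T00:00",
     "contained": "2024-03-12T12:00", "source": "user_report"},
    {"id": "INC-3", "occurred": "2024-03-20T09:00", "detected": "2024-03-20T09:30",
     "contained": "2024-03-20T11:30", "source": "audit_log"},
]

# Constructed vulnerability records; "fixed" is None while the finding is open.
VULNS = [
    {"id": "VULN-1", "severity": "critical", "found": "2024-03-02", "fixed": "2024-03-05"},
    {"id": "VULN-2", "severity": "critical", "found": "2024-03-03", "fixed": "2024-03-15"},
    {"id": "VULN-3", "severity": "high", "found": "2024-03-04", "fixed": "2024-03-20"},
    {"id": "VULN-4", "severity": "high", "found": "2024-03-05", "fixed": None},
    {"id": "VULN-5", "severity": "medium", "found": "2023-12-01", "fixed": None},
]


def _ts(value):
    """Parse an ISO-8601 date or datetime string."""
    return datetime.fromisoformat(value)


def incident_response_times(incidents):
    """Mean time to detect (occurrence -> detection) and mean time to respond
    (detection -> containment), both in hours."""
    detect = [(_ts(i["detected"]) - _ts(i["occurred"])).total_seconds() / 3600 for i in incidents]
    respond = [(_ts(i["contained"]) - _ts(i["detected"])).total_seconds() / 3600 for i in incidents]
    return {"mttd_hours": mean(detect), "mttr_hours": mean(respond)}


def log_review_detection_rate(incidents):
    """Fraction of incidents first identified through audit log review (CIS Control 8)."""
    found_in_logs = sum(1 for i in incidents if i["source"] == "audit_log")
    return found_in_logs / len(incidents)


def remediation_metrics(vulns, as_of, sla=SLA_DAYS):
    """Per severity: open/closed counts, mean days to fix, SLA-met rate for
    closed findings, and the ids of open findings already past their SLA."""
    as_of = _ts(as_of)
    report = {}
    for severity, limit in sla.items():
        group = [v for v in vulns if v["severity"] == severity]
        if not group:
            continue
        closed = [v for v in group if v["fixed"]]
        still_open = [v for v in group if not v["fixed"]]
        days_to_fix = [(_ts(v["fixed"]) - _ts(v["found"])).days for v in closed]
        overdue = [v["id"] for v in still_open if (as_of - _ts(v["found"])).days > limit]
        report[severity] = {
            "open": len(still_open),
            "closed": len(closed),
            "mean_days_to_fix": mean(days_to_fix) if days_to_fix else None,
            "sla_met_rate": sum(d <= limit for d in days_to_fix) / len(days_to_fix) if days_to_fix else None,
            "overdue_open": overdue,
        }
    return report


def training_completion_rate(assigned, completed):
    """Completion rate of security awareness training (CIS Control 13)."""
    return completed / assigned


if __name__ == "__main__":
    print(incident_response_times(INCIDENTS))
    print("detected via audit logs:", log_review_detection_rate(INCIDENTS))
    for sev, row in remediation_metrics(VULNS, "2024-04-01").items():
        print(sev, row)
    print("training completion:", training_completion_rate(120, 102))
```

The overdue-open list is the figure worth putting in front of management: a high SLA-met rate on closed findings can hide an old medium finding that has quietly exceeded its window, and the per-severity split keeps that from being averaged away.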

5. How can CISOs effectively communicate the benefits and importance of CIS 18 to their Board of Directors and senior management?

CISOs can communicate the benefits and importance of CIS 18 to the Board of Directors and senior management by:

  • Aligning with Business Objectives: Explain how CIS 18 supports the organization's overall business objectives, such as reducing risk, ensuring compliance, and protecting reputation.
  • Quantifying Risk Reduction: Provide data on how CIS 18 implementation reduces the likelihood and impact of cyber incidents.
  • Cost-Benefit Analysis: Highlight the savings achieved through more efficient resource use and reduced compliance costs.
  • Regulatory Compliance: Emphasize how CIS 18 helps meet SEC requirements and other regulatory standards, demonstrating due diligence and protecting shareholder value.
  • Success Stories: Share case studies or success stories from other organizations that have benefited from implementing CIS 18.
  • Transparent Reporting: Use clear and concise reporting to present metrics and progress in a way that is understandable and relevant to non-technical stakeholders.

 

By addressing these key points, CISOs can effectively convey CIS 18's strategic importance and secure the necessary support from senior management and the Board.

Shawn Lucca

Client Manager Information Security @ World Wide Technology | Information Security Consultant | Servant Leader | USMC Veteran

4mo

Geoff, I find that the global and large business security practices are working to align and see value in that alignment. The problem still seems to be (specifically in the US) the ability of the security practice to communicate the financial risk of non-compliance. There still seems to be a problem with agreeing to a cost model, even at the vertical level. CISOs still seem to have a gap when it comes to expressing internal risk and the associated cost of that risk. Is there an actuary or insurance provider that has a publication that CISOs could direct board and management to? This seems to stall movement for the security practices' alignment to frameworks and requirements.

Heather Noggle

I integrate people, process, and technology. Cybersecurity Workforce | Small Business Cybersecurity | Software Requirements | Data Integration | Business Analysis | Speaker | Writer | Systems Thinker

4mo
