EPISODE 114
The NIST CSF vs The Top 18

About this episode

In this episode, Kip Boyle and Jason Dion discuss the importance of cybersecurity in the current digital landscape and compare two widely used standards: the NIST Cybersecurity Framework (CSF) and the CIS Critical Security Controls, commonly called the CIS Top 18.

The NIST CSF was created to help organizations become cyber resilient and offers an adaptable, comprehensive, risk-management-based approach: it describes the outcomes to achieve and leaves the choice of controls to you. The CIS Top 18, on the other hand, is a prioritized and sequenced checklist of concrete, actionable controls, starting with inventories of enterprise and software assets and ending with penetration testing.

Both frameworks provide cybersecurity measures suited to different situations. They can be used individually, or together: the CSF can serve as the top-down structure and the CIS controls as one source of the bottom-up controls that implement its outcomes (the CSF's informative references also point to NIST SP 800-53 and ISO 27001).

Note that the CIS Top 18 can end up being quite expensive for smaller organizations, since using the controls requires a license from the Center for Internet Security, while the NIST CSF is published free of charge; that is one reason many people choose the CSF instead. When selecting a framework, consider your organization's size and specific needs, the threats it faces, and the budget available for implementation.


Episode Transcript

Kip Boyle:
Hi, welcome. This is Your Cyber Path. We are the podcast that helps you start and accelerate your cybersecurity career. Thanks for being here. Hey, Jason, how’s it going?

Jason Dion:
Hey, Kip, great to be here. How are you doing?

Kip Boyle:
Doing really well, thanks. So we’re recording this at the end of December. Yesterday was my, we’ve got two twin girls and it was their birthday and they just turned nine years old. And it was really cute because for the first time ever they came to us and said, “This is what we want to do for our birthday,” and they gave us a plan. We want to do this and this, and then we want to go here, then we want to do that. It was all completely reasonable, go figure. So we were excited and we’re like, “Okay, great, let’s do it.” And man, it was a lot of fun. So I’m still thinking about that. What are you up to?

Jason Dion:
Just preparing for the holidays. As you said, it’s December here, so we’re going into the holiday season and into New Year’s, and as a business owner, end of the year also means end of the year financials. So it’s been a lot of late nights trying to close out all the books and get everything done before I take off for the holidays and the new year. And then I’m just excited about what we’re doing in 2024 as we keep moving forward. And so I’m just looking ahead and getting lots of stuff done.

Kip Boyle:
Oh yeah, I’m thinking about those things as well, particularly, and I just want everybody to know that as we continue to release Your Cyber Path episodes, you’re probably going to hear us talking more and more about Accolade. That’s something that Jason and I are doing to provide certifications for folks that are going to, we believe, really help them learn skills that they will be able to apply on the job and to solve real problems as soon as possible.

And we are doing that with an advisory council of experienced hiring managers because we want to make sure that when they see that you have an Accolade certification, that your resume goes to the top of the pile because they know what it means to have an Accolade certification. So yeah, my head is just full of all the cool stuff that we’re going to be doing in 2024. And in fact, I’ll just hold this up right now. So I just ordered-

Jason Dion:
I was just going to say the ISO compliance.

Kip Boyle:
Yep, yep, yep. So now for anybody who’s heard of ISO 27001, well, it turns out that ISO publishes so many standards on so many different things. And so one of the things that they publish on is called 17024. And this is guidance, well, the book here that I have is guidance and templates for personnel certification bodies. And so that’s what Accolade is, is we’re certifying people against bodies of knowledge.

And so Jason and I have made a commitment that we want to operate Accolade in a high quality way. And so one of those things means that we want to be ISO certified so that people can have even more trust that we’re doing things the right way. So anyway, yeah.

Jason Dion:
Because it’s [inaudible 00:03:31] two guys in their basement taking an exam and going, “Hey, you’re certified now.” That doesn’t meet ISO compliance. We built this thing from the ground up with lots of stringent testing and quality control and advisory councils, all those things to make it a valuable certification that is worth your time and money and not just something that is a money grab to separate you from [inaudible 00:03:51] dollars because there’s too many of those in the certification world and we’re not going to operate that way.

Kip Boyle:
Right. Well, Accolade’s going to have its own podcast and we’ll tell you about that later on. But anyway, sorry, just can’t help but to talk about something that’s really exciting.

Here’s something that’s also exciting, which is the topic of our podcast episode for today. So what we want to talk about and explore is two different standards. And as we were creating this episode, we were kind of thinking of it as a standards death match. What if each one of these standards could be like a little bot and they go out and battle each other to see which one’s better?

And so in one corner we’ve got the NIST Cybersecurity Framework, CSF, and in the other corner we’ve got the Center for Internet Security Critical Security Controls, and currently that’s a top 18 list. And so they’re in the other corner and we’re going to see which one is going to be the supreme choice for our listeners. But first, let’s just do a quick definition, right?

Jason Dion:
Before you do that, I have to do an aside, I’m sorry, but when you said the match thing, it brought [inaudible 00:05:09] back to my childhood of MTV’s Celebrity Death Match. We had Marilyn Manson and Fred Durst going at it, these claymation things, ripping each other’s heads off.

And the time I knew that I quote “made it” as an online instructor was about three years ago, my wife was scrolling Reddit and she found my name on there, my name’s on there a lot because people are always like, “Oh, you should go to Jason for Security Plus,” or this or that or whatever. But she had found one that had gotten to pretty high up, that it was an instructor death match, and the students of Jason Dion, Mike Meyers, and Professor Messer were arguing over who would win in a celebrity death match if all three of us were in the ring.

Kip Boyle:
Okay. Well, now that you’ve teased it so well, what was your takeaway from that conversation? Did you stick around to find out?

Jason Dion:
Yeah, I read through all five different comments because I got invested. But yeah, it was a lot of people going back and forth. I would say, I think I got about 40% of the things because people were like, “Oh, he’s former military. He knows how to kill a man seven ways with his hands,” or whatever. I’m like, yeah, that’s not me. I wasn’t that kind of military guy. And then people were like, “Oh, Professor Messer, he’s from the Tallahassee, Florida area.” It’s like, “Oh, those folks down there, they know how to hunt and fish and kill and everything else.”

Kip Boyle:
Wrestle alligators.

Jason Dion:
Mike Meyers is from Texas with big trucks and big guns and all that kind of good stuff out there. So it was a fun read as people were going back and forth, making up reasons why they thought that their instructor would win. And literally it was all about strength and size and cunning is what they were going for, not based on how good an instructor we are.

Kip Boyle:
Okay. Well, I would pay to see that, just so you know. For reals, I would. Okay, so-

Jason Dion:
Anyway, back to the episode at hand. We were going to talk about the NIST Cybersecurity Framework and the CIS Top 18.

Kip Boyle:
That’s right.

Jason Dion:
As you said, we’re going to start out with doing some basic definitions here, and then we’re going to work our way through and start talking about what is the NIST CSF, what is the CIS Top 18? And then we’ll talk about how are they different, how are they the same? What’s the benefits of each one, and can you use them together, or do you have to pick one as the winner of the death match?

And as we go through, you’re going to hear Kip doing a lot of the talking here because these are both things that he is using a lot in his daily work as a cybersecurity consultant running his cybersecurity consulting firm. Whereas I have used the NIST CSF, the Cybersecurity Framework, quite a bit, but the CIS Top 18 is one I don’t really have a lot of hands-on experience with myself because it just wasn’t something that we implemented where I work. So that being said, I guess we’ll start with a couple of key definitions. What is the NIST Cybersecurity Framework and what is the CIS Top 18? Kip, what is the NIST Cybersecurity Framework?

Kip Boyle:
Okay, great. I love how you took control. So first of all, NIST stands for the National Institute of Standards and Technology. And just like ISO, they are involved in many, many, many different areas, even to the point where if you buy a gallon of milk at the store or a gallon of gasoline at the gas pump, you never worry, am I really getting a gallon? Am I getting more, am I getting less? Because NIST has standardized what is the US gallon of liquids, and so they’re involved in a lot of things.

Well, so they’re also involved in cybersecurity. And so at a high level, the framework is really a framework and it’s a set of guidelines designed to help organizations become more cyber resilient. Jason, you and I have unpacked what the cybersecurity framework is before. We’ve got a whole course on it over on Udemy that folks can take. So I’m not going to go any further into defining what it is at this point. Let’s talk about-

Jason Dion:
And that’s a good starting point, and we will talk a little bit more about NIST as we go through this episode. We just want [inaudible 00:09:19] two definitions real quick, and I will point out that the NIST Cybersecurity Framework, we did do an episode on that in episode 62, so if you want to go back and listen to that, we spent about 45 minutes really diving deep into the NIST Cybersecurity Framework. We’re not going to rehash all that today, but we are going to talk a little more about it in a moment. And to get to that, just go to yourcyberpath.com/62.

All right, the second one we have is the CIS Top 18, and when we talk about CIS, this is the Center for Internet Security, and the Top 18 is literally the top 18 critical security controls that they have created. And this list is essentially just a set of prioritized actions that help protect organizations and data from known cyber attack threat vectors. And that’s really what we’re talking about, the top 18. If you’ve ever dealt with the OWASP Top 10, those are the 10 most common programming errors. Well, the CIS Top 18 takes it a little further. They’ve got 18 things, and these are the controls to stop a lot of these attacks, and they categorize these as security controls as opposed to the errors. These are the things you can do to protect yourself. Did I do a fair job of covering that part, Kip?

Kip Boyle:
Yeah, absolutely. I would like to add something to it, build on what you’ve already said, which is if you’ve been in the industry for a while now, you probably remember, and maybe you even hear some people talk about the SANS Top 20. Guess what, well, that’s the predecessor of the CIS Top 18.

Because what happened was SANS, the system administration and network security organization, that’s what SANS stands for, they actually created this about 20 years ago, and then they owned it for a little while, and then they actually handed it off to the Center for Internet Security. They handed off as a top 20, and then later on it got slimmed down into the top 18. So I wanted to say just a little bit about its origin.

Jason Dion:
Nice. Yeah. All right, so let’s go into our NIST CSF, which is the Cyber Security Framework. Why was it actually created, Kip? Why does the National Institute of Standards and Technology go you know what, I understand why I need to know what a gallon of gas is, because if I go to Shell or BP, I should get the same amount of gas for my dollar, my $3.20 per gallon. But why do I need this CSF? Who cares?

Kip Boyle:
Well, so I’ll try to give you the short version here. Of course, we have that other episode and an entire course that unpacks it. But in, gosh, I think it was 2013, then President Obama signed an executive order and he said, hey, we, the United States government, need to do something to help people become more cyber resilient because it’s getting very dangerous doing business on the internet. We’ve got ransomware, we’ve got [inaudible 00:12:12] denial of service attacks. There’s all kinds of issues. And so people would need to be more cyber resilient because you cannot assume that they can build digital walls high enough, digital walls thick enough that they’re never going to have an incident. And so that’s where it came from.

Now, NIST, which is a part of the Department of Commerce, a lot of people think that it’s military, it’s not. But NIST said, okay, let’s go out to industry and find out what works. How does industry currently become cyber resilient? And this is one of the things I love about the framework, is that it’s not a bunch of academics who sat around and said, in an ideal world, what should this be? They actually went out and talked to practitioners. So there are five key components. One is identify, the next is protect, then there’s detect, and then there’s respond, and then there’s recover. So that’s how the framework is organized, around the lifecycle of an incident. So I don’t know, how did I do, Jason?

Jason Dion:
I think you did pretty well. I think you missed one critical thing in your discussion, and I just gave you a hint there, but it’s critical [inaudible 00:13:26]. The reason that CSF was actually created wasn’t for people like CRO or Dion Training to use it in their businesses.

NIST created it because there’s this thing called critical infrastructure where there are 16 critical infrastructure areas, like healthcare, energy, transportation, et cetera. And these are things that are not government services, but they’re things that we need to function. Otherwise, we as a society break down. For example, if Bank of America, if I was able to hack into Bank of America and delete everybody’s credit card debt today, that would have a pretty significant effect on the US economy because-

Kip Boyle:
[inaudible 00:13:59] a robot.

Jason Dion:
So large and they have so many billions of dollars in assets in consumer debt. And so [inaudible 00:14:06] could do that, right? And that would be a really bad thing for the government because we’d then have to deal with the economic fallout of that. And so they created this NIST Cybersecurity Framework because things like power companies are individual companies across multiple states that affect the security of our power grid. And so the NIST Cybersecurity Framework was developed originally to help with that.

Now as they started rolling it out, people go, oh, that’s interesting. That’s pretty cool. That looks good. And they started using it in business. And by version 1.1, it was now a more generic framework. And version 2.0 is coming out in 2024. And in that case, it’s really not focused on critical infrastructure like it used to be, it is more focused on a general purpose framework.

Kip Boyle:
That’s right.

Jason Dion:
Critical infrastructure and business. And so they’ve made changes there, too. So I just want to point that out as well, because I think it’s important when we start talking about the NIST Cybersecurity Framework, that history and evolution, because I know when I first started using it and looked at it, I was like, how does this apply to my business when they’re talking about securing the power grid? Like, I don’t run the power grid.

And so over time, it’s evolved and it’s adapted and it’s a great tool. And again, as Kip said, you can learn more about that in episode 62, which is all about the NIST Cybersecurity Framework, as well as the course on implementing the NIST Cybersecurity Framework, or the Accolade CCRF, which is the Cyber Resilience Fundamentals, and the Cyber Resilience Practitioner certifications, which are all focused on the NIST Cybersecurity Framework and how you use it as a cybersecurity consultant.

Kip Boyle:
Yep.

Jason Dion:
That being said, Kip, what are some advantages of this cybersecurity framework? Because obviously, I’m a fan. You’re a fan. That’s why you use it in your consulting business. We use it as our first certification under Accolade because we saw a need in the marketplace. Why is the NIST CSF so awesome?

Kip Boyle:
Well, because it’s a framework is kind of the bottom line. And what is a framework? Well, a framework is not a checklist. And so a framework is, think of it as like a bolt of cloth, and you’re going to go get a tailored suit or a tailored dress. And so you’re going to go to somebody and you’re going to say, “Please make me an outfit that I’m going to look great in.” And they’re going to measure you. They’re going to make a pattern, then they’re going to cut the cloth, and ultimately they’re going to fit it to your body. Really, nobody else is going to be able to wear this suit or this dress, and it’s going to be made for you. And that’s what the opportunity is for the cybersecurity framework, is to adapt it to your organization to meet your specific needs. And so that’s one thing that’s fantastic about it.

The other thing is that it focuses on risk management, and it’s also comprehensive in its approach. And so these are some of the really crucial advantages of the framework. And quite frankly, there’s nothing out there in the world that’s quite like it, and that’s why we’re seeing it being adopted outside of the United States actually. I was a little concerned when I first started working with it back in 2016, two years after it came out, because I thought, well, I just wasn’t sure if Europe, Asia, other areas, if they would adopt it because you’ve got ISO in Europe is really strong, and anyway, but it turns out that it’s so practical and so useful that other countries are adopting it. The Japanese, for example, have already translated it into their language and they’re actively using it. So I think that speaks for all these advantages of the framework that we just covered.

Jason Dion:
Yeah, totally. And I think the other big thing with the NIST Cybersecurity Framework is that it’s free to implement. There’s no licensing fee, there’s no cost to use it. Now, there’s a lot of tools you can buy that will make your life easier in implementing it, and those do cost money. But the framework itself, you can go to nist.org today, nist.gov, excuse me, and you can go and download it and look at the entire framework and start implementing it today if you wanted to.

And like you said, very flexible, very adaptable. You can tailor it exactly to your needs, and you can make it as hard or as easy as you want as you go through and do this because you can select five controls or 5,000 controls, and it really is depending on your organization. And it’s really that emphasis on risk management, that’s really what made me fall in love with the NIST Cybersecurity Framework because I come from a military background, and normally when I get a framework, it comes with guidelines and procedures and a checklist for auditing.

And when they say there’s 5,000 controls, I literally have to go through and look at every one of those 5,000 controls. With NIST, I can look at that and go, you know what, controls 1000 to 2000 are all about air traffic control systems. That doesn’t apply to me. N/A. And off it goes. And now I can tailor down my list to the 50 or hundred controls that I actually care about in my business. So I could scale this up for things that are the government side or scale it down to something the size of a four or five person company. And either way, the NIST Cybersecurity Framework works really well in either environment because of that flexibility.

That being said, let’s move on to the next thing, which is going to be to explore the CIS Top 18. So in about five minutes, Kip’s going to go ahead and give us the origin and the purpose and why we use it. Maybe we’ll talk about what some of these 18 controls are.

Kip Boyle:
Right. Well, as I said at the top of the show, the CIS Top 18 used to be the SANS Top 20. Now, I’m not going to go back and give you a blow-by-blow of how it’s changed over time. Let’s mostly focus on what it looks like right now. So that’s its origin. Well, what’s its purpose? Well, the idea when it was first created was that we just didn’t have anything. Because this was created in 2000, 2001, 2002. And back then we really just didn’t have, as practitioners, we just didn’t have a checklist of what are the things that we should be doing to keep our organizations and our digital assets safe?

And so that’s when a bunch of SANS instructors who were very well respected and very high experienced men and women sat down and said, okay, we are going to make this because everybody keeps asking us for this in our classes and nothing like this exists, so we’re going to make it. And they said to each other, like okay, what should be in this thing? And so they came up with the 20 controls, and then those 20 controls actually got more granular. So each one of them would break down into smaller steps that you could take. And that’s one of the things that was really great about it, is it’s very practical and it’s actionable.

And so when you think about it from a project management standpoint, with the cybersecurity framework, you can’t just grab the cybersecurity framework, or I should say you shouldn’t, and then just turn it into a project plan and say, “Okay, let’s get busy. Let’s do this, and then let’s do that and let’s do that.” As we said, you have to tailor it. Well, the CIS Top 20 is skipping that step, and they’re kind of saying, no, no matter who you are, these are the 18 things that you should do if you’re on the internet. And so they’ve actually, this is going to sound gross, but they’ve sort of pre-chewed it for you so you don’t have to do that. And that’s quite frankly, that’s what some people struggle with, with the cybersecurity framework.

And so these are practitioners and they just wanted to get busy right away and start getting things done. They didn’t want to sit around and talk and think. They wanted to do things. And so that’s a big part of what’s going on here. And as far as what are some of the controls, well, it starts out with inventory. And that makes sense because if you don’t know what you have, then it’s difficult to provide asset protection. If you’ve got assets that are not in your field of view, then how can you possibly take whatever measures are necessary to protect them? And so control number one is enterprise assets and control number two is software assets. So the first two controls are all about what are your assets and let’s get them into an inventory.

And it goes on from there, data protection, secure configuration, account management, on and on and on, talks about, and I’m skipping ahead here, malware defenses, data recovery, security awareness, and skills training. And then finally, way down on the list, number 18, penetration testing. And that’s another thing about these top 18, is it is sequential. So you don’t want to pen test before you have your inventory. So it really is sequenced, it’s prioritized, and therefore you don’t need to spend any time tailoring what’s going on here. So anyway, there you go. There’s my five minute explanation of Top 18. What did I miss, Jason?

Jason Dion:
Love how you did all that in five minutes because if I did it, it would’ve been like 30, because we all know I go on rabbit trails.

But yeah, and so when I look at the CIS Top 18, one of the things I find with it is that it is very practical, it’s very actionable. It can be a lot, it’s a lot of controls in each of these 18 groupings as you go through. But you’re right, it goes from inventory all the way down. 17 is incident response, 18 is pen testing. And so it works its way through as you go through this thing. One of the big things that I find is that the idea here is more about compliance. It’s here’s all the things you must do. And then we have this checklist to say, I’m in compliance or I’m not, I’m doing it or I’m not. And it doesn’t really have the tailorability that you have within the cybersecurity framework where I can have more or less and I can really encapsulate things.

So I guess at this point, now that we’ve covered both of them, let’s talk about some of the differences between them. In your mind, Kip, as you talk about the NIST CSF and the CIS Top 18, is there a difference in the scope and the approach that they’re taking? And what are your thoughts around that?

Kip Boyle:
Yeah, there’s absolutely a difference here. On the surface, based on what we’ve shared so far, you might think that this is an apples to apples situation. It’s not at all. This is a very much apples to oranges situation. And so the reason why I say that is because they were designed by two completely different groups of people at two completely different times in the past with two completely different sets of circumstances and context. And I think what it boils down to is that the cybersecurity framework is a framework. CIS Top 18 is not a framework. It’s more of a checklist. And so that’s one fundamental difference.

Another fundamental difference is that the cybersecurity framework is more of a top down approach to cyber resilience, whereas the top 18 is really more of a bottom up approach. And what I mean by that is if you look at the top 18, it’s getting way down in the weeds right away. It’s saying, how should you securely configure your technology? How should your audit logs be configured and managed? How exactly should your email client and your web browser client be configured? And that’s what I would call by bottom up. Now, the cybersecurity framework is top down. You’re not going to find anything in there about how exactly should I configure my email client and my web browser. That’s not its purpose.

Now, in as much as I’m telling you how they’re different, one thing that I do want to say is that they’re complementary. So in the NIST Cybersecurity Framework, there is a lot of overlap. So the framework would say, yes, you do need to have an inventory of your digital assets, but the framework doesn’t tell you how to do that. It just tells you what you need to do. And you could go over to the CIS Top 18 and you could look at their inventory controls and you could say, okay, I want to create the inventory that the framework is encouraging me to create by following the top 18 method of creating that inventory.

Now, it turns out that the framework, you could pair it up with other sources of controls. For example, you could stick with a NIST only approach and you could go grab NIST special publication 800-53, which is a catalog of controls, and you could select controls out of that catalog in order to implement the framework. And you could completely avoid, if you wanted to, using the top 18, because if you were going to be framework focused, that would be completely reasonable. So all right [inaudible 00:27:20].

Jason Dion:
I just want to point out there, just like you said, Kip, when it comes to the NIST Cybersecurity Framework, when you go through it, there’s a section where it says, okay, you need to do access management, you need to do inventory, you need to do whatever the thing is. And then you go all the way to the right. There’s a list that says controls or suggested controls, and it will tell you the suggested control under 800-53, under the CIS Top 18 and under ISO 27001 because all three of those are competing control standards. But the NIST Cybersecurity Framework doesn’t care. You can use any control you want or none of those controls. You can make up your own. That’s okay, too.

Kip Boyle:
That’s right. That’s right. Or you could even actually say, you know what, because I’m not critical infrastructure, every item in the framework that talks about critical infrastructure, I’m just going to strike it right out. I’m not even going to do it. And so you can skip entire outcomes, which is the third level of detail in the framework, or you could even go to the second or the first level of detail and you could say, you know what? I’m not even going to focus on the recovery function right now, so strike all that out of there. This go around, I just want to focus on the other four. And so that’s the big difference.

And that last column that you mentioned in the framework core, that column, if you go to, it’s actually called informative references, and that’s where you’re going to find the suggestions for where you can go to get controls that will help you implement whatever the outcome is that you’re reading about in the framework.

And in version two of the framework, which as you said, Jason, is going to come out in 2024, they actually take that static listing of informative references out of the document, and they’re going to have an online database of those references. And so in the future when you’re looking for controls and control sources, you’re going to be able to go to a database online and query it. And NIST then has the opportunity to update that over time to add more and different control sources or to purge control sources that are not relevant anymore.

Jason Dion:
I love that they’re doing that. The one thing that worries me a little bit with that is if you’re like most organizations, you may take those things and create your own internal checklist in an Excel spreadsheet or something like that. I see this all the time, and they update a control in the database and you don’t realize it, and now all your documents are out of sync. Whereas in the old days, version one and version 1.1, it was literally a PDF. And it came out in 2015, it came out again in 2018, 2019. That was version 1.1 that we’re using today.

And this is something I think about because I’ve dealt with this with other things in my life and in my career where the source reference gets changed and everybody’s like, “Oh, but we’re running off this doc.” We’re like, “Yeah, that one’s been replaced for three years. You never saw the update. Here’s the update.” And that throws everybody into a tizzy. So just keep that in mind if you’re working out there. Once things go dynamic, they can change on whatever basis they want, and there has to be some kind of notification system so you understand that.

So yeah. So I know we’ve done a good job so far covering the NIST CSF and the CIS Top 18 and talking about why you might use them, what the advantages of them are and how they link together. Are there any downsides to using one, the other, or both? For instance, I know with NIST, there’s no cost. For the CIS Top 18, you have to pay for that, don’t you, to get the controls?

Kip Boyle:
Well, you can actually download the controls and look at them, but you’re actually not allowed to use them without a license from the Center for Internet Security. That is a major funding source for them, is my understanding. And so yeah, you do have to become a member and you do have to pay them in order to be able to use it.

Now, could you download it and use it and not pay? Sure. I don’t think they have any way to really know. But one of the things if you’re going to be in the cybersecurity field, and particularly if you’re a CISSP, or if you’re going to become one, is you have to agree to support the code of ethics. And the code of ethics says-

Jason Dion:
Don’t lie, cheat, and steal.

Kip Boyle:
Yeah, yeah, you’re not going to steal stuff. So bear that in mind. Same thing, by the way, for ISO. If you’re going to go for 27001, 27002, there is a fee that you have to pay in order to gain access to the standard. It’s just like if you were to buy a book or a course online, you do have to pay a fee, and that covers the costs of producing the standards and maintaining them. And so bear that in mind.

Now, the US government has said, no, we’re not going to charge anybody for this NIST CSF. And also, they publish a tremendous amount of supporting information, including profiles. If you are in the manufacturing industry and you want to implement NIST CSF, there’s a ton of supporting data up there where they’ve actually profiled the CSF for you and they’ve said, oh, you’re in manufacturing, great. We’re going to go ahead and cut up the CSF so that you can get something off the rack instead of, I think about it, again, as a suit or a dress. You don’t have to do it from whole cloth. We’ve already done that for you. You just need to alter the length of the sleeves and the length of the pants and maybe take in or let out the waist a little bit and you’ll be able to go faster.

Jason Dion:
Yeah, so as we talked about those three standards, we’re talking about ISO 27001, we talked about CIS Top 18, and we talked about the 800-53 from NIST. Only one of those is free, and that’s the 800-53 from NIST because NIST gives everything away for free in a non-confidential, non-proprietary format that can be reused, resold, modified, whatever you want to do with it. They have that in licensing terms, and there’s no cost for you to do it.

So I’m going to ask a practical question, Kip, you do this on a daily basis with hundreds of different companies. When you’re doing this cybersecurity framework stuff, are you guys using 800-53 or the Top 18 or the ISO 27001, or do you use all of them depending on the client?

Kip Boyle:
Yeah, thank you for asking that because what we end up doing I think could help people. So first of all, Cyber Risk Opportunities mostly serves high-end mid-market companies, which would be companies say from $50 million of annual revenue up to about a billion dollars. And so what we have found is that what’s best for them is a little different than what’s best for giant enterprises, which is a little different than what’s best for smaller companies like startups or just companies under $50 million of annual revenue. What we find is that NIST CSF plus what we have is a deployment kit, we’ve actually created controls that are appropriate for that size of the market, and we’ve been inspired by 800-53. We’ve been inspired by all three of them, but we pick and choose because we’re trying to help these organizations have minimum viable controls.

And minimum viable is something that I completely stole from the startup world, where you want to build something that is good enough to get the job done, but no more. You want to move the needle, but you want to do it at the least possible expense. And you don’t want to wait for perfection to get something out there. You want to get something out there and then you want to iterate on it and get it to be better. And so that’s kind of what CRO does for our target audience.

If we’re working with somebody who’s a giant enterprise, then we’ll just ask them like, “Hey, have you already standardized on a control source?” Because many of them have. And so then we just go with that. With small companies, our guidance to them is be careful because it turns out that the CIS Top 18 is really expensive. If you are committed to it, you can expect to spend somewhere in the neighborhood of three to five million dollars just to implement all of those 18 controls as specified. That does not include operating the controls. So please be careful about making a commitment to CIS.

And by the way, that number that I just gave you came from a white paper that was published by SANS in their reading room because I had a customer ask me one time, “Hey, we like the top 18, but how much should we budget for that?” And I said, “That’s a great question. Let me go do some research.” And I found this paper and I brought it back to them and they said, “Holy moly, we had no idea how expensive this was going to be. We’re not doing that. Kip, help us figure out something more cost effective.” And so that really has informed what I already explained to you.

Another thing that I think is important for people to realize is that the Center for Internet Security Top 18 is old. It was really created at a time when the threats and the state of the art for cybersecurity were very different. And while it’s-

Jason Dion:
So while we were talking, Kip, I actually looked it up because I was curious how old it was. The SANS Top 20, which is where it came from, was released in 2001 as a coordination between SANS and the FBI. So you’re right. I mean, it is 2001, it’s a completely different environment than the world that the NIST Cybersecurity Framework was invented in, in 2015. 2001, we didn’t talk about cloud at all. 2015, cloud was everywhere, right?

Kip Boyle:
That’s right. Yeah.

Jason Dion:
Just that-

Kip Boyle:
And ransomware and business email compromise and just cyber crime in general.

Jason Dion:
These silly smartphones we all carry with us everywhere, right?

Kip Boyle:
Yep. Advanced persistent threats. I mean, this is a completely different world, and so I’m cautious about recommending the CIS Top 18 because of that. But some people say to me, “Well, 800-53, that’s a catalog. It’s not a checklist. I really need a checklist and I don’t want to make my own checklist because,” whatever, fill in the blank reason why they don’t want to make their own checklist. They just want to get a checklist. And I’m like, “I’m totally sympathetic to that.”

So what I recommend is go and get the Australian Signals Directorate’s Essential Eight, because that was created very recently and it was created in direct response to the kinds of attacks that we are seeing right now in the last three or four years. And that does include ransomware, business email compromise, and advanced persistent threats. So if you need a checklist and you want some controls that’ll let you get down in the weeds, that’s the one that I really recommend that you look at first. It’s doing what the top 18 is trying to do, I think, which is make something practical and actionable, but it’s more relevant and it’s not going to cost as much and it’s more suitable for smaller organizations as well.

Jason Dion:
Yeah. So as we’re wrapping [inaudible 00:38:32], so there’s two things I want to point out on what Kip was just talking about. One is you mentioned the Australian Signals Directorate, and if you’re not familiar with that term, the ASD is basically the Australian version of the NSA or the National Security Agency. The National Security Agency also puts out guidelines, which they call STIGs, on how to configure machines specifically. The one the Australian Signals Directorate has is a much more generic version, as Kip said, and it works really well to understand similar to the top 18.

The second thing I want to bring out is Kip said this and just drove right by it, but I thought it was a really critical point that we probably need to talk about just for a minute or two. And one of the big things about the cybersecurity framework that we point out in our textbook called Mastering Cyber Resilience, it’s another big point that we talk about in the NIST Cybersecurity Framework course, and that is the idea of a minimum viable control or a minimum viable posture set.

Now, when Kip said the minimum viable, if you’re a security person, the hair on the back of your neck’s probably like, oh my God, what do you mean minimum? No, I want the maximum. I want the best security. And I’ve worked in the military, in and around the military for 20 years, and that is the mentality that I need to protect everything equally. And it all needs to be done at the highest level.

And that is just a dumb thing to do, to be quite honest, because not everything needs to be protected as well. I’ve got two things on my desk right now. I’ve got a Pepsi can and a cell phone. The Pepsi can is worth 75 cents. The cell phone is worth a thousand dollars and has all my digital life on it. Which one do I want to spend money protecting? I don’t care about the soda can. Throw it away. I care about the cell phone. And that’s the idea.

So when you’re doing the NIST Cybersecurity Framework, you’re going to, as a consultant, you’re going to work with the company to figure out what is their risk appetite, what are they willing to accept? What is their threshold for pain? Because at the end of the day, that’s what it comes down to. The question of are you going to get a data breach at some point or attack, the answer is yes, you will. There is no getting out of this alive. We’re all going to die sometime. We’re all going to get a breach sometime. We can try to make it harder, but we could decide what stuff needs to be protected to what level.

And this does a really good job of that, where a lot of these other things, they say, you need these controls and whether the system is processing my kids’ artwork or my tax returns, they treat it the same. And those two things should have different levels of security because one has personal information and financial information and [inaudible 00:40:48] and all that stuff. And the other one is a picture that my kid drew in kindergarten, right? Well, probably very important, but they’re protected to different levels, and I think that’s a really important thing.

And when you say minimum viable or good enough security, and the security practitioner in me goes, “Oh no,” but the business person in me goes, “Yes, that’s exactly what we need,” because I talked about this before, and if you go into episode 62, we’ll talk about a lot more on the NIST Cybersecurity Framework, but that’s one of the major benefits. When you are going and talking with the CEO, the COO and the CFO, those folks are technology people, and all they see is that cybersecurity costs them millions of dollars a year in salaries, software, licensing, hardware, all the other stuff.

And so being able to say, well, depending on your risk level, we can get that down or we can increase it, and we can do that by segmentation, putting certain data in certain places, all those other technical controls we can do, that’s why I think that’s just a really important thing. It’s one of the critical differences with the NIST CSF because it was written by people who are not just technologists, but practitioners who understood the fiscal challenges of trying to get a company to fork over millions or billions of dollars to do cybersecurity.

Anyway, soapbox. I’ll get off my soapbox. Back to you, Kip.

Kip Boyle:
I love it. Thank you for saying something about that because that’s one of the things that I really enjoy about making this podcast series with you, is it’s been so long since I’ve been in the military that I sometimes forget that folks who are coming out of government service or DOD do really think about this stuff differently.

And especially for those who are transitioning into the private sector, we really do need to say this stuff and make it clear to them. Because I can tell you that people in the private sector who’ve never been in the military, a lot of them are biased against veterans because they think that they’re not going to be realistic about security. They think they’re going to bring a military attitude to it. And thank you. I think you made a great case for why you’re going to [inaudible 00:42:54].

Jason Dion:
And there are places that you need to have that level. If you’re working on the software code that runs a CPAP machine that people are going to breathe at night, and if that turns off, they die, that’s pretty important. You probably want to have good security controls on that so nobody’s hacking in over the wifi into the person’s sleep mask.

But if we’re talking about, I don’t know, something else that’s just not nearly as important, you can have less controls. You don’t need to spend millions of dollars to protect the church bulletin that comes out on Sunday, that’s going to be public knowledge on Sunday anyway, right? So there’s decisions you get to make in all of this.

That being said, I want to thank everybody for joining us for another episode of Your Cyber Path. Before we end, I’ll just pass it one more time to Kip. Any last parting thoughts or words of wisdom on the NIST Cybersecurity Framework or the CIS Top 18?

Kip Boyle:
Yeah, just one final thought. It’s just a capstone thought. A lot of people come to me and say how much they’ve struggled with NIST CSF and that struggle, because they’re not tailors, they don’t know how to tailor it, has sort of caused them to veer into the top 18. And so I take that time to tell them, look, it’s not the same, the choice that you just made. Let me help you understand why you were frustrated with CSF, but let me also explain to you why I don’t think you should just rush right into the arms of top 18 without understanding what you just experienced. People find that to be very helpful is the reaction that I get.

So if that’s an experience that you’ve had, I would encourage you to take a step back and rethink that decision that you made. And especially if you’re trying to get buy-in at the higher levels of your organization, CSF is the way to go because you can talk to them in ordinary business language, you can talk to them about the business value of cyber resilience, because there’s a lot of it, and they may not understand top 18, they may not understand secure configuration log management. Doesn’t mean anything to them. So I also want you to consider that as you go forward.

Jason Dion:
Yeah. And my last final thought is one thing we didn’t cover in the episode, if I may get that chance real quick to talk about, is that implementation guide. So Kip talked earlier in the NIST Cybersecurity Framework, how his company CRO has taken this 800-53, as well as other control [inaudible 00:45:26] they’ve looked at and distilled it down and already done a lot of this tailoring to make this almost like a template or a worksheet that they use with these different companies that they work with.

So I know some people in the audience here are people who work at companies that may need that kind of service. And if you’re just trying to get your NIST program off the ground, I don’t know where to start, sometimes it’s helpful to bring in a consultant, like CRO, Cyber Risk Opportunities. People come in and help with that. But they can, I know [inaudible 00:45:50] guys do both guidance as well as hands-on, walking them through the whole process.

Kip Boyle:
Oh, yeah.

Jason Dion:
Long consulting engagements, short term, but all that goes back to your CRM process. And when I saw your CRM process, I really liked it because one of the things I struggled with NIST at the beginning was how do you actually do this in the real world in an organization? Because the NIST framework, it’s free, but it’s 55 pages and it’s very generic.

And we took that as we wrote the Mastering Cyber Resilience textbook, and it’s got 200 pages and it expands on that, explains how to use it, how to operationalize it, and a large part of that is the CR-MAP that CRO developed. Can you talk to the two minute elevator pitch? What is a CR-MAP and why should a company care? And if somebody in the audience wants to learn more about it, who do they talk to?

Kip Boyle:
Right. I appreciate that, Jason, for asking. So what is a CR-MAP? It’s a cyber risk management action plan because guess what, that’s what senior decision makers want to see. They want to see action. They want to see you secure stuff and get busy, and they want to see a lot of business value. They want you to tell them what’s the business value of the money that they’re spending on cybersecurity.

And so that’s what a CR-MAP will allow you to do, and it’s highly repeatable and it’s highly structured and it scales. So no matter what size organization you are, we can help you use the cybersecurity framework to create for you a cyber risk management action plan. And then when you’re all done, you have a prioritized list of mitigations, you’ve got starting points for every one of them in the form of a template or a procedure or what have you, or a set of communications tools, and then you have an implementation plan and you know exactly where you’re going. You can decide how long you want to get there. If this is a six month journey, 12 month journey, three year journey, whatever makes sense for you, and that’s what we can do.

Jason Dion:
Awesome. So that being said, if they want to reach you, is that just Kip at? Where’s the email?

Kip Boyle:
At cyberriskopportunities.com or you can go to cr-map.com and there’s a button there where you can ask to get some time with me.

Jason Dion:
Sounds great. Awesome. Thanks, Kip. And so once again, I want to thank everybody for listening to this episode. This episode was 114, and so if you want to see all the show notes, you can go to yourcyberpath.com/114. Next time we’ll be back to complete our series on the system design principles, or SDP. We’ve been going through that over the last 18 episodes. We’ve been interlacing a lesson like today, where we teach something or interview somebody, and an SDP principle the following time. And next time we’ll be finishing up with episode 115, which will be the 10th system design principle.

That being said, I want to thank you again for listening to Your Cyber Path. If you found it helpful, please go ahead and subscribe to the podcast, follow us, or share the podcast with people you think this would be beneficial to, whether that’s your coworkers, your peers, your friends, people trying to break into cybersecurity. That’s the best thing you can do to help us spread the word to others and we can help more people break through into the cybersecurity industry.

Also, if you have any feedback for us or topic suggestions or just questions for us, you can ask that over at yourcyberpath.com/ask. That’s A-S-K. You can record a short 30 to 60 second voicemail for us and that way you can share your feedback. Any topics you’d like us to cover on the show as we come on the future episodes, as well as anything you have directly for us and we can answer it for you here on the show. That being said, we are going to be wrapping up season two here in the next couple of episodes, and so we are looking for topics on season three, so if you have any suggestions, please let us know. We’d love to hear it. That being said, thanks for listening to Your Cyber Path, and we’ll see you next time.

Kip Boyle:
Bye, everybody.

YOUR HOST: Kip Boyle, Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST: Jason Dion, Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
