Endsight provides a complimentary cybersecurity training. Our goal is to bring awareness of the latest trends and best practices to help reduce cyber risk for our customers, our business community, and their families.
I spend a lot of time talking with clients and in the natural course of those conversations, recommendations for improvement are a frequent topic. With the wildly varying budgetary, business, strategic, and leadership goals that an MSP like ours encounters, we also see wildly varying levels of acceptance and suspicion. Though I wish we’d all be welcomed warmly as fully impartial consultants, hoping only to help our clients be safe and protect their business, the reality is that our recommendations are always evaluated based on cost, appropriateness, and with a high degree of ‘what is this person trying to sell me and why?’
That’s where frameworks come in. There are several cybersecurity frameworks out there (NIST, CIS, Microsoft, CMMC, HIPAA, etc.). When Endsight recommends a cybersecurity solution, we can always back up our recommendation with a publicly available framework that sits outside any vendor, and other MSPs should be able to do the same.
We’ve chosen CIS (The Center for Internet Security) as our framework. CIS is publicly available (for free), applicable to all industries, nonprofit, and globally recognized. When we approach a client with a CIS-backed recommendation, we can assure them it will map to regulatory, insurance, and industry standards. CIS also has Implementation Groups, which are collections of their recommendations sorted by security need. CIS Implementation Group 1 is applicable to everyone, Implementation Group 2 is applicable to those with a much higher cybersecurity need, and Implementation Group 3 is for very high-security governmental, biotech, and similar organizations. With these groups, we can tailor recommendations to the appropriate risk profile and security budget.
CIS and other frameworks help us make impartial, product-agnostic decisions and recommendations that are standardized across all clients. Approaching a client with “All the regulatory bodies, all insurance companies, and all the cybersecurity frameworks out there recommend or require protection X. Here’s what we use for that,” rather than “please buy our product, it’s good,” demonstrates the appropriateness of a solution rather than its profitability. Having backing from a public entity with no financial interest in the transaction (a framework), or from an authority with a substantial financial interest in the safety of its client (an insurance company), removes emotion from the equation: these are simply industry best practices.
As an example, let’s look at multifactor authentication, specifically in Microsoft 365. Microsoft 365 is the most broadly utilized Software as a Service platform in the world, and Microsoft notes that MFA is effective in preventing 99.9% of account compromise attacks. MFA adds another layer of security in front of logging into cloud resources (email, SharePoint, etc.), and it can be difficult to implement for organizations that have only ever used usernames and passwords.
Fortunately, insurance won’t issue coverage without MFA, and every framework requires MFA to be compliant. This changes our conversation from “Steve, some guy, thinks MFA is great” to “this is what it will cost your organization to continue not having MFA (insurance coverage, regulatory and framework compliance).” That’s a very different conversation, and it’s backed universally by Microsoft (and other organizations). We’ve gone from a sales call to an audit call.
Frameworks underpin all of our recommendations, and they should for everyone. The next time you’re approached with a security recommendation, ask which framework and which control it applies to.
To learn more about the CIS Framework, take a look at the multi-part series we wrote. It breaks the Framework into 3 broad chunks. Intended as a starter guide, it will hopefully give you good questions to ask about security.