In the last four years, a consortium of government and privatised organisations has compiled a list of 20 critical controls for cyber-security defence. However, according to a recent survey, implementation of these controls is not yet “mature”.
The list of controls was first published in 2009 and has been updated periodically since then. The controls were initially developed to help make work done by the NSA available to non-government organisations. The list's goal is to prioritise a threat-focused approach to cyber-security, rather than targeting regulatory compliance.
According to GCN, a misconception regarding the list is that it is in direct competition with government regulatory requirements. This is not so, as the list of controls is intended to complement such measures rather than replace them.
73% of those surveyed said that they have adopted, or are planning to adopt, some of the controls on the list, but fewer than 20% have a comprehensive plan for doing so.
This may not be a problem, believes John Pescatore, who was behind the study. He said: “The majority will focus their efforts on near-term implementations of the highest-priority controls and on upgrading existing implementations of some of the lower-level controls”.