The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.

Recognizing this serious problem, the U.S. National Security Agency (NSA) launched the Critical Security Controls (CSCs) in 2008, a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats.

This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.

Major findings include:

  • The majority of respondents (73 percent) are aware of the CSCs and have adopted or are planning to adopt them. Meanwhile, 15 percent are aware of the controls, but have no plans to adopt them. Only 12 percent had not heard of the controls before the survey.
  • The respondents’ primary driver for adopting the controls is the desire to improve enterprise visibility and reduce security incidents.
  • Operational silos within the IT security organization and between IT and other business departments are still the greatest impediment to implementing repeatable processes based on the controls.
  • Only 10 percent of respondents feel they have done a complete job of implementing all of the controls that apply to their organizations.

Download your copy of the SANS 2013 Report on Critical Security Controls Survey: Moving from Awareness to Action to learn how the CSCs are already driving changes in cyber security.

© 2018 FireEye, Inc. All rights reserved.