Implementing the 20 Critical Controls on a Low-Cost Budget: Do It, Don't Worry About It!

By Princess Clark-Wendel, MBA

If you work in a small or mid-sized business or agency, trying to implement a cyber-security program might feel like pushing a boulder uphill, especially if you don't have a large staff or budget.

Implementing a cyber security program does not have to feel like an uphill battle.

Even selling the benefits of cybersecurity to upper-level managers can be difficult. Since managers are in the business of maximizing profit, their focus is on maximizing short-term gains and minimizing noncritical investments, maintenance costs, and discretionary spending unless such spending is absolutely necessary.

The problem is, cybersecurity is more critical and less discretionary than ever before.

The Necessity of Securing Digital Operations

In a 2010 article in the Washington Post, Harvard Law School Professor Jack Goldsmith, who served as an Assistant Attorney General in the George W. Bush administration, and Melissa Hathaway, who led President Obama's Cyberspace Policy Review, contended that reaping the economic gains from information technology while ignoring security costs had reached a crisis point. They argued that organizations that don't "adopt and embed" cybersecurity solutions into their core infrastructures are playing a game of chance that, sooner or later, they're bound to lose. Yet the authors predicted that the nation probably would not truly embrace cybersecurity until some part of the American economy was destroyed by a catastrophic cyber event.

Pick a Threat

Flash forward to 2014, when it seems like there has been one such catastrophic event after another, with cyber victims ranging from JP Morgan Chase to the U.S. Postal Service. Cyber threats and breaches have become the new reality. Today, more than ever, securing digital operations is necessary for both government and private sector organizations.

Many organizations don't have a large budget to implement all the Critical Controls.

How to Secure Your Organization on a Budget

You likely get the picture, but you may still be worried about whether you have the budget to implement the necessary cybersecurity measures. Renowned cybersecurity specialist and SANS Fellow Dr. Eric Cole has a simple message: Don't worry. Securing your networks does not have to be expensive. For example, Dr. Cole says that implementing the 20 Critical Controls, a prioritized, risk-based approach to security designed by private and public sector experts from around the world, is not an all-or-nothing strategy. Rather, the Controls are a holistic set of security measures that can be put in place as needed and over time.

"Smaller organizations might only quickly implement a few controls, while larger organizations might do more," Dr. Cole explained.

While large organizations need comprehensive and consistent Controls across their enterprises, Cole suggests that budget-conscious firms focus on defense by addressing the most common and damaging attacks occurring today, as well as those they anticipate will occur in the future.

Dr. Cole also recommends that CEOs and owners of small to medium-sized businesses, as well as managers new to cyber-security, take courses to develop and deepen their cyber-security skills and stay ahead of their adversaries. The SANS Institute has courses for cyber-security professionals at all career levels. We invite you to investigate the cyber defense curriculum today.

What do you think is the most pressing issue facing small to medium-sized organizations when it comes to implementing the Controls?

Leave your comments below.


Posted December 18, 2014 at 12:15 PM


It's more than obvious now that small and big companies need to invest in cyber protection; the recent scandal with the Sony hack of their e-mails is just another reason why this is needed. If such a large company as Sony can be so easily hacked, what would happen if the same hackers attacked a smaller enterprise? What kind of data (if not all) could they obtain within hours? It's great to hear that you can do things on a budget, and this should be widely known by all executives of all companies, big or small.

Posted December 18, 2014 at 8:20 PM


I wonder how much cyber security would cost for a small company that has fewer than 50 employees. I work at such a company and keep telling my boss we need to implement something like this or we risk losing our entire work. I tried reasoning with him, but it's no use! He just doesn't understand that small companies are just as much of a target as large ones. What article or study could I show him to make him change his mind?

Posted December 19, 2014 at 2:49 PM


Dear Aaron,
Thanks for your comment.
As far as your boss is concerned, you can show him the data and give him the list of organizations that have been compromised. You can also have him read books like Advanced Persistent Threat by SANS Fellow and industry expert Dr. Eric Cole. His book shows how prevalent the adversary is and how easy it is to compromise an organization.
I hope this helps.

Posted December 19, 2014 at 11:54 PM

Robert Scroggins

I think that employee education/training for the security needed in their job is the most important item to implement. It seems that the employee/user is the weakest link in the chain. The threats that I seem to hear about often involve an employee doing something they should not do, such as downloading/executing an email attachment or inserting a USB in a corporate asset. At least some of the Advanced Persistent Threats initially start with nothing more advanced than a lack of knowledge or concern about security on the part of an employee.

Posted December 20, 2014 at 3:20 AM


Excellent point! Organizations are spending millions of dollars investing in security products to secure their critical assets (e.g., data and intellectual property) residing on corporate networks. Next Generation Firewalls and SIEMs, to name a few, are becoming increasingly popular as the number and sophistication of attacks continue to increase. On the other hand, hackers have realized that the easiest way to target an organization is to get an unaware employee to click on a malicious link rather than launching a sophisticated attack. Organizations have to recognize that they are constantly being targeted and must invest annually in a security awareness program to train the individuals connected to the network, the weakest link. Organizations that have achieved success in raising awareness have implemented a company-wide phishing program that regularly sends fake phishing emails to employees to see whether they will click on the link. If an employee falls victim, they are notified privately via email. I've received one of those emails, and although it was somewhat embarrassing, it definitely raised my level of awareness.
