Announcing the SANS 2013 Critical Security Controls Survey Results!
Reducing real-world risk is the primary benefit of CSCs, which enjoy high level of support from CEOs and CIOs.
BETHESDA, Md., June 13, 2013 /PRNewswire-USNewswire/ — SANS announces the results of its first-ever survey on the Critical Security Controls (CSCs), sponsored by FireEye, IBM, Symantec and Tenable Network Security. The survey results will be discussed at the SANSFIRE 2013 security training event in Washington, DC, June 17 and the full results will be released during a SANS Analyst Webcast on June 25 at 1 PM EDT.
In the survey, which was conducted online in April and May and drew 699 responses, only 12 percent of survey takers hadn’t yet heard of the Critical Security Controls, while 73 percent said they are aware of and/or adopting the controls.
“The Critical Security Controls embody the best advice developed by an incredible range of talented people from across the entire industry and government,” says SANS Director and CSC survey advisor, Tony Sager. “Even better, we’re seeing the rapid emergence of a support ‘ecosystem’ of tools, working aids, mappings, and Use Cases, mostly created by volunteers.”
The largest group to take the survey (nearly 20%) came from government agencies, but 17% of survey takers were from financial institutions. Education, high tech, health care, manufacturing and utilities also had more than 5% representation in the survey.
Respondent organizations are adapting to the Controls guidelines in phases, prioritizing the most mature security technologies (such as anti-malware, boundary security and data recovery), according to survey results. They are also making use of evolving controls, including vulnerability assessment and configuration management. But other, less mature but still widely needed technologies are not as well used at this time.
“The high level of visibility and support at the CEO/CIO level was the most surprising survey finding,” says John Pescatore, SANS Director of Emerging Security Trends and author of the Critical Controls Survey report. “Enterprises and agencies are using the Critical Security Controls as a ‘lens’ to focus their resources on the security controls that demonstrate the most immediate real-world risk reduction to management. Security teams are using the Controls to assess and enhance existing security technologies for ‘quick wins,’ and wrapping newer controls into their development and upgrade cycles.”
Those who register for the June 25 webcast where we release our results will be given access to the full results paper developed by John Pescatore with advice by SANS Director Tony Sager. During the webcast, attendees will learn:
- The primary benefits for organizations adopting the controls
- Their methodologies and processes for adopting the controls and reducing risk
- How respondents are using controls to benchmark, measure and manage risk
Sager adds that the survey will help with the overall mission of the Critical Security Controls. “The Controls are focused on action,” he explains. “What are the most effective things we can each do to improve our defenses, and how can we as a community help each other get there quickly?”
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted, and by far the largest source for world-class information security training and security certification in the world offering over 50 training courses. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 20 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet’s early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community. (www.SANS.org)
SOURCE SANS Institute