IT-Security Gap Analysis: CIS-20 Critical Controls

IT Security Profile (CIS-20 Gap Assessment)

Deloitte has developed a practical approach to IT security based on the 20 Critical Security Controls (CIS-20). Our Security Profile divides and conquers the challenges of IT security.

Challenges

IT security is a struggle: where to start, what to prioritise, and how to measure and report.

An IT security programme requires a solid foundation based on recognised security practices. This involves choosing a recognised IT security framework.

We find that in most cases the Center for Internet Security's 20 Critical Security Controls (known as "CIS-20") are an effective starting point. This framework focuses on operational challenges rather than on policy alone.

Organisations struggle with prioritising IT security initiatives: which initiatives mitigate risk most effectively, and in what order should they be carried out? In many cases we see the expected security improvements from these activities cannibalised because the activities are not coordinated.

Most organisations struggle to develop a practical IT security programme. The challenge is simply where to start and which initiatives to prioritise.

Our approach

We use a modified version of the Center for Internet Security 20 Critical Security Controls ©, as suggested by the Ministry of Justice and the Danish Digitization Agency in "Cyber defense that works".

The concept is called the Danish IT Security Barometer ™. It helps the organisation reach the IT Security Profile it needs in order to meet the GDPR requirements for security of processing (Art. 32) and the breach-notification obligation (Art. 33). The assessment answers three questions:

  • What is the organisation's current Security Profile, expressed in %?
  • What is the delta between the current and the target Security Profile?
  • What do you need to do, in practice, to reach the target profile?

The 20 CSC is not a standard you can become "compliant" with, but a series of pragmatic controls that can be fulfilled to a greater or lesser degree.

We have developed a system of profiles based on the 20 Critical Controls (CIS-20). This enables your organisation to deep-dive into specific topics, or to start from the overall Security Profile and work from that foundation.

  1. Today: Identify the current state of IT security and GDPR art. 32-33 compliance in your organisation (A)

    We will walk you through the 20 critical security controls. We will share best practices with you, as well as what we see other organisations do. We will go through all dimensions of security: people, process and technology.

    We will identify your strengths and weaknesses.

  2. Future: Define the future-state aspiration for security (B)

    Together with you, we will find the future aspiration matching business expectations.

  3. Roadmap: Identify critical IT security initiatives to move the maturity from A -> B

    The next critical questions will be how, when and who. Looking into identified gaps, we will lay out the path from A to B.

    1. Which initiatives do we recommend?
    2. Which tools and competencies do you need?
    3. Who should be involved (are there critical resources?), what is the timing, and what are the costs?

  4. Management story: How do we convince management that this is important to the business?

    The majority of organisations struggle with "selling" security projects to internal sponsors. As part of the project, we will help you speak the language of the business:

    - How IT is critical to business processes

    - What is the current risk exposure (what could go wrong)?

    - What are the benefits of the suggested actions? Cost savings, less administration and greater efficiency

    - Ease of action

    - A clear description of the required resources

    - The output of the project

Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in the area of cyber risk and security services. We are awarded and acknowledged by some of the most renowned institutions within the area of cyber, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners, 1,300 of whom are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk — from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient and silo-breaking solutions, taking the whole business chain into account. This helps our clients to leverage their potential and growth even more.

Reach out

Would you like to know more? Contact our experts.

Christian Schmidt

Director