List of 20 controls offers good information security protection bang for the buck

As a federal government watcher, I get exposed to some happenings in Washington that few outsiders know about. One such initiative is the Consensus Audit Guidelines (CAG). Simply stated, CAG applies the old 80%/20% rule to cybersecurity best practices by focusing on 20 high-priority security controls. These controls are specifically designed as countermeasures for the most likely types of real-world attacks.

There are two primary knocks against CAG. First, many people believe that it is completely redundant with other security requirements and IT frameworks like ITIL and COBIT. Second, CAG is viewed as incomplete. The thought here is that stealthy or innovative security attacks could circumvent the 20 controls.

In my opinion, each of these criticisms is accurate. That said, I think these points are non-issues. Yes, CAG is redundant with other security and IT efforts, but most large organizations already face this redundancy as they are forced to comply with HIPAA, SOX, PCI DSS, FISMA, etc. Sure, CAG has gaps — no one ever claimed it was exhaustive.

CAG ain’t perfect but it does have several key strengths:

1. CAG has focus. I see organizations get overwhelmed by the scope of information security policies and controls all the time. CAG takes away this “boil the ocean” mentality and concentrates on the highest risks. This makes it easier to implement — and afford — than other security models.

2. CAG is based upon real-time data analysis. As the old saying goes, “you can’t manage what you can’t measure.” CAG takes this expression to heart, as the 20 controls are anchored by data collection, measurement, and validation — in real time.

In the future, it is likely that the list of 20 CAG controls will grow to accommodate new threats, thus keeping CAG up to date.
CAG may not be as comprehensive as other security models and it is certainly no panacea, but given its focus, it is a great way for overwhelmed CISOs to rationalize their security efforts and concentrate on high-priority risks.