This entire field is extremely complex, with many variables. While we do not intend to be negative about our peers, their methodologies do have a few limitations:
- The CIS methodology is based on the CIS Critical Security Controls list. While that list is an excellent set of important controls, it has weaknesses:
  - CIS is not used by many industries, including financial services. Most financial services firms base their controls strategy on regulatory requirements rather than on CIS.
  - The list is not precise: it contains general statements rather than specific requirements. For example, USB storage devices are a major data-loss risk. Oversight of USB storage devices is a control in the list, but the control does not specify that those devices be blocked, even though controls that block removable storage (endpoint policies and device-control tooling) are widely available.
  - Some critical controls are not widely implemented: many firms do NOT segment their network, record network traffic or decrypt web traffic for inspection. However, widely implemented compensating controls that mitigate some of the same risks are not included in the list.
  - Controls used by many firms have been deprecated: many large firms use Network Access Control (NAC) to protect their network against rogue devices. In fact, NAC is 'recommended' by banking regulators. NAC is also extremely effective and was included in CIS v7.1, but it was deprecated in v8.
- Both CIS and FAIR provide a general methodology for managing risk, but neither models specific threats. Our approach is to identify a specific threat and model the controls that mitigate that threat. This threat-based approach allows us to fine-tune the model to accommodate the specific controls a firm has in place and to estimate how effective each of them is against that threat.