SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action

by John Pescatore
Sept. 1, 2017, SANS Institute

Over the years, many security standards and requirements frameworks have been developed in attempts to address risks to enterprise systems and the critical data in them. However, most of these efforts have essentially become exercises in reporting on compliance and have actually diverted security program resources from the constantly evolving attacks that must be addressed. In 2008, the U.S. National Security Agency (NSA) recognized the diversion of resources as a serious problem, and the agency began an effort that took an “offense must inform defense” approach to prioritizing a list of the controls that would have the greatest impact in improving risk posture against real-world threats.[1] A consortium of U.S. and international agencies quickly grew, and ultimately, recommendations for what were to become the Critical Security Controls (CSCs) were coordinated through the SANS Institute.[2]