Nettitude Blog

Data Safety: What Are The Critical Security Controls, And Why Do You Need Them?

Posted by Stuart Wright on Feb 2, 2016 11:10:02 AM

Cost of Cyber-Attacks

Cyber-attacks cost UK businesses an estimated £34 billion a year, and that figure is only likely to rise. Small to medium sized businesses that suffer a severe breach can expect it to cost them at least £75,000, whilst large businesses should be braced for costs of between £1.5m and £3m.

Why do we struggle?

With so much at stake it comes as little surprise that many businesses are struggling to protect themselves adequately against the rising number of attacks.

Why is this?

One contributing factor, often encountered, is a lack of focus. With finite resources and budget available to spend on cyber security, it can be difficult to know where that spending will be most beneficial.

Tony Sager, who leads development of the Critical Security Controls (CSC) and is an evangelist for their adoption, describes this problem as the “Fog of More”.

  • There’s simply too much – too many different vendors with more solutions than we could ever evaluate.
  • We have so much best practice advice that it’s difficult to know where to turn.
  • And of course there’s compliance, and the tasks we need to complete to satisfy our auditors and regulators.

Is it really any wonder that with the abundance of choices we have, so many businesses simply react to problems and threats as they emerge? The end result is that despite the best efforts (and budget) dedicated to solving this problem, we’re often left no more secure than before we started.

How can Critical Security controls help?

This is where the 20 Critical Security Controls (CSC 20) can prove an invaluable tool. The CSC 20 is a prioritised checklist of technical controls that your company can implement, designed to prevent the attacks you are most likely to experience. The CSC 20 doesn't say you have to buy this vendor’s antivirus solution or that vendor’s intrusion detection; it is intended to help you understand which tasks should be completed first.

CSC in a nutshell

  • Derived from common real-world attacks and known effective defences
  • Version 6 released October 2015
  • 20 high-level control areas
  • 149 sub-controls
  • Prevent what you can
  • Detect what you cannot

Why assess against Critical Security Controls?

The CSC 20 doesn't just help you prioritise; it also helps you measure and improve. By assessing your company against the CSC you can calculate a score.

Use that score as your baseline, your ground zero; and then improve it, gradually, and continually.

Once you have that baseline score, most businesses can quickly identify several critical controls that would require minimal effort to put in place.

Every time you implement one of the critical controls your score will improve, and you will have taken another step towards better security. And if you’re considering investing in a new technology, you can easily assess whether it will improve or worsen your CSC 20 score.

How do I comply with CSC?

In short, you don’t; compliance is not the point of the CSC. Although the critical controls map well to many different security frameworks, there is no audit that you can pass or fail. In reality very few companies (if any) will ever achieve 100% of the critical controls, but this isn’t a problem.

That’s not to say that adopting the CSC 20 won’t help with compliance and audits. On the contrary: in doing so you’re taking advice and guidance from experts in the field of information security.

But most importantly, you will be able to significantly improve your business’s data safety.

Adopting the controls means aligning with the combined best practices and recommended defences of industry, government, and academia. Contributors to the CSC include the US Department of Defense (DoD), the US Department of Homeland Security (DHS), the UK Centre for the Protection of National Infrastructure (CPNI), and the UK Communications-Electronics Security Group (CESG).

Not only is adopting CSC far better (and easier) than trying to work it all out yourself, it proves you’re doing the right thing in the eyes of countless cyber security industry experts.

Does it work?
Examples provided by the Center for Internet Security include the US Department of State, which achieved an 88% reduction in vulnerability-based risks after implementing the critical controls.

In the UK, the Centre for the Protection of National Infrastructure (CPNI), a government agency tasked with securing national infrastructure, has adopted and endorsed the CSC 20.

Adopting the critical security controls won’t make you more secure overnight. What it will do is help you to understand how prepared your business is to defend itself against common cyber-attacks. The prioritisation and guidance provided will help to lift the fog that Tony Sager talks about, and ensure you focus on what’s important.


About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

In 2018, Nettitude became part of Lloyd’s Register, an 8,000 person strong professional services organisation, with 300 years of heritage in safety and risk management. Nettitude now provides true global coverage, through a network of over 180 offices strategically placed around the globe.
