mhill
UK Editor

Center for Internet Security, CREST launch new enterprise cybersecurity accreditation scheme

News Analysis
29 Jun 2023, 4 min read
Tags: Certifications, IT Skills

New program aims to provide organizations a way to show customers and partners their cybersecurity posture meets certain standards.


The Center for Internet Security (CIS) and international information security certification body CREST have announced a new joint cybersecurity accreditation initiative for organizations. The CIS Controls Accreditation program aims to provide companies a way to show customers and partners that their cybersecurity posture meets the best practice guidance as set forth in the CIS Critical Security Controls (CIS Controls), a set of globally recognized best practices for improving an enterprise's cybersecurity posture, the pair said. It is the first initiative pairing the CIS Controls with a program to deliver accredited consulting, they added.

Earlier this month, CREST announced a 50% discount for small businesses based in lower income countries as part of its mission to help reduce inequality in access to cyber defenses. The discount, including all associated membership and accreditation fees across all disciplines, will apply to eligible new member applicants and on renewal for current members, CREST said. In April, CREST also published a new guide to fostering financial sector cyber resilience in developing countries, outlining the need for appropriate, multi-party cyber resilience testing to ensure better cyber safety in developing nations, along with advice for governing authorities.

CIS Controls Accreditation: an organization-level cybersecurity "stamp of approval"

The CIS Controls Accreditation is an opportunity for CIS SecureSuite Members (Controls, Consulting & Services, and Product Vendor) and CREST members to demonstrate that their implementation of security best practices is guided and externally assessed in accordance with the training and validation defined by two authorities in cybersecurity, according to a press release. The program offers service providers a "stamp of approval" at the organization level, assuring their customers that they are doing business with a reputable and reliable CIS Controls assessment organization, CIS wrote. The scheme is priced at $1,500 USD for members and $2,500 USD for non-members.

The ability to digest all the data and controls from various devices and systems is essential in this massive shift to evidencing security, said Tom Brennan, executive director, CREST Americas Region. "Together, CIS Controls and CREST accreditations give our joint members an accelerated path to meet risk and compliance requirements in addition to providing a methodology for continuously monitoring their security posture. By using CREST on top of the CIS Controls, security professionals can monitor security from infrastructure that can be observed, tested, and enhanced."

The new accreditation is a significant step forward in efforts to secure enterprises and safeguard against current and emerging threats, according to Curtis Dukes, CIS executive VP and general manager, Security Best Practices.

New accreditation welcome, but has narrow technical focus

The new accreditation is a welcome one for the IT industry, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. "CIS Controls are important because they help companies reduce risk, meet compliance requirements, prioritize resources effectively, and cover multiple security domains," he tells CSO.

They also provide a systematic and structured approach to mitigating the most dangerous cyber threats, and by implementing them, companies can reduce their exposure to a wide range of common attacks and vulnerabilities, he adds. "By following these controls, organizations can enhance their security posture and better protect their critical assets and information."

However, its narrow focus on technical control assessment limits the value it will bring to organizations, James Bore, cybersecurity hygienist and consultant, tells CSO. "There are a lot of schemes like this out there, under different branding and with different levels of marketing. Looking purely at the assessment of technical controls is of limited benefit to organizations who should be looking at more comprehensive frameworks to solve what are ultimately security governance issues," he argues.

Adding certifications to an already over-crowded and inconsistent field does not help anyone, he adds. "Really what's needed is more effort to rationalize the standards and certifications we have, improve understanding of the relevant governance areas, and focus on what's genuinely effective."


Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
