
CIS Controls to Prepare Clients for Cyber Insurance | EP 56

Connor Swalm: Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Connor Swalm: Hey everyone. Welcome back to another episode of Gone Phishing. I'm joined once again by Matthew Fisch, founder of Fort Mesa. Matt, how are you doing today?

Matthew Fisch: I'm doing okay. I had a coffee refill. I've been out for days in the office.

Connor Swalm: You must be lucky. I can't drink coffee past like eleven. I drink so much coffee in the morning, but if I drink it past eleven, I just won't go to bed. No, I switch to tea in the afternoon. But even that, I won't drink iced tea in the afternoon because the amount of iced tea I would drink would be commensurate with a few cups of coffee worth of caffeine. Specifically, the tea I drink. So today we're going to talk about CIS controls, using them to prepare your clients for cyber insurance. Question I have right off the bat: where's the overlap between CIS controls and cyber insurance? And is that even a right statement to make?

Matthew Fisch: Overlap? Might be. So here's how I think of it. CIS is a best practice target of what a bunch of really smart cybersecurity experts put together through an international effort involving governments, large, small organizations, professionals all over the planet. And it's constantly being updated, it's technically specific, and it's really geared towards the types of things MSPs are good at. Cyber insurance, on the other hand, is whatever random question set that some actuarial underwriter thinks is going to save money this year based on losses. Looking back over the last three years, even though the reality is we're now in a new threat space going forward, so they're always three years behind, and attackers are always way out ahead of the applications. But that said, the applications draw from those core competencies in cybersecurity, and CIS is that gold standard. And if you aim for a security standard baseline, you're going to do well on just about any cyber insurance application.

Connor Swalm: Question on CIS controls: how would you explain the difference between implementation groups one, two, and three?

Matthew Fisch: You can have a custom explanation for each business in the world, but I'll try to simplify. So the Center for Internet Security has almost 200 controls. This compares to, for example, NIST standards or ISO standards that have two or three times as many as that, or even more, so it's a little bit simpler than other standards, but it is almost 200 questions. So when you look at, well, what's appropriate for a small business versus a large business, you come up with, well, you know what? It's actually appropriate to be at different levels. CIS has these precooked baselines. They call them implementation groups. Implementation group one, sometimes referred to as IG one, is for small businesses. They probably use off-the-shelf software. They probably don't have any servers. They don't have any IT staff, they don't have any strong government regulations impacting them, and no failure would impact human safety. Up at implementation group two, we have organizations that perhaps have dedicated IT staff to operate their systems. Now, that may be via a contract with a managed service provider, but there's people keeping things humming. There may be servers, there may be custom business applications that were built for them. And if they're very small, they may be regulated. And then we have implementation group three. And that's all of the controls in the Center for Internet Security's control list. And that's for organizations that have strong government regulations impacting them, so the heavily regulated industries, or where some security failure could actually impact human safety. And so that's things like aerospace, that's things like healthcare. But it can also be things like energy. If your energy grid fails, that can impact people's safety. So that's the way you navigate those implementation groups.

Connor Swalm: That actually makes a ton of sense. And the way I've understood it before after chatting with a few folks on CIS, is implementation group one is like you want to put your best foot forward. Implementation group two is you know what you're doing and you're trying to better and implement. If I could say those words, implementation group three is you are aiming at the pinnacle of security. You're aware of all of your risks and you're actively trying to mitigate threats that you may be unaware exist.

Matthew Fisch: I think there's some truth to that. Specifically around service providers when you think in the beginning of their security journey, they're probably only providing adequate security for small organizations that don't have custom servers, etc. So a service provider security journey is going to follow that same client maturity arc, right? But just because a hospital decided on a random Monday, oh, we should actually have security. We were faking it for the last ten years. Does not mean that they should only be targeting IG one, there's actually, like, laws that say that they need to be up at IG three.

Connor Swalm: I really like that. It's almost like your investment in cybersecurity should be incredibly commensurate with the penalty for failure. So if your systems go down as a hospital, people actually die. If your power grid goes down, people have the potential to get hurt, if not, let alone die. Whereas if you're, I'll use another example, a coffee shop. If your POS systems go down, what do you do? You operate on cash for that day, probably. So it's like the penalty is not people die. The penalty, well, if I don't get my coffee in the morning, I die.

Matthew Fisch: There's one other great thing about CIS that's maybe undersold by the greater community, which is, unlike every other security standard I'm aware of, there's a prescripted order of implementation that actually narrates the journey, and that's why they're in domain groups one through 18. And yes, you could also follow up the IGs if you want to make an even more comprehensive plan around it. There's basic foundational stuff you need. Stacked on top of that is intermediate interventions. Stacked on top of that is advanced interventions. And if you start at CIS one and you move through CIS 18, you will pretty much be spending your way through a return on investment curve. So the farther up you go that curve, the less return on investment. That doesn't mean that you don't need those things, right. Think of it as like, the amount of risk you're taking off the table for the amount of money you're spending. And CIS is great there, and I'm not aware of other standards that have that inbuilt guidance. And this is the reason why the insurance industry used to be running on ISO 27K, which had hundreds of controls and no guidance at all on how much security you needed. "Figure it out yourself" was the guidance, right, and why the insurers are looking at things that are more prescriptive and they're basing their underwriting criteria on those maturity milestones that you meet as you implement CIS controls.

Connor Swalm: I had a buddy, Wes Spencer, when he was working with FifthWall Cyber Insurance, on the podcast, and he said, I don't know what's going to change. But I do know that cyber insurance companies having 108% loss ratios on the policies they wrote in 2019 was never going to happen again. It might have been '21. They pulled things in and it was really tight for the last few years, and they've been opening capacity up again. And I would like to say they have it figured out. But the reality is, the attackers, the threat actors out there, they're not necessarily playing along with the carrier or underwriter plans. Yeah, maybe they won't be that greedy again, like the greed/fear index, but it is hard to keep those loss ratios down. Can you imagine a hacker or a malicious actor saying, hey, guys, this would have worked, but there's no control in the cyber insurance policy recommending this. So we can't do it. We got to attack something that they're defending?

Matthew Fisch: Do we cover, like, a few domain areas that are really critical on pretty much all the security policies?

Connor Swalm: Yeah, let's do it. What are some of the domain areas?

Matthew Fisch: Just real fast, I'll rattle through them, and I'm going to point out the things that are maybe not so obvious to most service providers, because I think people know some of the obvious things, like, you should have some kind of anti-malware solution, or you should be patching. I would hope that you guys are all doing that, and I know that pretty much everyone knows that you need to have multifactor authentication these days. And the standard, by the way, right now is you need to have multifactor authentication anytime an administrative act is completed. Any kind of admin action, or you're accessing systems that are outside your building. Remote access. So in those two cases, you always need MFA, and "your client doesn't want it" isn't an excuse. If I had a nickel for every time an MSP said, I can't enable MFA because the client's not involved, I don't think either of us would be running companies. We'd be sipping margaritas somewhere on a beach. So I do want to talk about the anti-malware real quick. I know that there's a lot of confusion here, antivirus versus EDR versus XDR versus whatever. At its core, what the insurers are trying to get you as a provider to do is detect when an attacker does get in. Detect when they do get in and do something about it. But it's not as simple as installing an EDR or MDR agent or whatever DR agent that costs more than the other DR agent you used to have. There's actually a responsibility here to have some processes and procedures in place around when an incident is detected, when a service provider takes XYZ actions. And have a plan written down that says, we will contact the customer under these criteria, and the criteria is written down. There may be an external contact list, there may be a need to bootstrap some kind of incident forensics. There may be a need to just document: not really a problem, we don't think there's any impact, document that, set it to rest. There may be a need to do after action.
So there's a lot of governance needs there that I think people miss out on. They install the whatever DR agent and they think, oh, we're good. And actually what the cyber insurer application said is, do you have an incident response plan and do you have a process in place? And you do incident lifecycle, and they do go into a little bit of detail there. And let me tell you, in the case of a claim, if you haven't written down that plan and you haven't followed it, and you haven't logged all the times you followed it, you could end up in a bad chair during that claim: the claim will get denied and the service provider will end up in arbitration. Yeah, arbitration, the one place none of us want to be.

Matthew Fisch: Yeah. That's the MDR requirement or the incident response requirement. Vulnerability management these days is on a lot of these questionnaires, and this again is not "I've installed a thing that looks for vulnerabilities" or "I've installed a thing that patches." The actual standard is, have you and the client set a risk acceptance threshold, and are you using prioritization methods to make sure that you're remediating vulnerabilities to whatever that standard is that you've set with the client. So not only are you finding these things, but are you finding them and are you fixing them within a set amount of time based on risk acceptance criteria where there's some actual prioritization in place. And that's sophisticated language that I'm using. But at the core of what I just said is the MSP has to do something that's human and act, they have to perform a service, and you can get paid for that service and your clients will be happy to pay you to keep the attackers out. And there's a huge revenue opportunity there for not just installing the agent, but actually doing the thing to a set risk acceptance threshold. Awareness training: I think pretty much everyone knows you're supposed to be doing this, but if you're not doing awareness training, or you can't be shown that there's evidence that you've been doing awareness training in the end client, you will get a claim denial. And awareness training goes a little bit further past "we did a phishing simulation once." You do need to train people on their responsibilities for taking care of their credentials, patching their own local machines, you need to train administrators on best practices. You might need to train people for their job roles, or you may need to train them for whatever their industry impact is, like, oh, this is how you treat healthcare data. This is how you treat criminal justice data.
And all of those things need to happen across the end client and in the service provider to satisfy those insurer requirements. And I think those are the big ones. Clearly, a provider is also going to want to know that you've got some kind of data recovery plans in place, like taking backups. You stock that stuff away someplace, you protected it. They're not going to come rescue you if you say, oh, we didn't back up our data, and there was $10 million in losses; they're going to be like, well, man, you didn't back up the data. You could have run every night. No, those are like the core pillars that I'm seeing right now. And then each insurer is going to have levels of depth that point back to CIS controls. There's some other things in there, log management, access control, but I covered the core bits.

Connor Swalm: Somebody I had on the podcast previously, I believe it was a guy by the name of Brian Mahone, who does this and writes cyber insurance policies. He made a statement along the lines of, five years ago, they'd measure your heartbeat and say, congratulations, here's your policy. And now here's a 37-page questionnaire on not only what tools are you using, but how are you using them, how often? What do you do if they don't work? It's like everything you've described now, it's actually getting into the weeds of real security is not just saying you use a tool. Real security is using it properly for your business use case.

Matthew Fisch: And you're not joking about the 37 pages. I saw one the other day that was about that length, but as I was working through it, I realized this should actually be 100 pages. They packed it down so dense just to keep the page count down, just...

Connor Swalm: So you wouldn't be deleted. Toss it in the bin or something. What advice would you give an MSP or a business who's trying to understand the world of cyber insurance as it exists today? Where do you think they should go to begin learning about this?

Matthew Fisch: The reality is, if you're following the guidance that's appropriate for a business of that maturity level, that size in that industry set out by the standards organizations like CIS, you are going to meet the insurance requirements, no problem. So follow the guiding light. You will have no problem getting through those insurance processes. If you've got questions about specific standards, different regions in the world, different industries, certainly reach out to someone that can help you with that. That's one of the things we do at Fort Mesa. We're a governance risk compliance platform and we also help people with vulnerability management. So we're cheerleaders for the service provider, really helping them learn how to right-size the different security offerings for these different industries based on these outside standards.

Connor Swalm: For those of you who have been listening today, if you're interested in learning more about the CIS controls as well, you can go to I don't know why they just didn't put an extra s in there. That stands for the Center for Internet Security. And you can download all of, like Matthew said, the 18 domains here, which is, I guess, fancy speak for areas that you should be concerned with for cybersecurity. And it's reading through them. It's explained in plain enough English that you know what you're reading. You might not know what you need to do about it, but you'll know what's going on. Highly recommend starting there. As if you wanted to learn about the CIS controls as well.

Matthew Fisch: Yeah, and it's only four pages, a four-page version, not 37, condensed to 100. So don't go through the cyber. They've got the long version too.

Connor Swalm: Well, they don't need to go through that. Maybe we do. Awesome. Well, Matt, it was a blast having you on again. I'd love to have you on at some point in the future. We haven't chatted about government contracts and the dreaded four-letter word CMMC, so maybe we can do that next time.

Matthew Fisch: Yeah, that's good.

Connor Swalm: Once again, thanks for joining me, Matt. It was a pleasure having you. I'm Connor, host of the Gone Phishing podcast, and I hope you all have a great rest of your day.

Connor Swalm: Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out at Phin Security at Or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.