Description

In this episode of Practical Cybersecurity, host Jen Stone talks with Curt Dukes, EVP and GM of Security Best Practices at the Center for Internet Security (CIS). Drawing on his 30-year career at the NSA, Dukes breaks down how small and medium businesses (SMBs) can implement "good enough" security without unlimited resources. The conversation focuses on Implementation Group 1 (IG1)—a prioritized set of safeguards that provide essential "cyber hygiene". Dukes introduces free resources like the CSAT (Controls Self-Assessment Tool) and CIS Workbench to help leaders move past the intimidation of technical jargon and establish a "standard of reasonableness" for their organization's defense.

CIS Resources

• 
  CIS (Center for Internet Security): The nonprofit organization that creates the global standards discussed in this episode.
• NSA (National Security Agency): The U.S. intelligence agency where Curt Dukes led defensive security efforts for 30+ years.
• IG1 (Implementation Group 1): The essential "Cyber Hygiene" tier of the CIS Controls designed for small businesses.
• CSAT (Controls Self-Assessment Tool): A free web-based application to track and measure your security progress.
• CIS Workbench: A collaborative platform to ask technical questions and get help from the security community.
• CIS RAM (Risk Assessment Method): A free methodology to identify security gaps and prioritize investments based on risk.
• CIS Benchmarks: Free, consensus-based configuration recommendations for OS and network devices.
• MS-ISAC (Multi-State Information Sharing and Analysis Center): The division of CIS providing threat intelligence for state and local governments.
• EI-ISAC (Elections Infrastructure ISAC): A dedicated team at CIS focused on securing election-related systems.
• The Community Defense Model (CDM): A data-driven report proving the effectiveness of the Controls against top cyber attacks.
• The Cost of Cyber Defense: A breakdown of the financial investment needed for various security models.

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place 

But if you just want to learn how to protect yourself for free, start here:  https://academy.securitymetrics.com/