Making The Business Case for CIS Benchmarks Automation in SLED
July 23, 2024


The statistics are grim for State, Local and Education (SLED) organizations. Between 2022 and 2023, the Center for Internet Security (CIS) reports that malware attacks increased 148%, ransomware was up 51% and endpoint data breaches increased by 313% in the sector. Yes, you have data that hackers want to monetize and expose. But, more importantly, you have common vulnerabilities that are easy to exploit.

If you are looking to mature your cybersecurity program, your budget is likely your biggest barrier. But there are other issues. Like where do you even start? How do you sell it to the powers that be? And have others done it successfully? This article will give you some of those answers.

Make a business case for your cybersecurity budget.

After a decade of driving cybersecurity maturation in both public and private organizations (including the most sensitive government agencies), we’ll just cut to the chase: if you want the most bang for your buck, we recommend instituting CIS Benchmarks with automation. CIS is a nonprofit whose goal is to provide an optimized roadmap for system hardening based on best practices and known vulnerabilities. Based on the NIST framework, it is also the approach many state and local governments mandate when they mandate cybersecurity.

CIS Benchmark automation is a right-sized approach for your organization and has been proven and refined over more than a decade to answer these challenges:

  • Save money. Not only do you save money in technology and protect budgets from ransomware, but you also reduce manpower. Plus, this combination can be leveraged at nearly every budget.
  • Save time and effort. Automation can reduce a system-wide implementation of CIS Benchmarks from weeks/months to a few days.
  • Hasten application availability. Instead of waiting a month or more to harden around a new application, you can access new technologies in days, even hours.
  • Combat the talent gap. Manual implementation of CIS Benchmarks or other comprehensive approaches would require hiring a team of hard-to-find, expensive professionals. Automation does it faster, using the staff on hand. Even junior team members can drive complex cybersecurity processes with automation.
  • Protect your reputation. One hack or ransom can cost millions to bounce back from and shatter the trust citizens have in you. Often, your reputation is the biggest hidden cost of a breach.
  • Enjoy myriad other benefits. Achieve the highest levels of system security. Eliminate human error. Comply with mandates. Protect system availability and user experience. Increase consistency and operational effectiveness. Prevent drift. Maintain continuous compliance. Reduce headaches and overwhelm. And access a rapid ROI.

To make your business case, figure out your projected costs. Know your threats and statistics. Wrap the above benefits around organizational pain points, such as beating the talent gap or improving user experiences. Highlight use cases, like those below. And otherwise make them understand that a storm is headed their way and CIS Benchmarks plus automation is the way to stop it.

Two use cases showing how CIS Benchmarks and automation deliver on their promise.

One state government’s Office of Information Technology was driven to take a proactive approach to cybersecurity by using a robust framework like CIS Benchmarks. Understanding a sustained investment is necessary to maintain long-term security improvements, they made the case to increase their yearly budget from $6000 in 2012 to $5M today. They also automated CIS Benchmarks implementation and found it greatly reduced the manual workload, allowing staff to focus more on strategic tasks, rather than routine monitoring and compliance checks. Automation helps them achieve continuous compliance with best practices.

A solution like SteelCloud’s ConfigOS (currently the only automation solution recommended in the CIS CyberMarket) automatically scans your system for known vulnerabilities, then remediates them without manual intervention. Along the way, it collects data for reporting and can keep you current with the latest updates from CIS. ConfigOS has been proven over more than a decade protecting some of our nation’s most sensitive data.

In another real-world example, a community college system wanted to secure the more than 20 colleges in their network. The CIO identified CIS Benchmarks as the standard he’d like to meet. Implementing the Benchmarks manually with his small team, however, would take months and he wanted this initiative done yesterday. He explored automation options and chose SteelCloud’s ConfigOS. In the first week of testing he brought one of his test environments from 14% to 95% compliance. He didn’t need to hire additional staff to assist the implementation. Training was easy for his staff. He also liked the ease of reporting so he can quickly dispatch auditors when they come knocking.

Start moving toward tighter security today.

Whether you are a local government, state government or educational institution, citizens, staff, faculty and students are counting on you to protect personally identifiable data and confidential information. CIS recommends an IT budget that is 5% of overall revenue, with cybersecurity getting 20% of that money. That is the standard your organization should be meeting. But even if reality doesn’t even come close to that, you can still afford CIS Benchmarks and automation.

Start making your case. And consider that, in education, the average cost of a data breach is $3.65M. Government breaches have reached up to $40M. If it comes to that, your organization will pay to save personal data and regain system availability. It will have to. Protecting your system proactively is simply more cost-effective.

As you consider your costs, reach out to SteelCloud for a quote on ConfigOS, the leading CIS automation solution. Better yet, schedule a no-obligation demo. Once you see how easy this can be, the intimidation factor will be gone and you’ll have the information you need to become—and stay—CIS compliant in a matter of weeks.
