Summary

The CSO Outlook article "Taking Control of IT Operations through the Critical Security Controls" by Matthew J. Harmon explains how embedding the first five of the SANS/CIS 20 Critical Security Controls into everyday IT processes can transform security from a reactive cost center into a proactive, measurable discipline.

Starting Easy

First, Harmon shows that many breaches start with unknown or low-priority systems, devices, and software that are not inventoried or patched. Controls 1 (Inventory of Authorized and Unauthorized Devices) and 2 (Inventory of Authorized and Unauthorized Software) create visibility by correlating DHCP and ARP assignments for hardware and using WMIC, RPM/APT, or SCCM to catalog installed applications. This foundational inventory maps assets to owners, enables application whitelisting, and allows organizations to detect unauthorized additions before attackers can pivot.
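The Control 1 correlation described above can be sketched as follows. This is an added example, not code from the article: it assumes leases in ISC `dhcpd.leases` format and neighbor entries in `ip neigh` format, and the sample data, the `AUTHORIZED` list, and the function and finding names are all constructed for illustration.

```python
import re

# Constructed sample data (not from the article): an ISC dhcpd.leases excerpt,
# `ip neigh` output, and an authorized-asset list mapping MAC -> owner.
DHCP_LEASES = '''
lease 10.0.0.21 {
  hardware ethernet 00:16:3e:aa:00:21;
  client-hostname "ws-finance-01";
}
lease 10.0.0.22 {
  hardware ethernet 00:16:3e:aa:00:22;
  client-hostname "ws-hr-07";
}
lease 10.0.0.23 {
  hardware ethernet 00:16:3e:bb:00:99;
}
'''
ARP_TABLE = '''
10.0.0.21 dev eth0 lladdr 00:16:3e:aa:00:21 REACHABLE
10.0.0.22 dev eth0 lladdr 00:16:3E:CC:00:01 STALE
10.0.0.23 dev eth0 lladdr 00:16:3e:bb:00:99 REACHABLE
10.0.0.50 dev eth0 lladdr 00:16:3e:dd:00:50 REACHABLE
'''
AUTHORIZED = {"00:16:3e:aa:00:21": "finance", "00:16:3e:aa:00:22": "hr",
              "00:16:3e:dd:00:50": "it-ops"}

def parse_leases(text):
    """Return {ip: mac} for every lease block that records a hardware address."""
    pat = re.compile(r"lease\s+(\S+)\s*\{[^}]*?hardware ethernet\s+([0-9a-fA-F:]{17});")
    return {ip: mac.lower() for ip, mac in pat.findall(text)}

def parse_arp(text):
    """Return {ip: mac} for every neighbor entry that has a link-layer address."""
    pat = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})", re.M)
    return {ip: mac.lower() for ip, mac in pat.findall(text)}

def correlate(leases, arp, authorized):
    """Compare what is live on the wire (ARP) with DHCP and the asset list."""
    findings = []
    for ip, mac in sorted(arp.items()):
        if mac not in authorized:
            findings.append((ip, mac, "unauthorized-device"))
        if ip not in leases:
            findings.append((ip, mac, "no-dhcp-lease"))        # static or self-assigned
        elif leases[ip] != mac:
            findings.append((ip, mac, "mac-differs-from-lease"))
    return findings

if __name__ == "__main__":
    for finding in correlate(parse_leases(DHCP_LEASES), parse_arp(ARP_TABLE), AUTHORIZED):
        print(*finding)
```

Each finding is a lead for the asset owner to resolve: an authorized host without a lease may simply be statically addressed, while an unknown MAC answering for a leased address deserves a closer look.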

Next, the article tackles Controls 3 through 5: secure configurations, continuous vulnerability assessment and remediation, and malware defenses. Harmon advocates applying vendor and CIS hardening guidelines via Group Policy Objects or configuration-management tools (Puppet, Chef), enforcing a 48-hour patch window for critical flaws through tiered testing and deployment, and layering defenses beyond antivirus, such as host firewalls, DNS filtering (e.g., OpenDNS), and threat-intelligence-driven proxies. He concludes by recommending a gap assessment against the remaining controls and a phased implementation roadmap to embed these practices into routine IT operations and gauge their impact over time.

Presentation

CSO Outlook: Taking Control of IT Operations Through the Critical Security Controls