SANS Cybersecurity Standards Scorecard (2021 Edition)

  • Published 4 Oct 2024

COMMENTS • 2

  • @elj3ff358
    2 years ago

    I appreciate the work involved here but question some of the assumptions and motivations of the presenter.
    James gives an "F" rating with the CIS Critical Security Controls framework for mapping Threats to Controls, saying the framework doesn't effectively do that, which for the life of me I don't understand. The ENTIRE POINT of CIS v8 was to take an Offense Informs Defense mindset to the controls, and use the Vzb DBIR and MITRE ATT&CK frameworks as inputs to better inform the resulting security controls. In fact, it's the ONLY framework that I've run across that actually provides the ability to select different threats such as Ransomware, Insider Threat, etc., that directly maps to specific controls. One could (and should) question the validity of those Threat to Controls mappings as there are issues there from my standpoint, but the failure to accurately portray this significant point results in one wondering if he actually really dug into the V8 version of the standard at all.
    So between the abject failure of acknowledging the above and the inclusion of the Collective Controls Catalog (which appears to be a derivative work developed by his employer), and giving the CCC the *best* score across all frameworks, the presenter leaves me questioning the validity of the overall research and the motivations behind it.

  • @johnfredy17
    2 years ago

    Awesome work! Very helpful for the community.