Understanding the top 20 Critical Security Controls

In this podcast recorded at RSA Conference 2014, Wolfgang Kandek, CTO at Qualys, talks about the 20 Critical Security Controls, which outline a practical approach to implementing security technologies by providing proven guidelines for protecting IT environments.

The 20 Critical Controls for Effective Cyber Defense (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive attacks. They were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.

The actions defined by the Controls are demonstrably a subset of the comprehensive catalog defined by NIST SP 800-53. The Controls do not attempt to replace the National Institute of Standards and Technology's comprehensive Risk Management Framework. Instead, the Controls prioritize and focus on a smaller number of actionable, high-payoff controls, aiming for a “must do first” philosophy. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate, high-value action.

Listen to the podcast here.


Qualys has collaborated with the SANS Institute and the Council on CyberSecurity to release a new free tool to help organizations implement the Top 4 Critical Security Controls to fend off attacks.