Tips for Implementing CIS Controls for Your MSP Clients
As an MSP, you’re likely familiar with the CIS Controls. They provide a great framework for hardening systems and protecting against cyber threats. But implementing them can be a challenge, especially if you’re working with clients who aren’t tech-savvy. Here are a few tips to make the process easier.
Understand Your Client’s Business Needs
One of the most important things you need to do before implementing cybersecurity measures is understand your client’s business. You need to know what their goals are and how each change will impact their business. Only then can you make decisions that will actually help them meet their goals.
For example, if you go through the CIS Microsoft 365 Foundations Benchmark v1.3.0 you’ll notice it recommends building Conditional Access Policies (CAPs) for various reasons. You can’t blindly start implementing CAPs without first thinking through the implications of each policy.
Before implementing each change, ask yourself:
- How will this change the way end users are using Microsoft services today?
- Who do I need to communicate with to double-check this won’t create a work stoppage for any resources?
- What kind of training needs to happen before this goes live?
- How do I provide fast, efficient tech support after it goes live?
- Should I test this with a portion of the client’s end users before a mass deployment?
- What are the steps I need to go through to make sure this gets done correctly?
- Can I automate this somehow so it’s repeatable for other clients?
How Will This Change End-User Procedures?
Implementing cybersecurity changes can affect the way people use technology every day. For example, they might need to change the way they sign in to their email or computer. They might also need to learn new rules about what is safe to share online.
One of the most important aspects of cybersecurity is training. Employees need to be taught how to identify phishing attacks, how to use strong passwords, and what to do if they think they’ve been hacked.
You should also create a policy for when employees can and can’t use their own devices at work. For example, you might want to prohibit them from using their personal devices for work-related activities.
Be Prepared for Pushback
Some of your clients may be hesitant to make changes, especially if they’re not familiar with cybersecurity concepts. They may see the changes as an inconvenience or even a threat to their business. It’s important to be patient and explain the benefits of each change. Be prepared for some initial pushback, but remember that it’s worth it in the end.
Using Automated Tools
When possible, use automated tools to help with the implementation of cybersecurity changes. Automation makes tasks faster and less error-prone, and it ensures that changes are implemented in a consistent manner across all of your clients.
Understand How Your Tools Align
One of the best ways to understand how your tools align is to use the CIS Controls Maturity Model. This model can help you measure where your organization is in relation to the CIS Controls and identify areas where you need to make changes.
The model has five maturity levels:
1 — Awareness
2 — Preparation
3 — Implementation
4 — Operation
5 — Optimization
It’s important to understand where your organization falls on this scale and make changes accordingly. You can use the model as a guide to improve your cybersecurity posture.
Encountering Issues
No matter how well you plan, you’re bound to encounter some issues along the way. It’s important to be prepared for them and have a process in place for dealing with them.
One thing you can do is have a backup plan ready to go. If one change doesn’t work, you can try something else. You can also keep track of what’s working and what’s not so you can learn from your mistakes.
Be Patient and Persistent
Cybersecurity is an ongoing process that never really ends. There’s always something new to learn and new threats to deal with. It’s important to be patient and persistent in your efforts. Don’t give up if things don’t go as planned — keep trying until you find something that works.
Testing Changes
You should always test cybersecurity changes with a small subset of users first. This will help you identify any potential issues before implementing the changes more broadly. You can also use this testing period to train employees on the new changes.
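Putting the Conditional Access advice, the automation question, and the pilot-first rule together, here is an added example (not from the post or from CIS) of how an MSP might script a repeatable per-client rollout. It builds a Microsoft Graph `conditionalAccessPolicy` body that requires MFA, starts it in report-only mode, scopes it to a pilot group, and excludes an emergency-access group (a standard Conditional Access precaution the post does not mention). A gate function refuses to prepare the request if an enforced policy targets all users or has no exclusion. The group IDs and client name are constructed placeholders; the policy schema and endpoint are Graph v1.0, but no request is sent, so the block runs offline.

```python
"""Build and sanity-check a pilot Conditional Access policy for one MSP client."""
import json

# Microsoft Graph v1.0 endpoint for Conditional Access policies. The block only
# prepares the POST body; sending it is left to the admin after review.
GRAPH_CA_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Report-only state: sign-in logs show what the policy would have done,
# but nothing is enforced. This is the safe starting point for a pilot.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def build_mfa_pilot_policy(client_name, pilot_group_id, exclude_group_id, state=REPORT_ONLY):
    """Return a Graph conditionalAccessPolicy body requiring MFA for a pilot group.

    Assumptions (not from the post): each client has one pilot group and one
    exclusion group for emergency-access accounts, both given as object IDs.
    """
    return {
        "displayName": f"{client_name} - Require MFA (pilot)",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeGroups": [pilot_group_id],
                "excludeGroups": [exclude_group_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def rollout_problems(policy):
    """Return a list of reasons this policy should not go live as written.

    The gates encode the pilot-first advice: an enforced policy must be scoped
    to a group rather than every user, and an exclusion must always exist.
    """
    problems = []
    users = policy.get("conditions", {}).get("users", {})
    enforced = policy.get("state") == "enabled"
    if enforced and "All" in users.get("includeUsers", []):
        problems.append("enforced policy targets all users; pilot with a group first")
    if enforced and not users.get("includeGroups"):
        problems.append("enforced policy has no pilot group scope")
    if not users.get("excludeGroups") and not users.get("excludeUsers"):
        problems.append("no exclusion for emergency-access accounts")
    if policy.get("state") not in (REPORT_ONLY, "enabled", "disabled"):
        problems.append(f"unknown state {policy.get('state')!r}")
    return problems


def prepare_request(policy):
    """Return (url, json_body) for the POST an admin would make after the gate passes."""
    problems = rollout_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return GRAPH_CA_POLICIES_URL, json.dumps(policy)


if __name__ == "__main__":
    # Constructed placeholder IDs; real values come from the client's tenant.
    pilot = build_mfa_pilot_policy(
        "Example Client",
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002",
    )
    url, body = prepare_request(pilot)
    print(url)
    print(json.dumps(json.loads(body), indent=2))
```

The same function is called once per client with that client's group IDs, which answers the "can I automate this so it's repeatable" question; promoting the policy from report-only to `enabled` is a deliberate second step after the sign-in logs from the pilot group have been reviewed.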
Make Sure Changes are Properly Implemented
Once you’ve made changes, it’s important to follow up and ensure they’re being properly implemented. This means tracking how the changes are affecting end users and troubleshooting any issues that come up.
It’s also important to keep in mind that cybersecurity is an ongoing process. You can’t just implement a few changes and call it a day. Security is something that needs to be constantly revisited and updated.
Stick With It
CIS Controls provide a great way for organizations to improve their security posture, but the implementation process can be challenging. Be prepared for some initial pushback from clients and make sure you understand how your tools align with CIS controls and benchmarks. Follow up to ensure they’re properly implemented — security is an ongoing process that’s never “done.”
What tools are you using today for clients and how do they align with CIS?
If you’re looking for more resources on CIS Controls, watch the interview I had with Liam Downward where we discussed implementing CIS Controls v8 for clients.