SANS Top 20 Critical Control - Practical Advice for Chief Information Security Officers

1 minute read Ken Kantzer on

CISOs have a tough job. They are faced with securing data across thousands of devices. They are often brought in after a bad breach and are asked to make sure “it never happens again.” Throw in ISO/IEC 27001 or PCI-DSS compliance reporting, and it can lead to an overwhelming question: when it comes to developing a roadmap for my company’s security, where is the best place to start?

Series Introduction

At PKC, we’ve been in all these situations before, and we’re big fans of starting security programs with the SANS Top 20 Controls list. Done well, these 20 controls represent a complete security program. In fact, do these 20 controls well, and you’ll be in the top 1% of companies, because the best way to protect your enterprise is to achieve perfection on the security fundamentals.

This series is our way of sharing our experiences with you. We’ll go through each of the Top 20 controls, sharing two things. One, we’ll try to get at the core of the control: what is this control really trying to achieve? This will help you articulate a clearly defined goal for your security staff and avoid unnecessary distractions and expenditures. Two, we’ll share some of the insights we’ve learned on the job implementing these controls, which will hopefully save you from making costly mistakes down the road.

The Series

1 Inventory of Authorized and Unauthorized Devices

2 Inventory of Authorized and Unauthorized Software

3 Controlled Use of Administrative Privileges

4 Continuous Vulnerability Assessment and Remediation

More to Come…

As always, we’d love to hear your thoughts or feedback on our discussion of these controls: you can contact us at or drop us a line.

Ken is a Founding Partner of PKC