The Price of Protection: Making CIS IG1 Cyber Hygiene Achievable and Affordable

Enterprises today face a constant barrage of cyber threats. Knowing where to start with cybersecurity and how much it will cost are critical questions for any organization, regardless of size. The CIS Critical Security Controls (CIS Controls) offer a prioritized set of actions to build an effective cyber defense program, recommending that all enterprises begin with Implementation Group 1 (IG1). IG1 represents essential cyber hygiene, providing a foundational set of protections designed to guard against the most common attacks.

This guide, "The Cost of Cyber Defense: Implementation Group 1 (IG1) version 1.1," aims to provide clear answers regarding the tools needed and the estimated costs for implementing IG1. It expands upon previous research focused solely on on-premises tools by including data and conclusions for environments leveraging Cloud Service Providers (CSPs) and Managed Service Providers (MSPs). The core message is that achieving essential cyber hygiene (IG1) is both realistic and cost-effective, whether through on-premises, hybrid, or outsourced solutions.

What is Essential Cyber Hygiene (CIS IG1)?

The CIS Controls provide a prioritized set of technical and procedural activities to defend against top threats. IG1 Safeguards are considered "essential cyber hygiene" that every enterprise should apply. These Safeguards are sufficient for small and medium-sized enterprises (SMEs) that don't face sophisticated attacks, but they also form the required foundation for the more resource-intensive protections found in IG2 and IG3, needed by larger enterprises or those with highly sensitive data.

Research using the CIS Community Defense Model (CDM) v2.0 shows that IG1 alone can effectively defend against 74% of the attack techniques found in the MITRE ATT&CK framework. This demonstrates the significant protection achievable through these foundational actions.

For simplicity in this guide, the 56 IG1 Safeguards are grouped into 10 categories of activity:

  • Asset Management
  • Data Management
  • Secure Configurations
  • Account and Access Control Management
  • Vulnerability Management
  • Log Management
  • Malware Defense
  • Data Recovery
  • Security Training
  • Incident Response

Understanding Enterprise Sizes: The IG1 Tiers

To provide relevant cost estimates, the guide created three hypothetical IG1 Enterprise Profiles – Tier 1, Tier 2, and Tier 3. These tiers, based on data from sources like the U.S. SBA and Census Bureau, help simplify pricing, which often varies by factors like employee count, users, systems, or usage.

The tiers are defined by factors such as:

  • Tier 1: 1 to 10 employees, 1 IT staff member, 1-2 servers, 1-12 workstations, annual revenue up to $5M, annual IT budget up to $250K, annual cybersecurity budget up to $50K.
  • Tier 2: 10 to 100 employees, 1-2 IT staff members, 2-5 servers, 12-115 workstations, annual revenue $5M to $50M, annual IT budget $250K to $2.5M, annual cybersecurity budget $50K to $500K.
  • Tier 3: 100 to 999 employees, 2 to 10 IT staff members, 5 to 50 servers, 115 to 1,149 workstations, annual revenue $50M to $500M, annual IT budget $2.5M to $25M, annual cybersecurity budget $500K to $5M.

These tiers serve as an estimated starting point; actual budgets can vary based on factors like sector, industry, and enterprise structure. An alternative estimate is an average of $5,000 per person/per year for the cybersecurity budget. It's also important to note that IT and cybersecurity budgets can overlap, especially with multipurpose tools or outsourced services.

Implementing IG1: Policies and Tools

Implementing IG1 Safeguards requires both policies/processes and tools. The guide identifies a set of generic tool types and supporting policies mapped to the 56 Safeguards. Interestingly, implementing all IG1 Safeguards can be accomplished using a small number of resources: specifically 10 policies/processes and 16 tool types.

Enterprises should first review existing tools that might already satisfy some Safeguards. Tools can be open-source, bundled with existing products, built in-house, or purchased commercially. Tool selection also involves considering whether implementation will be manual or automated. While no-cost or open-source tools exist, they may incur costs in labor, vulnerability management, or require additional hardware/consulting. Commercially-supported tools often provide licensing, support, and easier management but involve renewal costs. The key is to focus on the activity needed to satisfy the Safeguard and then find the tool that best fits the enterprise's needs and budget.

It is crucial to factor in lifecycle costs such as labor, updates, hardware/virtual assets, training, license renewals, integration, testing, and consulting. Enterprises must budget for replacing or updating software and assets, and be prepared for unforeseeable costs like major vulnerabilities in third-party tools. Knowing the support life of software and having plans for updates are imperative.

Cost Considerations: On-Premises, CSPs, and MSPs

The guide provides cost estimates for implementing IG1 using three primary approaches: entirely on-premises, leveraging Cloud Service Providers (CSPs), or partnering with Managed Service Providers (MSPs). It also considers hybrid approaches that combine these.

1. On-Premises Tooling Costs

Based on researching over 200 vendor-specific tools, the guide presents annual cost ranges for implementing the tools associated with each of the 10 IG1 categories for each enterprise tier. These costs represent obtaining and deploying single-use, on-premises tools, ranging from no-cost to the highest quoted commercially-supported options.

Here are the total annual cost ranges for implementing IG1 using on-premises tools:

  • Tier 1: $0 (using only no-cost options) to $38,124
  • Tier 2: $0 to $176,961
  • Tier 3: $0 to $1,446,187

Comparing these costs to the maximum annual cybersecurity budgets for each tier ($50K, $500K, and $5M respectively), it is evident that IG1 can be implemented for a relatively low cost when compared to the wide coverage of attacker techniques it defends against.

2. Leveraging CSPs and MSPs

Many enterprises, especially SMEs, rely on third parties like CSPs and MSPs for IT infrastructure and security services due to challenges like insufficient funding, evolving technology, and lack of skilled staff. IG1 Safeguards can be implemented in hybrid environments, with some fulfilled internally and others by service providers. Using service providers offers significant advantages, including cost savings, scalability, flexibility, and regular platform maintenance.

  • Coverage: Research indicates that 100% of IG1 Safeguards can be accomplished by outsourcing services to an MSP. For CSPs, coverage is estimated at 80%, primarily because policy creation is typically not handled by a CSP.
  • Responsibility: While service providers lighten the load, enterprises must understand and review Service Level Agreements (SLAs) to clarify shared responsibilities, especially regarding security breaches and incident response. Policy creation and maintenance ultimately remain the enterprise's responsibility even if an MSP helps write them.
  • Limitations: Relying solely on a CSP might not fully cover all IG1 Safeguards, particularly in hybrid environments. Challenges can include comprehensive asset inventory across both cloud and on-premises systems, centralized account management in hybrid setups depending on tooling, and limited customization on some cloud platforms compared to on-premises solutions.

Calculating CSP and MSP Costs:

Calculating the cost of CSP and MSP services is more complex than for single-use on-premises tools because providers often combine tools into multipurpose offerings and pricing is highly dependent on usage (like data volume), number of users/endpoints, and the specific services scoped. These costs often fall heavily under the IT budget rather than just the cybersecurity budget, which is promising as IT budgets are generally much larger.

The guide provides example cost ranges based on publicly available data for popular CSPs and MSPs:

  • Tier 1:
    • MSP Pricing: $23,000 - $41,000 annually
    • CSP Pricing (Low Data Usage): $23,000 - $47,000 annually
    • CSP Pricing (High Data Usage): $26,000 - $255,000 annually
    • (Compared to Max Cyber Budget $50,000, Max IT Budget $250,000)
  • Tier 2:
    • MSP Pricing: $44,000 - $200,000 annually
    • CSP Pricing (Low Data Usage): $94,000 - $222,000 annually
    • CSP Pricing (High Data Usage): $255,000 - $2,000,000 annually
    • (Compared to Max Cyber Budget $500,000, Max IT Budget $2,500,000)
  • Tier 3:
    • MSP Pricing: $208,000 - $1,800,000 annually
    • CSP Pricing (Low Data Usage): $246,000 - $1,600,000 annually
    • CSP Pricing (High Data Usage): $2,000,000 - $16,000,000 annually
    • (Compared to Max Cyber Budget $5,000,000, Max IT Budget $25,000,000)

These ranges demonstrate that leveraging CSPs and MSPs for IG1 is also achievable within typical IT and cybersecurity budget allowances. Understanding roles, responsibilities, and agreements is essential to ensure all IG1 Safeguards are covered.

Conclusion: Start Now!

The findings reinforce that implementing the foundational CIS IG1 Safeguards is realistic, cost-effective, and achievable for enterprises of any size. Whether opting for on-premises tools, leveraging CSPs or MSPs, or a hybrid approach, IG1 can be implemented for less than typical IT/cybersecurity budgets and provides significant defense against common threats.

The most important thing is to start now. Use this information to make informed and prioritized decisions to implement defenses before an incident occurs. IG1 provides the necessary starting point for any enterprise looking to improve its cyber defense posture.
