Every 10 years, something comes along in the world of IT that is so big, so important, that shrewd people build wildly successful careers on just that one event. Past examples have included ERP system implementation, "Y2K", and cloud computing. The brass ring is coming around again and this time it's called "cyber security".

Security is dominating the conversation

This year we have been awash in headlines about major security breaches, hot new products, and the emerging threat to our way of life from cyber warfare, both public and private. There is a great sense of urgency worldwide to "get serious" about cybersecurity. In an article by Dan Lohrmann ("you ain't seen nothing yet"), we see many reasons why concerns about information security have become front-and-center. I am a great proponent of following the money trail when determining if something is for real or just a fad. As outlined by Steve Morgan of CSO, global spending on cybersecurity will top $1 trillion for the five-year period of 2017-2022. For IT leaders this news on investment is huge. It means the resources will be available for major new projects that we need to launch, covering everything from hardware and software to the next generations of adaptive technology. It also means we will be able to invest in top talent and be able to afford the training they will need to become fully adept.

The news is not all rosy, as could be expected. While the resources and impetus will be there for major security initiatives, there is a very significant knowledge gap that exists not only in the general business community, but among those of us who will be tasked with leading the charge. In other words, many CIOs and senior IT leaders are almost clueless about where to focus and how to start building next-gen security functions. Many third-party and consulting firms are stepping up to help, but for each of us to be successful personally we must demonstrate our own individual competence.

So what can we do to go from our current dearth of knowledge to become fully capable? The answer is already available and surprisingly easy to access.

Cyber security is an open book test

The Council on Cyber Security (CSS) began a project in 2008 to generate a set of controls that would tell leaders exactly where to focus on cybersecurity. CSS created a publication that outlined 20 security controls, the latest version (v6.1) released last August. If leaders implement all of these controls, their total security risk drops by about 94 percent.

For many, the introduction of 20 controls across an enterprise can be daunting and politically risky. Taking this problem into account, CSS further distilled these controls into a "top five" list. Putting just these controls into effect still leads to an 85 percent reduction in raw cyber security vulnerabilities.

Becoming familiar and proficient with these controls can literally transform an average IT leader into one that projects knowledge and competence in cybersecurity.

To verify this claim, ask the question of how many people, yourself included, can name the five categories in the CIS Top Five list. Although not a scientifically proven conclusion, many security industry experts believe that less than one in 20,000 corporate workers in the United States who are asked this question can give a correct or complete answer. Most IT leaders are assured of knowing some of the elements, but almost none can go through the controls list from one through five and spell out what they mean and how to implement them.

Having the skill to stand and deliver this information will demonstrate a level of knowledge and insight that few IT leaders possess today.

If you are an overachiever and want to know all 20 controls, here is a very nicely constructed poster created by the SANS Institute. For the rest, here is a quick primer on the top five CIS controls.

1. Inventory of authorized and unauthorized devices - since you cannot control an undefined architecture, it is important to conduct an audit, both cyber and physical, of all the hardware of any type that is attached to your network. By understanding what is connected to your infrastructure you can more easily ensure that only the devices you approve are allowed to attach to your resources. Leaders who conduct this inventory for the first time are amazed to see the types of hardware and devices that have been plugged into their network.

2. Inventory of authorized and unauthorized software - the CIS controls exist to push organizations toward standards. Without common standards in place, employees will predictably install all sorts of unapproved software into a company's environment. Often, this software is introduced with benign intentions, but it leads to the compromise of application security with each unapproved addition. Even having mismatched versions of the same approved software is often enough to create security vulnerabilities.

3. Secure configurations of hardware and software on mobile devices, laptops, workstations and servers - in the world of security, creating common standards for work tools is a great step. Rather than allowing a patchwork quilt of hardware to exist within your environment, all machines must be of the same type and have the exact same configuration. Software applications in use must all be updated and patched to the same release version. One of the most common methods of exploitation used by hackers is to find gaps in security coverage created when different (and sometimes custom) versions of the same products co-exist within an IT ecosystem. For the same reason the army issues uniforms to its soldiers, uniformity is the key to strong cybersecurity.

4. Continuous vulnerability assessment and remediation - a strong security practice is driven by continuous, dynamic probing of an IT environment. Too many times organizations design and implement cyber defenses only to check back on them periodically. Cyberwarfare is an ongoing, evolving struggle where the attacks mutate in real time. Make your review of vulnerabilities a continual effort and immediately close gaps and holes as they are found.

5. Controlled use of administrative privileges - employees who are granted administrative privileges to corporate systems truly have unlimited access. Because admins can literally do anything within the IT architecture, careful control must be exercised over these individuals. This control lists all the areas that must be measured and monitored to ensure that admins act only in ways beneficial to the organization.

When it comes to excellence in cybersecurity, most professionals study for years to gain their proficiency. The problem we have in this day and age is that there are just so few of these people around that security must be part of all our jobs.

By truly knowing just the first five key CIS controls, you will have enough knowledge of cybersecurity practices to develop a strong competency. Given that so few people, both inside IT and out, are aware of what the CIS components are and how they work, you will be able to speak confidently and professionally about good security controls. Learn these five (all 20 if you're up to it) and the next time the topic of cybersecurity comes up, you will truly be the smartest person in the room.