

Using Unified VRM to Implement SANS 20 Critical Security Controls

The SANS 20 Critical Security Controls, coordinated through the SANS Institute, are prioritized mitigation steps to improve cybersecurity. Many companies with mature security programs are aware of the controls and have adopted them with the objectives of increasing visibility of attacks, improving response preparedness and reducing information security risk.

Implementing the Critical Security Controls delivers immediate benefits as well as long-term benefits as processes become formalized into your organization’s IT approach. However, as cited in the SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action, many organizations struggle to enable controls despite the significant benefits.

Perceived and real barriers to adoption

Many of the critical security controls cross organizational boundaries. For security improvements to be made, security and IT operations must work together in a coordinated fashion. Adopting the controls also calls for technical knowledge that sometimes requires additional training of staff. Somewhat surprisingly, the third most frequent barrier to adoption is “the inability to prioritize which of the Controls to implement first.”

Where to begin the implementation

It is not necessary to approach all controls at the same time, and it can be effective to prioritize and address the areas that pose the greatest risk for your specific organization. There are also some logical interdependencies to take into consideration. NopSec security engineers generally recommend focusing efforts on near-term implementations of the highest-priority Controls and on upgrading existing implementations of some of the lower-level Controls. Regardless of where you start, vulnerability management is a commitment to decreasing the risk of a security breach and ensuring compliance with your company security policies.

Mapping Critical Security Controls to Unified VRM

We have worked with a number of customers to help address the critical security controls using NopSec’s software-as-a-service, Unified VRM. Many actions can be automated through vulnerability risk management, which will result in compliance at dramatically reduced costs. You can learn more about NopSec’s approach to helping achieve the 20 Critical Security Controls in “Whitepaper: SANS 20 Critical Security Controls”. The information in this whitepaper is intended for a technical reader and should help you understand each control and how features in Unified VRM map to the respective control.
