We developed the fifty-four controls based on experience in the trenches. They include expected areas such as firewall platforms and multi-factor authentication, as well as rarely mentioned CISO strategies such as working with value-added solution providers, managed security service providers (MSSPs), and managed detection and response (MDR) vendors. And, as you can see, the TAG Cyber Controls are presented in a way that allows visual inspection at a glance, which explains why many refer to the framework as the Periodic Table of Security.
The practical usefulness of the fifty-four TAG Cyber security controls has been validated since 2016 by many enterprise teams who use the framework to identify gaps and optimize the selected controls for their security portfolio. The TAG Cyber team recommends that portfolio managers and consultants who assist enterprise teams with vendor selection make full use of the structure.
Ultimately, each enterprise will have to tailor its security architecture to its unique needs. Larger organizations, for example, will rarely need unified threat management (UTM) gateways for smaller networks, and companies that have little creative video, music, or written material will rarely need content protection. In general, however, the controls provide a useful guide for enterprise teams to measure the completeness of their program.
At the most basic level, portfolio managers would be wise to map their projects, vendors, and deployments to the TAG Cyber controls to get a general sense of coverage. If, for example, a gap is identified, then this helps drive a new project to identify suitable vendors that can address the missing protection. On the other hand, if the security program matches or is a superset of the TAG Cyber controls, then this offers evidence that the portfolio managers have done a thorough job.