2023 Verizon DBIR Report: Actionable CIS Controls

Verizon’s highly anticipated 2023 Data Breach Investigation Report (DBIR) was released today, unveiling a valuable addition to the report—the mapping of CIS controls to Verizon’s incident classifications. This inclusion provides organizations with an actionable and comprehensive list of controls that directly align with high-impact areas that have historically led to confirmed incidents and breaches. 

By mapping the CIS controls to Verizon’s incident classifications, organizations gain a strategic advantage in their auditing and risk assessment processes. This mapping allows businesses to prioritize their security efforts by focusing on controls that address specific incident types and potential vulnerabilities identified in the report. 

The CIS controls serve as a starting point for organizations to build out their risk assessments and implement safeguards to protect against system intrusions, social engineering attacks, basic web application attacks, miscellaneous errors, and lost and stolen assets—categories that have proven to be critical factors in previous security incidents. 

With the actionable list of CIS controls now incorporated into the DBIR, organizations can proactively assess their security posture by evaluating their controls with the incident classifications outlined by Verizon. This empowers businesses to evaluate and mitigate risks against the evolving threat landscapes, leveraging the valuable insights provided by Verizon’s extensive research and analysis. 

Here is the assembled list of CIS controls, categorized based on their incident classifications, as outlined in the 2023 DBIR: