CIS Top 20 security controls with Tony Sager

Get insight into the CIS Top 20 Security Controls straight from the source, Center for Internet Security® Senior Vice President and Chief Evangelist Tony Sager.


Chris Sienko: Hello and welcome to today's episode of the CyberSpeak with Infosec Institute podcast. This is an audio rebroadcast of a recent webinar we hosted entitled, 20 Security Controls for a More Secure Infrastructure. We'll be discussing the Center for Internet Security's 20 proven, globally recognized best practices for securing your IT systems and data against the most pervasive attacks. Our very special guest is intimately involved with this list. He is Tony Sager, CIS's Senior Vice President and Chief Evangelist, and he will be talking to us about the CIS controls list. Topics on the agenda today include the original purposes of the CIS controls, how to prioritize implementation of the controls, and how to make the CIS controls a foundational part of your security program and improve your enterprise defenses, operations, compliance and security awareness.

Just as a reminder, if you'd like to also watch the webinar as it unfolds, including presentation slides, you can find this podcast on our YouTube page by searching InfoSec Institute, and visiting our channel. Without further ado, here along with moderator Camille DuPuis, is CIS's Tony Sager.

Camille DuPuis: We are fortunate today to have Tony Sager, and he is the Senior Vice President, and Chief Evangelist for the Center for Internet Security. There, he leads the development of the CIS controls. Tony also serves as the Director of the SANS Innovation Center, which is a subsidiary of the SANS Institute. Tony retired from the National Security Agency in June of 2012, after 34 years as an information assurance professional, where he founded and led the Systems and Network Attacks Center, oversaw all red and blue team projects, established and led security product evaluation teams, served as the founding chief of the Vulnerability Analysis and Operations Group, and was the Chief Operating Officer for the Information Assurance Directorate. Tony also led the release of the NSA Security Guidance to the public, starting in 2001, and greatly expanded the NSA's role in the development of the open standards for security.

Tony holds a BA in Mathematics from Western Maryland College, and an MS in Computer Science from the Johns Hopkins University. Tony is also a civilian graduate of the US Army Signal Officer basic course, and the National Security Leadership course. So with that, I'm just really excited to have Tony with us today, an amazing person with a lot of experience in the industry, and we're so happy that you could join us for a presentation today, Tony. With that, I'll go ahead and pass it over to you.

Tony Sager: So I wanted to offer a little perspective on the history of cybersecurity. And for me, this has been 40 plus years. And I've had the opportunity to watch the evolution of this business from something that was really a national defense problem. We pay taxes, we raise an army and we go fight the enemy over there, to something that is really pervasive across our entire economy. And so everyone is a participant whether they choose to be or not, whether they know they are or not. And that sort of world of the '60s, '70s, and '80s, it was a complicated time then, for sure, but looking back at it, it seems relatively simple, right? The government dealt with the problem. You might think of it as conceptually, we had one enemy, not a large number of unknown enemies. And there was really no marketplace like we know it today. No information about attacks, no choices in terms of who will defend me and where do I get the right kind of products and so forth.

And so watching that shift over the decades from, I call it a government monopoly to worry about security, where we had really very few choices, and so things were kind of dealt with for us, to the world of today, which is just inherently noisy, full of all kinds of things, marketing claims and competing opinions from consultants and so forth. And the way I characterize the challenge today, I coined this term, the fog of more. More choices, more options. It's really a pun on a book that was well known in the Defense Department back a few years back, Lifting the Fog of War, and was a serious examination of the challenges of high risk decision making, i.e., in that case, war-fighting, in the face of what we spoke of then as the emerging information age, and this sort of notion of the government owning everything, to commercial sources, to CNN on 24 hours a day, to how do I pull together all this information, much of which comes from sources that I'm really not too sure about, what confidence I should have in them. And the information is uncertain. It's often very temporary in nature, and is often conflicting. So how do I pull all that together?

So the way I think about the problem today is, it's not the lack of good choices, good training, good security tools, good certifications and so forth. It's really that we're overwhelmed by it. That paralyzes the defense. And what you see in front of you is the way to think about that problem, the way I've conveyed it to large audiences, to think about, which is this overwhelming soup and fog of buzzwords and phrases and marketing. And, how do I sort through this? How do I decide what is the most important problem to be solved? What are my options? What are my most effective first steps? And how do I really go about the business of starting to design and put in place an effective cyber defense?

And so, if I could sort of capture a lifetime worth of cybersecurity lessons, this is 40 years plus in one slide, so take it for what that's worth to you. But I've spent a lifetime studying the business of vulnerability, 35 years of it at the National Security Agency, in security testing for defense. And if I could roughly characterize my life there, the first third was about the craft of finding problems, either in the mathematics of the designs, in the software, in the use of technology in support of primarily military operations.

So if I had one interesting advantage in my career, it was in the second third, when I moved into management and got to see this happen at very large scale, right? How do we test ourselves? What do we find? What are the kinds of problems we have to deal with? And whether we find them in physical space, or signal space, or in the software, or in the design and the hardware, how do I pull all that together and try to make sense of it? What are the root causes, and what are the things that would really make a difference in terms of defense? The last third of my career was really thinking about how do we get these problems fixed? And why are we seeing the same problems over and over and over again?

So these are my lifetime lessons, real quickly. A key lesson was, knowing about vulnerabilities does not get them fixed, in and of itself. That is, there's a whole marketplace around this. Penetration testing, red teaming, finding of zero days. And there's a sort of a naive belief behind the scenes here that says, "If we just point out problems to people, they'll suddenly be educated and inspired and they will go and fix them." And that has never happened at any scale across my entire career, because the business of fixing problems is more than a technology issue, and more than a knowledge issue. It is a complicated problem of behavior management, of incentives, of the environment that you're working in, economics. And so, you have to think of the finding of vulnerabilities as just part of a cycle of improvement. And if you haven't designed the rest of the cycle, then frankly, pointing out problems just irritates people, and you will find the same problems next time around. And I've seen that borne out over decades.

The second big lesson is about the bad guys. If we treat the bad guys as magicians, and I think a lot of our business has been about this wizardry and magic of really clever people. And don't let me kid you, bad guys are good at what they do, right? They're highly incentivized, but they don't do magic. They have a budget, they have a boss, they don't like to get caught, right? They have to practice tradecraft. They have to develop tools, they have to test them, they have to deploy them. They are professionals. This is how a lot of bad guys make their living, either for nations, or for criminal enterprises. And the key is, if you treat the bad guy as magic, your only defense is your own magicians. You have to hire wizards, and you're not quite sure what they do, but you know that you need them.

Really, the goal is to understand bad guys at a level that allows you to model and understand their behaviors, so you can make good defensive choices, at appropriate times, and in a way that you can afford and manage. And if you can't get to that point, then you're forever patching, chasing, trying to deal with this problem at a really abstract level. So it is very important to understand bad guys. And the good and the bad news today is that we have so much information about bad guys, that we've never had in our history, right? We're getting an education every minute of every day, across the entire ecosystem, of bad guys attacking us. And from that, we get the opportunity to learn. And one of the things we learn is that we're not actually seeing millions of magic, unheard of attacks every day. We're seeing millions of repeats of the same old thing every day. That's because they work, right?

And so, you don't need magic to be a successful criminal, or to be involved in espionage, but you need to be clever. And so as we understand these massive attacks, that allows us to better understand the model of adversaries and make good choices. And speaking of choices, the nature of defense, it may feel overwhelming and confusing, but at the end of the day, there's really a limited number of defensive choices. It's a large number. But I'm a strong believer and observer in cyberspace of what many people would know as the 80/20 rule. Some of you will know it as the Pareto principle. And the notion being, this is not mathematics, this is philosophy, that if you think about a problem carefully, you'll get most of your benefit, most of your improvement, most of your positive change from a relatively small number, the 20, of inputs, variables, choices, decisions that you make.

And the key is, can I make a few good choices that give me most of my value, that then allow me to focus my energy, my attention, my scarce resources on problems that are really harder, or unique to my enterprise, or more nuanced and more challenging to deal with? And I often said when I was working in the Defense Department, that we had the equation backwards. We were spending 90% of our money trying to get to an 80% solution. That's not a recipe for success in cyberspace. And so we have to think about the sort of first few choices. And the good news and bad news, again, is that since we are being attacked by this mass market of repeated attacks, then those first few choices, frankly, are pretty much the same for the vast majority of us. And you could study it for a year, and you'd easily reach the same conclusion, that I really need to pick a first few set of steps to put in place the basic infrastructure of defense, to allow me to manage this problem at scale, and not chase every individual piece of malware.

Another key lesson for me is thinking about cybersecurity sort of abstractly, that is, people think, "Well, if I just have the right technology, the right tool, the right whatever, then I would be much better defended." And that's very naive. Another thread is that, "Boy, if the government would just tell me what it knows, if it would just share the right information, give me some insight into what has happened in the classified world, then I'd be very smart, and I would know how to defend myself." Another naive notion. The idea is, for me, as I've observed this, is that cybersecurity at its heart is really an information management problem, not a threat sharing problem. An information management problem. That is, how do I move information from where it's collected, in a form in which it's useful, to a place where I can take action upon it? And that place to take action is always, always at the network management level.

So my plea, whenever you see the verb share, as in threat sharing, mentally replace it with a couple other verbs. One is translate, and the other is execute, right? There's millions and millions of data points of badness out there, but really at the end of the day, what you want to do is take millions of data points of badness, and translate them into a small number of positive, constructive steps, things that you can control, do, buy, execute, et cetera. And at the end of the day, we're not sharing because we want to share for sharing sake, right? We want to take action so that we have safer enterprises, so that we have more confidence in the operations and so forth. So it's really, threat sharing is a means to an end, it's not the destination. And people often confuse that.

Another key lesson is about the way we make decisions in security. Security professionals really want people to care about security the way we do. And that will never happen. I hate to burst anyone's bubble, but at the end of the day, enterprises, people make decisions for lots of reasons, not purely about security, right? They care about economics, they care about social issues, they care about safety and so forth. And so they put decision-making in a much broader context than security. And so we'll never train, for example, every business executive to understand IT and dependency, and security, the way professionals do. And we shouldn't.

By the way, we don't ask the entire populace to learn about things in great detail, about public health, or about brain surgery, or about flying airplanes, and so forth. We build social mechanisms to allow us to make not perfect, but pretty good decisions, based upon some sort of a social framework. Things like building codes and laws and directives and insurance incentives and a whole basket of ways that allow us to gather information, make pretty good, rational decisions, not perfect decisions. And then we have other means to sort out when those decisions don't work out well, i.e., through the courts, through regulation, et cetera.

So that's really the... We need to think about how we shift our thinking in cybersecurity around this, helping people make decisions, as opposed to helping people understand that these are challenges of technology. And finally, let me wrap up with this lifetime... If you like popular movies, and I certainly do, one of my favorites is Independence Day with Will Smith. Remember that? Well, we all wish cybersecurity, the challenge of defense, was like the movie Independence Day. What do I mean? Well, remember the premise of the movie, the attack by the aliens, the big mothership. We have some older captured technology. The mothership is out there in orbit, waiting to conduct the attack on us. We take the technology we've captured, brilliant minds reverse engineer it, create a tool, a virus, the heroes fly it up in the captured scout craft, deliver it to the mothership, implant it in the mothership, boom goes the bad guys. The good guys escape. The defenders come back. They have their celebratory cigar and the parade.

Let me tell you, I've been in cyber defense for 40 plus years, no parade for the cyber defender. I promise you. It just doesn't happen. Cyber defense is much more like the other popular movie I have here, Groundhog Day. Remember that, with Bill Murray? He wakes up every day to the same day, and once he realizes where he is, he makes small changes, and occasionally there's improvements, occasionally there's things that don't improve. But cyber defense is much more like running machinery, right? Designing machinery that will execute over and over and over again. Information is really what drives this machine. Information about new attacks, new vulnerabilities, new flaws, new business uses of technology.

And so, you have to think of it as, I designed this machine for efficiency, and repeatability, and for confidence, so that I'm able to manage this information, bring it into my environment, decide how it applies to me, and then take action if I need to, to block something, delete something, prevent something, go get information out of a log, et cetera. And those are all the kinds of things that we have to keep in mind as we design our defenses, right? We would love to have this sort of heroic invention, deliver it, boom, we win. But that's not going to happen, at least not in my professional lifetime. Really, defense is much more about designing the machinery, and then thinking about issues of like the movement of information and the efficiency and the execution of this.

The next thing is, and I would sort of encapsulate this at a high level of what I call the defender's dilemma, and this is what is really changing behavior today, I think. For most of our history, we've been consumed with the first two things here. Number one, what's the right thing to do, right? Given the complexity of threats, and all these things that are happening, and the business use, and the technology issues and so forth, the regulatory environment, what's the right thing to do? And companies struggle with this, and they should. It's a complicated problem. And how much do I need to do, right? You can't afford to bankrupt your company in the name of good security. You don't want to put yourself out of business.

So there is a limit to spending, like there would be a limit to spending for a personal safety and so forth. And you have to think of it as a decision making challenge. So the number one, what's the right thing to do? We'll talk a little bit about how to help you with that. Number two, how do I actually do it? That is, how do I convince the boss, get a budget, scour the marketplace for options, buy things, install things, operationalize them, and turn them into day-to-day running stuff? The thing that really changes behavior is number three, and it is, "How do I demonstrate to others that I have done the right thing?" What do I mean by that? Well, what's really mobilized in the last few years, are things like the insurance industry, the legal system, the regulatory world, supply chain concerns, right? So it's not good enough to do one and two, to actually solve the problem.

You now have to explain to multiple parties, different parties with different interests, over and over again, that you have done the right thing. Otherwise, you can't get insurance. You can't become part of somebody's supply chain. You're not a trustworthy partner. You will leave yourselves open to liability in a court of law. And so this, number three, is really closer to where executives and bosses, and business leaders think, because it really is part of their day-to-day management problem. And this is a good thing, right? This is very challenging, but it changes behavior because it changes the way that decision makers think about this problem. So it's really important to make sure that we can not only deal with number one and two, but do it in a way that allows us to do number three, I'll say, cost-effectively, with great efficiency. And that will come up in just a moment.

So next up, 40 plus years, it's great to point out problems. I got paid to do that for a long, long period of time. But what are we doing about it? Well in about 2008 on the upper left of this slide, there was a little project, and believe me, I had no idea what was going to happen. I'd love to tell you I was very clever and knew what the future would hold, but that's not true. I literally gathered five folks around the table, and I was struggling with a problem. So Camille, in the intro, mentioned I led the campaign to release the NSA Security Guidance to the public. And that happened to be in June of 2001. And once we did that, it led to a lot of opportunities to speak in public, and to deal with the much broader industry around security. And the most frequent question I would get when I would go out in public is, "That's great information, Tony. Thanks for releasing all this information and guidance to the public. But what do I do first?"

And I would say, "What?" And they would say, "What do I do first? I only have a limited budget. My boss only has attention span for two things at once. I can only get their attention for a little bit. What do I do first?" And I would say, "Wow, you can tell I've never had the responsibility to fix a problem. I'm great at pointing out problems, but not so good at fixing them." But that's a very natural question, right? If you were tasked with leading the solution to this problem or the survival of an enterprise. And so rather than continually pointing people to thousands of pages of NIST documents, or the equivalent from NSA or DISA or all kinds of great industry sources and nonprofits, I gathered a small group of people and I gave them this challenge. And these are not ordinary people. These are NSA colleagues who represent both attack and defense and technology and insight into threats, and said, "No one leaves the room until we all agree on a small number of things that all of our friends should do to defend themselves."

And the other part of the guidance to that group was, "And do not try to solve world hunger here at the table. Do not try to solve the entire problem." Remember that 80/20 rule thing, right? If you put security people in the room, they can't help themselves, right? We're trained to do this. There's a lot of one-upping going on. "Oh, you've identified 50 problems, let me give you five more." "Oh, you've identified 100 problems, let me give you 10 more." We're sort of trained to nitpick and dream of these incredibly clever scenarios and ways to attack.

And what I wanted to focus in on, was number one, how do I get started? What's the basic infrastructure? What's the 80/20 part of this? Where do I get going in order to help people prioritize their first steps in defense? So that NSA project was, believe me, very modest in scope. It was a list of 10 things on a two page letter, that went out to a bunch of our friends across the Defense Department and said nothing more complicated than, "If you don't know where to begin, start here," based on our experience. And it was unclassified. It got broadly distributed, and it turned into something that had a life of its own. It was grabbed by the SANS Institute, one of, I think, the biggest teachers of cybersecurity in the world, along with one of the DC think tanks with the acronym CSIS, the Center for Strategic and International Studies.

And they, with our permission, took a very modest two page thing, and turned it into roughly what we know today as the CIS controls. It was originally popularly known as the SANS Top 20, and it went from five friends in the room, to sort of 5,000 friends on a mailing list, a much broader selection of the community, much more of a comprehensive, worldwide community, that was throwing ideas into this. And SANS held onto the idea as a community service project, basically. And most people knew it as the SANS Top 20. Some people knew it by the name Consensus Audit Guidelines. And that, by the way, tells you something. The notion there was to focus in on what do auditors look for? And the reason goes back to that number three of the defender's dilemma that I mentioned, right? Auditors get special attention from bosses. For example, critical findings in a financial audit. And so as a company, you have to deal with them at some level, or face either regulatory wrath or legal liability. And so that was kind of the notion. It didn't really pan out at that time in history, but that was kind of the thinking. This was probably late 2008, '09, '10, somewhere in that range.

So fast forward and very quickly, I retired in 2012, from 35 years of federal service and wound up working at the SANS Institute in the Special Projects area, and wound up taking this project over on a sort of a, "You were involved on day one, you get stuck with this thing." So I wound up taking it back. And then with the permission and support of SANS, spun it out into a nonprofit company to support what we then called the Critical Security Controls, and then in 2015, merged with the Center for Internet Security, because I really wanted to provide both an independent nonprofit home for the idea, but also a long-term sustainment mechanism. Something more solid than me working in my home office with a giant email list of friends.

And so that's really led us to where we are today, this notion of the CIS controls, and this idea, and you'll see on your screen now, kind of the list of them. I won't go through them, but you can find all this online. We give the content away at no charge. The business model is a funny one, right? We create this with volunteer labor. The staff that supports this at CIS is actually pretty modest in size. This really comes down to, how do we organize the community of experts? And I often refer to them as the experts you cannot afford to hire, because the quality and numbers of people that will volunteer for these kinds of projects is just off the charts, some of the best minds that we have in the industry.

And so that's the good news about this industry. And one of the things that keeps me working even after retirement, the business is full of really, really talented people of goodwill. People who believe strongly in a secure and safe internet, and are willing to contribute their time, whether it's through our nonprofit or other nonprofits, or through international standards, or lots of mechanisms. You can look around and see this great sense of service and volunteerism across the community. So, here you see the graphic of the controls. You won't see any surprises up there if you're a longterm practitioner here. A lot of great ideas. There's another level of detail below this, and I'll talk a little bit about the kind of things that go with it.

But it's not a magic list, right? It's a collection of thoughts. And we derive these from an understanding of attacks. That's what it comes down to. And I'll talk about that in just a moment. But also, let me show you a little bit about the company itself that's behind this. And I've been in this business long enough to see many, many good ideas disappear from the marketplace, or from government, because no one planned any sort of sustainment mechanism. Will it be there two years from now? So we've built a company around this idea, the Center for Internet Security. We have two main mission areas. If you look towards the lower half, we are the home of the multi-state ISAC, the Information Sharing and Analysis Center for state, local, tribal and territorial governments across the US. And this part of our mission is funded by DHS.

So we really are the watch center, the advice giver, the organizer of cyber defense across the entire United States. And we have the usual watch folks and analysts and bulletins, advisories, emergency response and so forth that goes along with all that. Because we are so deeply embedded in the security of state and locals, that naturally brings us to the business of elections. And so we have recently stood up the Elections Infrastructure ISAC, really running on the mechanism of the Multi-State ISAC. But it's a different group focused around this business of elections. For example, a separate one, while there are a lot of unique aspects to elections, and it turns out state by state, it's very different. So the elections infrastructure may or may not report, for example, through the CIO of the state. And so there's a lot of variability across the country, right? There's no one, national infrastructure. There's lots of local, thousands of local infrastructures that add up to give us a national election.

So that's one of the two main missions, that whole business of state and locals and elections. The middle and up of this slide here, the CIS benchmarks, we are the world's largest producer of security benchmarks, which is our term for the lower level configuration guidance. "How do I set up registry settings and file permissions and things like that in a typical environment for best security effect?" We were pioneering that kind of work in the late '90s at NSA. If you've heard of the acronym STIG, Security Technical Implementation Guide, that's the Defense Department equivalent. NIST has its own program of what they call security checklists, but benchmarks is kind of our term for it. And again, a small professional staff at CIS, a large number of volunteers working with vendors, with analysts, with all kinds of people around the world, to develop and then distribute the CIS benchmarks. In the middle of this slide, CIS controls, that's where I've spent most of my time for the last couple of years. And this is a level up in abstraction, more about operational practices, design, the composition, organization of your systems for best defense.

And then to the right there, CIS hardened images. Like everyone else, we're trying to make sure that we provide security wherever the technology and the adopters go. So the fastest growth area for us is in secure cloud images. So when you go to an Amazon, Google or Microsoft and many others to arrange for your IT, and you want so many desktops of this vintage and so many servers, et cetera, you can get all those pre-configured to CIS benchmarks with some of the CIS controls built in, as just a matter of routine now. That becomes a really important way for us to move good advice into a way that is naturally embedded in the marketplace.

A lot of security is sort of like after the fact, slap it on and hope for the best. And really, what we need to be moving towards is further upstream in the life cycle to help people do this in a much more comprehensive way. All right. So that's the company behind the scenes that really supports this. And the idea was to have a long-term sustainment mechanism. Just briefly, you see in front of you all, I'll mention what I call the cycle of cyber. There's lots of these sort of wheel things here. But here's mine. The way we think about this problem is, what we have today that we did not have when I was growing up in this business is lots and lots of data about attacks, good and bad, right?

It's bad to be attacked, but the good news is there's lots to learn from it. So this idea of analyzing them, and you cannot deal with millions and millions and millions of attacks. You just can't. It's overwhelming. The good news is, we're not actually seeing millions of unique attacks every day. We're seeing millions of repeats of the same garbage every day. And so analysis is much more about templates, and patterns, and trends and summaries than it is trying to chase every individual piece of malware. You'll make yourself crazy trying to do that. You really need to stand back and say, "If I could understand millions of attacks and this sort of pattern summary, template level, what does that tell me and how do I translate that into action?"

What are the sort of root cause problems, and what steps can I take to really deal with large classes of problems as a class, as opposed to individually? So that's really what analysis and action is about. Audit, and I use that term loosely, I don't use it the way auditors do, it's about making sure the machine is in place, right? I described cyber defense as a machine. Well, at the end of the day, the way you have confidence or assurance is that you make sure the machine is running right? Is the information coming in? Is it being translated? Am I able to take action? How long does that take? How long does it need to take, given the rate of the way attacks manifest themselves?

And so, assurance is about confidence, right? The confidence that a decision maker has to make a decision about the business, about what to do, about what's next and so forth. So this idea of, we're always running in this machine, in this cycle of cyber. Next up, kind of a lower level is thinking about this notion of workflows. So how do we translate this from a conceptual model into workflow? I mentioned, look at the left side there, attacks, right? And we do this through... We're regularly reaching out to folks like the folks behind the Verizon Data Breach Report and the Symantec equivalent, and HP and Palo Alto, all the people you would love to talk to, but maybe you don't have the time to, or you don't have the people to go reach out to them, or the contacts to reach out to them.

And again, I'm not looking at every piece of data that they have. We're working with them to understand trends in some reason, templates and patterns. And we're also, I mentioned, we're the MS-ISAC, right? So we are living and breathing this operational problem just like many of you are, and we're also closely tied to the US SAC. So we get pretty good insight into what's happening, like minute by minute, day to day, and then with lots of friends in the IT and security marketplace that we work with. And we're always looking for new solutions to old problems. You pull all that together, kind of in the middle of the slide, around these vulnerabilities, these summaries, these patterns.

We use something called the Community Attack Model. And this is not rocket science. A lot of folks have thought about this, and I'd be glad to share ideas with you after the fact on this. But at the end of the day, what you're trying to pull together are, from top to bottom, the business requirements for information technology. At the bottom, it's the emergence of new technology, and how does that help businesses? And then you're trying to understand how are systems and technology being attacked? And then, can I translate that? Remember that translate is really the key verb. It's not about dealing with every one of them. It's, "How do I translate these sort of negative issues into positive steps?" Whether it's the benchmarks, it's the controls and business process.

So this is the next level of detail in thinking about the cycle of cyber, and the way you need to conceptually think about defense. So all these... Next slide up please. The controls, again, it started so modestly. I'm almost embarrassed to tell you that. But the two-page letter has turned into this worldwide movement, frankly. And so we're found... And this is just a sampling of the places where there are references of one level or another to the CIS controls. So, most of you are familiar with the NIST Cybersecurity Framework. Since day one, we've been involved with that, and we're one of what they call the informative references.

We got a ton of attention a couple of years ago in the California Attorney General's data breach summary report. They looked at three years' worth of data breach problems. And the interesting thing was, completely on their own without even reaching out to us, we were recommendation number one, what should you do about it? And they implied a legal standard of due care, which has not translated, strictly speaking, into what you might think. But it's really got the attention of lots of people to say, "If the attorney general thinks this represents a standard of due care, I better do something about it." And this is consistent with that step number three of that defender's dilemma, right? We're seeing more and more of these ideas of, how do I establish the social expectation of behavior? And the legal system has terms for this. Best practice is often called out in regulation or law, but not very well defined, frankly. And so it needs to point to something else, something like the CIS controls or other frameworks, in order to make sense of this.

I mentioned the Verizon Data Breach Report. We are in an ongoing discussion with them, and they do an amazing job, and we're one of the contributors, from a state-local perspective, of data to their analysis. And then recommendations, again, it's great to have a list of things to do, but they also point to us as a sort of more comprehensive way to think about recommendations. We are embedded in the Federal Reserve's internal audit process as one of the things that they reference in the audit, and a number of other European technical standards have jumped on us and use us significantly. National Governors Association, we're a recommendation, and many supply chain activities.

Everyone is grappling with that number three thing, again, the defender's dilemma, right? How do I prove to others? And I think we are actually in grave danger of bankrupting our own economy with that number three, proving to others I've done the right thing, right? Every little company I deal with, for example, that sells to defense agencies and places like that, they're getting overwhelmed with supply chain questionnaires, and, "Tell me how you're safe to bring into my supply chain." These are folks that don't even have security teams, much less the ability to deal with this sort of flood of questions. And, "Tell me how you're doing in security," et cetera, et cetera. This is a crazy way to think of this, if we let all this happen randomly. We really need to think of this at a national level. How do we make it easy for people to demonstrate that they've done the right thing, and do it in a repeatable way that can be reused many times? These are really important.

But anyway, there's a whole world of these references to the controls, both informal and formal, and I just want to give you a sample of them. Next up, how might you use the controls? And these are just for your thought here, but these are all examples of how people are using them. Many folks have a jump on our work just as an independent, not-for-profit statement of what to do, right? You can argue this from auditor to boss, or you can kind of raise the argument up a half step and say, "You know what? Here's how we're basing our security program, on an independent nonprofit international statement of what the problem is, and what we have to do about it." And that, for a lot of folks, at the enterprise level, at the consultant level, et cetera, this is a valuable contribution that we can make.

I talked about the translation from attacks to action, a benchmark of performance, right? Where am I, relative to this? To assist with prioritization. I've talked a couple of times about that. There is no sort of nice, neat one-to-n prioritization, in any part of this business. But we've really tried to pull out of the thousands of things a relatively small number of things that you should do, and that's really the focus here, of the controls.

Supply chain. I mentioned that. Again, everyone's looking for a repeatable, low-cost, efficient way to assess the security of supply chain partners, and there's a lot going on in the industry around that. Reporting, implementation of the NIST Cybersecurity Framework. And as a reference or alternative to more formal frameworks, I will... Last sort of editorial statement I'll make here, and we've done surveys with some of our industry friends, we are entering what I would call the multi-framework era. That is, for many, many, many companies in our economy, they don't have just one security framework staring over their shoulder asking them what they're doing. They have two, three, four, five or more, depending on the industry you're in, the regulatory environment, the geography that you operate in. It's starting to overwhelm companies in figuring this out, all these different frameworks and regulations and the laws, the legal system, and what do I have to prove to the insurance company?

Again, we really need a universal way to talk about such things so that we don't bankrupt our own economy in the name of trying to get better security. So just to let you know, folks like my friends at NIST and I have decades of experience working with good people. They're trying to do things like, right up front, admit that this is happening. That is, the world has to deal with multiple frameworks, whether we like it or not. Therefore, what can we do to make it easier for you? How can we cross-map to each other right up front? How can we standardize on language? How can we make things simpler for those that have to live in all this?

Okay. Next slide, please. Just as an example, I don't want to... I won't go through this, but this is an example of how the Federal Reserve uses the CIS controls. Down the left side, you see the controls; they map it to a category of the functions in the Cybersecurity Framework. And then there's a whole two or three levels of detail below this. But it's a way for them to track how different parts of the Federal Reserve are doing, when they do these internal audits, and what are the trends of improvement or not improvement? And how does it help? Their view of internal auditing is really about a guide to helping management prioritize, right? This is not punitive. This is really about management support. How do we help the management make good decisions about where to invest, where should they spend the time? So this is just a sample. There are many of these different kinds of things floating around that people use.

And then finally, I'll mention the... Again, "this is not about the list" is one of my standard catchphrases, right? If you want a great list of things to do, there are gazillions of these across the industry. And when we get back to the national cybersecurity environment, where this month, every magazine will have a top 10 things you should do, and on this test, thousands of things you could do. And that's all great. But a list is a list, right? What really matters is all the things that happen around the list, what I would call an ecosystem that helps you achieve the intent of these well-intended lists.

So I mentioned things like mappings to other frameworks. Again, we're tightly coupled to the NIST Cybersecurity Framework and completely supportive of it. We're about to release a new document on levels of implementation, or tiering, to sort of say, "Even within this set, focus here first." And most of these can be done with technology you probably already own. We're really expanding our presence in cloud images, hardened images we call them. We're working right now on a small and medium business toolkit. I am very concerned, and all of CIS, and many of our friends are, about the state of play of the small business economy, especially in the US. They just are overwhelmed by this problem. It's unreasonable. There aren't enough security professionals to hire. It's too complicated. And how do we collectively find ways to improve the security of small businesses across the economy?

I mentioned the attack model. We'll do an update on measures and metrics sometime here in the next year, and then, we call them companion guides, that is, how do you take the work of CIS and adapt it to either new sectors or new technologies, just some of the examples there: IoT, cloud, et cetera. And then finally, one of our newest products we call CIS RAM, the Risk Assessment Method. This is a not-quite-technical way to think about the decision making. It's really, how do I look at things like technical controls from a legal viewpoint, right? From a due care, from a responsibility, from a reasonable decision making and presentation point of view. And that's what that is really aimed at. We're really conscious of this need to bridge the gap from technical practice to business management decision making. So this is our first attempt to do that.

So with that, I'm going to wrap up to make sure that we leave plenty of time for questions. So thanks for your indulgence up to this point, so that I could share with you a little bit of history. I wanted to help you understand the philosophy that drives the controls, right? It's not about the list. It's really about a philosophy here. And my strong belief is that we really all face a common problem here, across the entire cyber ecosystem, which really just begs for us to work together. And this is not bumper sticker, hurrah hurrah stuff. This is, we really have to work together to create content to help each other improve, because of the mutual dependency. Otherwise, we'll never make any progress on this. So with that I'm going to turn it back over to Camille. Thanks very much.

Camille: Tony, thank you so much. And I think that this was a great presentation to just help us even sort through what we're working with. Starting out with that "fog of more" idea, if you talk to someone who's not in cybersecurity, not into security, they say, "Oh, what is cybersecurity? What do you do?" Well, I think, just understanding the sheer depth of it is just... Even where anyone needs to start, and then realizing how you can progress from that. So really great presentation. And we appreciate that so much. As we get to questions here, we still have time to submit those to us in the question and answer box. We've got a couple coming in already. But one of the questions asked, where can they find resources? So this page is going to be a friend for you. A couple of different ways to look at the Center for Internet Security. You can see on the screen here and kind of find some of those resources that you might be looking for.

Tony: That's absolutely right, Camille. I'll just mention, again, you can go to the website. There's lots of great content on there. The model, again, is volunteer labor creates the products. We distribute them at no cost, by and large. How do we support a nonprofit, right? Even a nonprofit has employees. We support it through a membership model, either licensing to vendors for certain types of uses, so you can build... Our content is built into tools from many of the main IT security vendors, or you can become a member of the enterprise camp for the use of the products here. But there's just tons of great information out there. And remember, do not think of CIS as kind of this mystery think tank or whatever, right? It really is the community. So there are lots of people. And if you want to become a part of this, you are welcome to be part of this. We manage this through a closed social media platform where the discussions happen and volunteers work, and so there's a lot of opportunities to get information in a less formal way. Thanks.

Camille: Sure. Now as we kind of move on to questions here, let's start out with a question that just came through, Tony. You just said it was a nonprofit volunteer organization. Now, how are folks going to know that this is credible information, if we just have... In the sense of anybody joining?

Tony: Sure. Yeah. Part of the value that CIS provides is this kind of a confederacy, I'll call it, of these volunteers. And believe me, we have no problem attracting very talented people from across the ecosystem, public sector, private sector, US, non-US, et cetera. And so part of our job is to ensure the quality of the work and the sustainment of the work. Because that's what we're really providing here from CIS, this sort of independent view and the management of it. And we try to fill a gap here. Like again, I mentioned we work closely with our friends at NIST, and they do a great job with the things that they produce. Because they are a government agency, they're subject to certain restrictions, or timing, or the openness of their process and so forth. We provide a complement to that. We're sort of leaner and faster because we are less encumbered by some of the things that they have to deal with.

But the notion here is people can get directly involved if they want to, if they want to make sure that the work is consistent. Many times, we have representatives from the vendors working on our products also. And part of what we do, again, is to make sure that we have many viewpoints represented every time we produce a product. Our reach is very broad. So that no vendor gets to dominate the way our products come out, the government doesn't, no company does. So we really are very conscious of the role that we play. That's kind of unique here. And again, as I mentioned, the notion of having a nonprofit set up, because I've only got a few more years left, I think, in this professional life. And it's really important to have a sustainment mechanism that is funded, that is consistent, that can be counted on, where there's a place to ask questions, there's a place to interact with the vendor community, to deal with the regulators and so forth. So you know, that's a really big part of what we do here at CIS. Thank you.

Camille: Absolutely. Could you describe a little bit more about that relationship between the NIST Framework... The relationship or the difference maybe, between the NIST framework and this framework?

Tony: Sure. Yeah. I personally was involved, I think, in almost all the workshops that developed this framework. And we worked closely with the same NIST folks when I was at the NSA, just to let you know. So the NIST framework, by design, is really aimed at the sort of broad enterprise-level understanding and discussion of risk. And the idea was to help bridge this gap I talked about, from technology to management decision making, by design. And part of the guiding principle for the NIST framework was to point to existing standards, wherever possible. So by design, the NIST framework points to PCI, points to the more extensive NIST 800-53 catalog. It points to lots of other things, including the CIS controls. So, this framework wasn't intended to be the only thing you dealt with. It was intended to be the umbrella that allows you to bridge this gap from technology to management decision making.

So we work carefully with them to make sure that we map the CIS controls into the NIST framework and vice versa. And so, it's never one or the other. Our surveys, for example, with companies say that the overlap is actually pretty high. People using this framework, about 50% of the time, are using our stuff and vice versa. But the way NIST has designed this framework allows you to use sort of whatever you think appropriate, more technology-oriented structure is out there. So we are in ongoing discussion with the NIST folks about that. If your audience is knowledgeable on these things, NIST is building a way to sort of cross-map naturally from other frameworks into the NIST framework. We're part of that process also.

So there's really... People want to think of it as one or the other, but that's just not true, by design. As I said, we are really entering an era where there's no one thing that fits every situation. And therefore, my view is, and the NIST folks certainly agree with me, those of us that are responsible for security recommendations or best practice or requirements or whatever, we have a responsibility to the broader community, to make it as easy as possible to navigate across all of these things. That's why we're really focused on making that simpler for our adopters as well as others.

Camille: Sure. That definitely helps bridge that gap of the connection of those and how they work together. So that's helpful. Now, I think this question is looking back at the audit example of the Federal Reserve Bureau audit. Are you aware of other organizations that use the CIS control framework for their auditing?

Tony: The most formal example we have is the Federal Reserve Board, the one that we mentioned. I'm looking at the acronyms there. We're in discussion with at least one of those and two or three other major government organizations who are looking... I can't discuss them right now, but they're looking to do essentially what the Fed has done, integrate them into their auditing process as one of two or three things that they audit against. And that's in recognition of the kind of popularity and the accessibility of the CIS controls. So if you have a particular favorite, folks are welcome to reach out to me directly through the CIS website, for example. And I'd be happy to talk about your favorite one.

This idea is very consistent with what we're going to be focusing on at CIS over the next year, which is this bridging the gap. I'm going to be... I've given probably four or five talks at major auditing conferences in the last year, and we are developing an afternoon workshop with another training company around auditing and the CIS controls. So I'm very interested in this because of the notion of affecting and supporting executive decision making. So I'd love to hear from anyone who wants to talk more about this, after today's seminar.

Camille: Now, I think this next question that we got through the chat, can you just give a real light touch on how to... You read through the controls and you learn about them, but how would someone implement these? What are the steps of just kicking off your program, implementing these, for example?

Tony: Yeah. I mentioned that we're putting out some documentation to help people with that first step. And we're working with one of the, probably the major IT vendor. It turns out, a number of the things that the controls ask you to do, you may already have the technology to do. I'm not saying this is a complete solution, right? But part of it is learning. Every vendor tells me the same thing, whether they're an IT vendor or a screen vendor. "Oh, the customer only uses some number percent of what we sold them." I ask every vendor that question, and they almost always give me the same number, 30 to 40%.

And so, part of this is sort of discovery, right? How do we make sure that we take advantage of the technology that we already have, whether it's the operating system, the major applications, the IT security things that we bought on there? But we have not produced nearly enough information to help people with that. We're working on a couple of things right now. I'd love to hear, again, more from folks about specifics and things that they would find helpful. We're trying...

One of the things we did not have, again, this went literally from a very simple project to a really big project, and what we have today that we did not have a couple of years ago even, was a way to sort of gather information about use cases, or about where people are getting stumped, and what problems they have. And we're using that information that we're now gathering. For example, when you download the controls, we ask for registration, and we ask, "Please answer a few simple questions," to get a sense for how people intend to use them. Or later we can ask you questions about how you are using them, and where you're stumped. And we're using that to drive our priority of development over the next year.

So we have produced some implementation guidance. And you can also find many vendors have produced their version of it. If you hunt around on the web, you'll find vendors that will map their product line to the CIS controls. And that's their statement. We do not validate those, currently. But what they say is, use my product because it helps you with this subset of the CIS controls. And you can kind of backdoor it that way and take a different look at how to do implementation. But for anyone who has a specific question, I would be happy to discuss that, again, also, afterwards.

We are definitely producing more information with this sort of startup process, and we are particularly interested in what I'll call the cyber under-resourced, small business and so forth, who really have to make do with either what they have, or what they can get at very low cost. So look for that over the next several months from CIS. Thank you.

Camille: Thanks Tony. Looks like we have time for just a couple more questions here. Now are there any specific controls that you think give organizations the most trouble, or are the hardest for people to grasp, or implement or that kind of thing?

Tony: Yeah. I think it can depend on the sector that you're operating in, and the type. But let me give one example that has come up a couple of times. For a medical service delivery type, hospitals and clinics and that kind of stuff, many of them, for a variety of reasons, have struggled with just the very basics, right? Controls one and two in our language, that is, knowing what you have. And that sounds kind of crazy, but it's actually understandable. You have an environment, for example, that may not have a long history of top-down management of IT. You may have lots of merger and acquisition kinds of things happening all the time, technology coming in as a function of the business environment. And you may have a culture that says, and not to pick on anyone in here, but you may have a culture that says, "Doctors kind of get to do what they want."

And so you've got salespeople besieging them, poking things into the enterprise, and the system is designed to give them an IP address, whether that's a good idea or not. And so you've got this sort of complicated, fast-changing environment here that you really have to manage. So what I've heard from a number of folks in that area, just as an example, is it's a struggle with just understanding what they have. And I get it, and it makes sense. Part of that requires some thinking about architecture. How do I partition off things like the salespeople and demonstration folks coming in all the time? Can I make that a separate enclave or part of my environment? Can I provide a way to manage guests more naturally within these sorts of environments? These challenges of users who have to go across multiple health services?

I'd say what happened here, in my discussions with some of them, was, they may overthink the problem. And by the way, security people are the worst at this, right? You figure out 99% of a solution, and they tell you the 1% is the one you should care about, and you never get it right. So in IT, we think anything short of perfection is terrible. But really, getting a pretty good handle on your inventory of both hardware and software allows you then to start to bring in disciplines like patching and management and administrative rights, and so forth.

And so, my advice to folks who are struggling with those sorts of early steps in the controls is, don't let lack of perfection prevent you from doing these other things. Because if you wait for perfection, you'll never get to it. But it's an astounding sort of first thought, though not surprising when you think about it a bit, how complicated networks have become, with mobile users, and this dynamic of mergers and acquisitions and so forth.

Camille: I think we're gonna wrap up here just for time. Definitely appreciate you joining us again today, and I'm sure everyone would agree that this was a really informative presentation, and it just kind of helps us understand where we're at in the world, with cybersecurity as a whole.

Chris: This concludes today's episode of CyberSpeak with Infosec Institute. Thank you all for listening. Remember, if you enjoyed today's episode, you can find many more including webinars, tutorials, and interviews with security thought leaders by visiting, for the full list of episodes. See our current promotion for podcast listeners considering class signup. Please check out to learn more. Also, if you'd like to try our free security IQ package, which includes phishing simulators you can use to fake Phish, and then educate your colleagues and friends in the ways of security awareness, visit Thanks once again to our guest, Tony Sager, and thank you all again for listening. We'll speak to you next week.
