20 Years of Creating Confidence in the Connected World
The Center for Internet Security (CIS) recently celebrated its 20th year of creating confidence in the connected world. In preparation for our 20th anniversary, I reached out to the people who founded CIS, some of its first employees, and a handful of the very first volunteers. This outreach was a lot of fun as it gave me the chance to speak with some amazing people in our industry. As we shared fond memories, I captured some of their ideas and thinking from 2000 to help make the connection with what CIS is doing today.
History of CIS
Over the years, CIS brought together three major components for the cybersecurity industry, starting in 2000 when our nonprofit company was founded:
- CIS Benchmarks
Our first goal was to create security “Benchmarks” by bringing together the best minds across the industry. We wanted to establish the most effective and usable security configuration for individual components of any information technology (operating systems, applications, routers, etc.).
- A New Home for the MS-ISAC
In 2010, CIS was joined by the Multi-State Information Sharing & Analysis Center (MS-ISAC). The MS-ISAC, which started as a regional cooperative, had outgrown its home in New York State government, and brought what became a nationwide, 24x7x365, operational mission to CIS.
- Adopting and Nurturing the CIS Controls
In 2015, the Council on CyberSecurity joined and brought in what we now call the CIS Controls. Of course, the CIS Controls today are a recognized international standard for cybersecurity, with a total of 171 Sub-Controls!
Other steps along the way included the the transition of the US Cyber Challenge to CIS in 2015, and the formation of the Election Infrastructure ISAC (EI-ISAC) in 2018.
A Consistent Vision
In speaking with the founders of CIS, the leaders of the components that joined later, and all of the early employees, volunteers, and supporters, I was really struck by the consistency of vision. Everyone spoke about the work to be done in the same way, no matter where it started:
- independent of any specific vendor’s interest, but cooperative with industry;
- improve the real practice of security, don’t seek perfection;
- focus on measurement and management, not magic; and
- create value via consensus-building and sharing, not through protection of intellectual property.
And to a person, the goals were always very big and audacious. No one spoke of company growth or market share. Instead we focused on improving the nation’s security - the entire ecosystem - and the establishment of an international community. This consistency was not a result of hindsight, nor revisionist history. It was documented in the writings, vision statements, and presentations since 2000.
For me, the connection to CIS started in 2000 with CIS Employee #1 (when there was only one employee) and CEO Clint Kreitner. At the time, I was leading groups at the National Security Agency (NSA) that produced (among many other things) the NSA Security Guides. These were a sort of spiritual ancestor to CIS Benchmarks (along with DISA STIGS). When I was introduced to Clint, I knew I had found a kindred spirit, and I was blessed with a career-long partner and a life-long friend. And I had no idea that this would be come my professional home after retirement from Federal Service.
The Journey Continues
At the 20-year mark, we celebrate our founders’ vision, the work of our early employees and volunteers, and all the industry allies who started us on this journey. At CIS today, we create and support an astounding range of best practices. We also stand as a leading practitioner of security through our ISAC missions and our own IT enterprise. Our influence, and the trust that others have placed in us, extend across the nation, the globe, and throughout the industry. And our success as a business ensures that our work will be there to meet the challenges of the future.
The journey that started with a relative handful of people has become a movement - and a reason to celebrate - across our entire industry!
Happy Birthday, CIS
About the Author
Tony Sager is a Senior Vice President and Chief Evangelist for CIS®. He leads the development of the CIS Controls®, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.