Cyber Hygiene Matters, and So Do Definitions
In an earlier article, I wrote about the importance of cyber hygiene and offered a specific definition of basic cyber hygiene based on CIS Controls Implementation Group 1. I'd like to expand a bit on why having a clear-cut definition matters so much.

A specific definition lets you move from a general awareness campaign to an unambiguous action plan – one that can be communicated, adapted for different conditions, and followed.

There's a big difference between "only you can prevent wildfires" and an explicit set of steps to safely extinguish your campfire.[1] Having such a plan allows you to focus the attention of the entire cyber ecosystem (users, adopters, suppliers and vendors, as well as authorities such as governments, regulators, and the legal system) on a common set of problems and a common set of actions.

A concrete definition provides a technical basis to identify tools to implement the actions, measurements to track progress or maturity, and reporting that can be used to manage an enterprise improvement program.

A specific definition also gives you the opportunity to change the recommended behaviors when the underlying science or understanding changes. In public health, for example, hygiene recommendations are used to translate complex science about topics like disease control into specific personal or social behaviors.[2][3]

Cybersecurity defenders are already flooded with information about attackers, vulnerabilities, and malware. But, as in public health, most don't have the time, expertise, or interest to read the latest research; they just want a way to focus on positive, constructive action.

In today's environment of shared technology, linked by complex business relationships and dependencies, we also need a specific way to negotiate "trust" and an "expectation" of security. Are you a safe partner to bring into my supply chain? Can I count on this merchant to safely hold my financial information? That way needs to be better than paper surveys or inconsistent interpretation of abstract security requirements.

Finally, if you don't have a specific definition, you can't do the analysis needed to establish the specific value of cyber hygiene (or of any cyber improvement program). This is what CIS has done through our Community Defense Model, and it is a topic for another day.

Get started with Basic Cyber Hygiene with the CIS Controls Navigator

About the Author

Tony Sager
Chief Evangelist
Tony Sager is a Senior Vice President and Chief Evangelist for CIS®. He leads the development of the CIS Controls®, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.