What’s in a Name? CIS Critical Security Controls
By Tony Sager, CIS Sr. Vice President and Chief Evangelist
The conversation that eventually led to the CIS Critical Security Controls started with a series of observations and questions, and a simple idea. At the time, I was at the National Security Agency (NSA) leading a defensive organization dedicated to the discovery and analysis of vulnerabilities in technology and operational systems – likely the largest such organization in the U.S. government. This gave me the opportunity to see security flaws at scale, whether we found them, or the attackers found them for us. What I observed was that we kept finding the same problems over and over again, in every domain. What was going on? By then (the mid-2000s), even NSA openly shared security guidance with the public (starting in June 2001), part of a public-private wave of excellent defensive guidance, tools, training, threat intelligence, and frameworks. But I also observed that despite all of these defensive resources, most people were more overwhelmed than empowered. The most frequent question I heard was “what do I do first?”
This led to a simple meeting to gather answers for that simple question. To do that, more questions had to be asked:
- How does an enterprise get started on cyber defense?
- What are the most important, foundational steps that everyone should take, based on our experience of testing systems and studying attackers?
I reiterated that we CANNOT try to solve the entire cybersecurity problem in one meeting or with one list!
The output of that meeting was a two-page letter that went to some friends in the U.S. government, with this simple advice: if you don’t know how to get started, here’s our best advice for the most important things you need to get started on. A short letter soon turned into a large-scale community-supported volunteer project, led by the Center for Strategic and International Studies. The original project was formally known as “20 Most Important Controls for Continuous Cyber Security Enforcement: the Consensus Audit Guidelines.” When it later moved to the SANS Institute for ongoing support, it was eventually titled “Critical Controls for Effective Cyber Defense,” with most people referring to it as the “SANS Top 20.”
By version five, I had retired from NSA and took over the project, standardizing the name as “The Critical Security Controls for Effective Cyber Defense,” soon finding a permanent home at the Center for Internet Security (CIS). As we integrated this work into a more complete portfolio of Security Best Practices along with the CIS Benchmarks, we also simplified the naming and branding to “CIS Controls.”
Throughout the multiple versions and the variations in naming, we never lost sight of the guiding principles that started this conversation and this movement. While there are thousands of things that an enterprise could do to defend itself, what are the most important, most CRITICAL things that everyone should do to get started, based on what attackers are doing?
After a lot of feedback and a lot of discussion, we’ve decided to reemphasize those guiding principles by formalizing the name of the project as the “CIS Critical Security Controls,” while shortening it to the “CIS Controls” after the first mention. I must mention that we do the same with our organization’s name. At first mention, we are the Center for Internet Security, and subsequently, we are CIS. This lets us state more clearly what we are trying to do, and helps put our work in the context of the myriad of security frameworks across the industry. We don’t try to compete with all of those comprehensive, formal, or legal schemes. Instead, we bring focus and priority to any enterprise security improvement program – especially for those companies that cannot do it themselves –- in a way that is consistent with and mapped to all of them.
You may see us referred to as the CIS Critical Security Controls, CIS Controls, or even just the Controls, and we'll answer to any of those names. While the name is important, and the formal name is the CIS Critical Security Controls, what they do is most important: they provide a prioritized and prescriptive path to improve an enterprise's cybersecurity posture.
We’re changing our wording in another area as well. Previously, we decided to bring some rigor to the notion of “cyber hygiene,” one of the most-used, least-defined phrases in the industry, by formalizing Implementation Group 1 of the CIS Controls as “basic cyber hygiene.” We didn’t quite hit the mark with “basic,” which some interpreted as “easy.” From now on we’ll refer to Implementation Group 1 as “essential cyber hygiene,” which more accurately reflects the importance of these foundational defensive actions. Essential cyber hygiene (IG1) represents an emerging minimum standard of information security for all enterprises, and is the on-ramp to the CIS Critical Security Controls.
As always, we view our work at CIS as keepers of your trust. We are not a distant, intellectual think-tank or large agency. Your needs and your input drive every CIS decision and product, and we are proud of our work, and mindful of our responsibility to the community.
About the Author
Tony Sager, CIS Senior Vice President and Chief Evangelist
Tony Sager is a Senior Vice President and Chief Evangelist for CIS® (The Center for Internet Security, Inc.). He leads the development of the CIS Controls™, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions of use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’ independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.
In addition to his duties for CIS, he is an active volunteer in numerous community service activities: the Board of Directors for the Cybercrime Support Network; and a member of the National Academy of Sciences Cyber Resilience Forum; Advisory Boards for several local schools and colleges; and service on numerous national-level study groups and advisory panels.
Sager retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional. He started his career there in the Communications Security (COMSEC) Intern Program, and worked as a mathematical cryptographer and a software vulnerability analyst. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA’s role in the development of open standards for security. Sager’s awards and commendations at NSA include the Presidential Rank Award at the Meritorious Level, twice, and the NSA Exceptional Civilian Service Award. The groups he led at NSA were also widely recognized for technical and mission excellence with awards from numerous industry sources, including the SANS Institute, SC Magazine, and Government Executive Magazine.
Mr. Sager holds a B.A. in Mathematics from Western Maryland College and an M.S. in Computer Science from The Johns Hopkins University.