CIS Logo
tagline: Confidence in the Connected World
HomeCIS ControlsCIS Control 17: Implement a Security Awareness and Training Program

Implement a Security Awareness and Training Program

CIS Control 17This is a organizational Control

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

CIS RAM is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls. Download CIS RAM

Why is this CIS Control critical?

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and logs); end users (who may be susceptible to social engineering schemes such as phishing); security analysts (who struggle to keep up with an explosion of new information); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).

Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; using nominally non-security-critical systems as jump points or bots.

No cyber defense approach can effectively address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.

Main Points:
  • Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
  • Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
Want to implement this organizational Control?

Download the CIS Controls for more details on implementing this and the other 19 Controls.

Download all
CIS Controls (PDF)

Already downloaded the CIS Controls?

We have several resources to help you implement: