CIS Controls Community Volunteer Spotlight: Alan Watkins

The CIS Controls Community is fortunate to include many experienced IT security professionals who volunteer their time and expertise to help improve cybersecurity best practices and make the connected world a safer place. Alan Watkins has been a CIS Controls Ambassador and Volunteer since 2017. Most recently, he contributed to the Version 7.1 updates. Read on to learn more about Alan.

Please tell us a little bit about yourself.

Over the last 45 years, I have held positions in IT Management, InfoSec, and teaching. I worked in the public sector for the City of San Diego for over 36 years, first in law enforcement and then in several IT positions, and when I left I worked as an Independent Cybersecurity Consultant. I also have about eight years of experience teaching graduate cyber courses online.

Where are you from?

I’ve lived in Southern California almost all my life, mostly in San Diego. Then I moved to the desert, where I now reside in Yucca Valley, near Joshua Tree National Park.

How did you get into cybersecurity?

I was working for the City of San Diego in the 1990s as an IT Supervisor and we had some “rogue” staff who had system admin privileges and abused them, so I needed to implement some security countermeasures. Then I was assigned the task of reviewing and mitigating the “Y2K Bug” issues in both IT systems and OT (operational technology) systems in the wastewater department. For this task, I coordinated with the FBI’s National Infrastructure Protection Center (NIPC), which led to collaboration with the San Diego field office and their computer crime squad. After that, security simply became another “hat” I wore along with all the other job duties.

How long have you been in the CIS Controls Community?

Since 2017. I created a training course with eight modules to teach cybersecurity professionals how to implement the first six CIS Controls (version 6.1) as part of a cyber hygiene program. Because I was using CIS’s materials directly in the training, I got in touch and we executed a Supporter Agreement. At that point, I became a CIS Controls Ambassador.

Why did you decide to join the community?

I was invited to provide input into the update from Version 6.1 to Version 7.

What is your favorite CIS Control? Why?

Well, I really don’t have “one favorite” Control. With the newest release (V7.1) and the use of Implementation Groups, I have been more focused on the CIS Sub-Controls. However, if I were to choose one Control, it would be CIS Control 17: Implement a Security Awareness and Training Program.

Taking into account that the majority of the CIS Controls are procedural or technical in nature, this one has the potential for impacting the successful implementation of the others. After all, having a trained (educated) and cyber-aware workforce goes a long way in preventing cyber incidents.

What is one thing you would tell folks about the CIS Controls Community?

Don’t be afraid to ask tough questions. This includes the wording and intent of a CIS Sub-Control. If you feel there’s something wrong with the way it describes a situation or the suggested control mechanism, then please say something. The purpose of the community is not only to share knowledge, but also to have a broad spectrum of expertise to discuss the controls.

What’s the latest CIS Controls Volunteer Community project you’ve contributed to?

I reviewed content and provided input for Version 7.1, including the creation of “Implementation Groups.” Through this interaction with the CIS Controls Community, I had conversations with other, like-minded cyber professionals who are focused on small businesses. One person in particular, Tony Krzyzewski from New Zealand, has been a great resource for sharing information.

For the overall cybersecurity community (not just CIS Controls), I just finished developing four courses, comprised of 20 learning modules, for one of a few new certificate programs being developed by InfraGard. The one I created is an Introduction to Cybercrime Prevention certificate program, and the courses include Introduction to Network and System Security, Introduction to Business Disruption Attacks, Introduction to Insider Threats, and Introduction to Social Engineering.

What are your favorite cybersecurity blogs, podcasts, or books?

Since I retired, I’ve mostly concentrated on teaching and writing. So if I may, I would like to recommend my new book, “Creating a Small Business Cybersecurity Program.”

Press release: CIS Controls Ambassador, Alan Watkins Pens New Book