Cyber Hygiene: It’s Not Just Recommended; It’s Essential

By Tony Sager, Senior VP and Chief Evangelist, CIS

The term “cyber hygiene” has been around for at least a couple of decades, and is usually attributed to Vint Cerf. The earliest I can remember using it in my presentations is around 2003 or 2004. The general notion is that a lack of good cyber hygiene is at the heart of most cyber-attacks.

Why Cyber-Attacks Are Successful

Simple enough, but there’s an important idea in here. Study after study, and test after test gives us the same depressing result. Almost all successful attacks take advantage of conditions that could reasonably be described as “poor hygiene” including:

  • Failure to patch known vulnerabilities
  • Poor configuration management
  • Inefficient management of administrative privilege

This does not mean that system operators and users are lazy or don’t care.

At CIS, we attribute these failures primarily to the complexity of modern systems management, as well as a noisy and confusing environment of technology, marketplace claims, and oversight/regulation (“The Fog of More”). Defenders are just overwhelmed. Therefore, any large-scale security improvement program needs a way to bring focus and attention to the most effective and fundamental things that need to be done.

Basic Cyber Hygiene is Essential

We do this at CIS by moving “cyber hygiene” from a notion or tagline into a campaign of specific actions, supported by a complementary market ecosystem of content, tools, training, and services. We’ve recently codified our definition of “essential cyber hygiene” as consisting of the Safeguards found in Implementation Group 1 (IG1) of the CIS Critical Security Controls.

A concrete definition can be used to specify tools that can be used to implement the actions, measurements to track progress or maturity, and reporting that can be used to manage an enterprise improvement program. And in today’s environment of shared technology, linked by complex business relationships and hidden dependencies, this approach provides a specific way to negotiate “trust” and an “expectation” of security. (Are you a safe partner to bring into my supply chain? Can I count on this merchant to safely hold my financial information?) This approach way is better than paper surveys or inconsistent interpretation of abstract security requirements.

Our recent release of the CIS Community Defense Model v2.0 also provides the technical underpinning for that declaration. IG1 is not just another list of good things to do; it’s an essential set of steps that helps all enterprises deal with the most common types of attacks we see in real life.

Community and Cyber Defense

Cybersecurity defenders are already flooded with information about attackers, vulnerabilities, and malware. But, as with public health, most don’t have the time, expertise, or interest to read the latest research. They just want a way to focus on positive, constructive action. This is a core principle of what CIS brings to the community: a volunteer-driven approach to share ideas and labor, to focus on the most important things we need to do, and to help us all get there.

Learn more about how you can assess and remediate your implementation of the CIS Controls using the tools and resources available as part of a CIS SecureSuite Membership.

Tony Sager
Chief Evangelist



Tony Sager is a Senior Vice President and Chief Evangelist for CIS®. He leads the development of the CIS Controls®, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’s independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.