Reasonable Cybersecurity: From Legal Theory to Practice

Not long ago, “reasonable cybersecurity” was a term you’d mostly find in legal documents or regulatory filings. It was referenced in lawsuits and privacy laws, but it didn’t mean much to the people actually responsible for protecting systems and data. There was no clear definition, no roadmap, and no consensus on what made a security program “reasonable.” That lack of clarity left organizations guessing—and often exposed.

At the Center for Internet Security (CIS), we are working to change that. Our goal has always been to help organizations build cybersecurity programs that are effective, measurable, practical, defensible, and tailored to their real-world risks. Through tools like the CIS Critical Security Controls, the CIS Risk Assessment Method (CIS RAM), and our policy templates, we’ve created a foundation that organizations can use to make smart, risk-aware decisions—and back them up when it counts.

Why Reasonable Cybersecurity Matters Now More Than Ever

The legal landscape is catching up. States like Ohio, Utah, Connecticut, Iowa, and Texas have passed laws that explicitly reference reasonable cybersecurity. Many of these laws offer liability protections to organizations that follow recognized frameworks like the CIS Controls or the NIST Cybersecurity Framework. Other states—New York, Idaho, North Dakota, and Ohio—are weaving cybersecurity expectations into procurement rules, insurance regulations, and public-sector mandates.

This shift is important. Regulators and courts aren’t just asking whether you had security—they’re asking whether it was appropriate, documented, and based on a thoughtful risk assessment. Reasonable cybersecurity is becoming a standard that organizations need to meet, not just aspire to. And for consumers, this evolution offers something critical: assurance. When organizations adopt reasonable cybersecurity practices, they’re not just protecting their own assets—they’re safeguarding the personal data, privacy, and trust of the individuals they serve.

One Size Doesn’t Fit All

One of the most important lessons we’ve learned is that reasonable cybersecurity is contextual. What’s reasonable for a small nonprofit is different from what’s reasonable for a multinational financial institution. That’s why CIS introduced Implementation Groups (IGs)—a tiered model that helps organizations prioritize safeguards based on their size, resources, and risk exposure.

This approach ensures that organizations aren’t overburdened by unrealistic expectations. Instead, they’re empowered to make informed decisions about which controls to implement, how to justify them, and how to demonstrate that they’ve taken appropriate steps to protect their data. And when those decisions are made thoughtfully, consumers benefit—because their information is being handled with care, not just compliance.

Reasonable cybersecurity isn’t about perfection—it’s about making decisions that can be defended in court, in audits, and in the eyes of the public.

A Practical Guide for Defining Reasonable Cybersecurity

To help organizations navigate this evolving landscape, CIS developed A Guide to Defining Reasonable Cybersecurity. Created in collaboration with legal and technical experts, the guide offers a framework for building a cybersecurity program that meets today’s expectations—and tomorrow’s challenges.
It outlines how to evaluate your cybersecurity posture, apply risk-based methodologies, and align with defensible standards of care. Whether you’re a CISO, legal counsel, compliance officer, or IT leader, this guide provides the clarity and structure needed to move from ambiguity to action.

Looking Ahead

We’ve made real progress, but there’s more work ahead. At CIS, we’ll keep refining our tools, expanding our guidance, and working with partners across industries to make sure reasonable cybersecurity isn’t just a legal term—it’s something every organization can understand, implement, and trust.

Reasonable cybersecurity isn’t about checking boxes. It’s about making smart, risk-aware choices—and being ready to prove it when it matters most. And when done right, it doesn’t just protect systems—it protects people.