Worldwide Outdoor Retailer Uses the CIS Controls as Primary Framework

A worldwide outdoor retail corporation that operates a chain of superstores and mail-order catalogs uses the CIS Controls as its primary framework in a world where security is always a challenge.

Using the CIS Controls in Many Ways

We learned that the retailer’s IT Security Team uses the CIS Controls in a number of ways, including as an assessment, reporting, and training tool. We talked with one of their Security Analysts, who said that the security team goes through the CIS Controls twice a year and scores their progress. The CIS Controls are then ranked to determine the level of maturity. A review by the security team can then see that the CIS Controls are addressed, identify opportunities for improvement, and then map to an internal risk management framework. IT management then uses the CIS Controls to communicate their security status to upper management and make recommendations for improving their security posture. A high-level introduction to the CIS Controls is also provided in new-hire training to educate personnel about security risks.

Importance of Prioritization

The retailer uses frameworks such as NIST, ISO, and PCI, but the Security Analyst said: “Where we get the biggest bang for our buck is in the CIS Controls. They help us to prioritize the other compliance frameworks.” She said they use a mapping of the CIS Controls to multiple frameworks to show upper management their compliance with NIST, ISO, and PCI. While these other frameworks may be used, the Security Analyst said: “We see the real value is in the CIS Controls because they are more user-friendly and are a practical, prioritized framework.” We also learned that they rely on the CIS Controls heavily to help prioritize IT projects and daily activities and to get visibility into the current environment and to be the most secure.

“Where we get the biggest bang for our buck is in the CIS Controls. They help up to prioritize the other compliance frameworks.”
– Security Analyst
Worldwide outdoor retail corporation


The Security Analyst noted that the organization continues to mature CIS Controls while collaborating with the business to implement plans that meet organizational and security objectives. She said: “We are in a very competitive business, and we always have to balance the business needs with the security needs.” She concluded: “We like the fact that such a broad base of security professionals were involved with creating, drafting, and prioritizing the CIS Controls based on what is really going on out there in the world.”