Episode 7: CIS Controls v8…It’s Not About the List

Part 1 of a 2-part series on the CIS Controls v8 update

In this edition of Cybersecurity Where You Are, host Tony Sager, CIS Senior Vice President and Chief Evangelist, welcomes guests Randy Marchany and Phyllis Lee. Marchany is the Chief Information Security Officer (CISO) at Virginia Tech, and Lee serves as Senior Director of the CIS Controls. The connection between the two guests is the CIS Controls, a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks.

This week’s Cybersecurity Where You Are podcast highlights the:

  • History of the CIS Controls
  • Guiding principles for CIS Controls v8
  • CIS Controls ecosystem
  • Practical implications for the Controls and real-world applications
  • CIS Controls life cycle

What started out as a community service project of sorts in early 2008 turned into what would later be known as the CIS Controls…version 1, if you will. Marchany was there from the beginning. Listen as he describes the process involved in creating the first version of the Controls, his volunteer work on every subsequent version, and his role in teaching the Controls through SANS courses.

Jump ahead 13 years, and Lee led the team that created CIS Controls v8. While the Controls may have changed a bit over the years, the focus remains the same…creating practical, achievable, and measurable cybersecurity guidance that organizations can implement to hit the ground running. It took nine months to create the document for v8; Lee tells us what it’s like to build a new version of the Controls.

Updated to Keep up with the Ever-Changing Cyber Ecosystem

Since the beginning, the process of creating new versions of the CIS Controls hasn’t changed much: they are updated based on changes in technology and evolving threats. CIS Controls v8 has been enhanced to keep up with modern systems and software. The move to cloud-based computing, virtualization, mobility, outsourcing, work-from-home, and changing attacker tactics prompted the update, which supports an enterprise’s security as it moves to fully cloud and hybrid environments.

The updated CIS Controls cooperate with and point to existing independent standards and security recommendations where they exist, and are mapped to and referenced by multiple legal, regulatory, and policy frameworks. They are something that organizations can implement on their networks while also accommodating how they are managed and governed.

CIS Controls v8

Whether you use the CIS Controls or another approach to guide your security improvement program, you should recognize that “it’s not about the list.” It’s about making the list smaller and more manageable. The v8 release is not just an update to the Controls; the entire ecosystem surrounding the Controls has been (or soon will be) updated as well. This includes:

  • CIS Controls Self Assessment Tool (CSAT) (Hosted & Pro)
  • Community Defense Model (CDM)
  • CIS Risk Assessment Method (CIS RAM)
  • CIS Controls Mobile Companion Guide
  • CIS Controls Cloud Companion Guide
  • Mappings to other regulatory frameworks

Episode Resources