Episode 156: How CIS Uses CIS Products and Services
In episode 156 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager are joined by Stephanie Gass, Sr. Director of Information Security at Center for Internet Security® (CIS®), and Angelo Marcotullio, Chief Information Officer at CIS. Together, they explore how CIS practices what it preaches by using CIS products and services internally, which includes implementation of the CIS Critical Security Controls® (CIS Controls®) and CIS Benchmarks®, automation, and alignment to compliance frameworks. Their discussion highlights how CIS builds a strong cybersecurity foundation while adapting to evolving threats and regulatory requirements.
The conversation dives into practical applications, cultural alignment, and the importance of repeatable processes for scaling security across new products and services. It also touches on the role of privacy regulations, cyber risk quantification, and the community-driven approach that underpins CIS best practices.
Here are some highlights from our episode:
- 01:12. Why CIS “drinks its own champagne” when it comes to cybersecurity
- 02:56. Three ways the CIS Controls help modern enterprises defend against threat actors
- 04:02. The importance of pulling together security lessons learned in a way that's translatable
- 10:03. Our use of the CIS Controls to align to SOC 2, ISO 27001, and other frameworks
- 12:01. How governance, risk, and compliance (GRC) engineering works with automation to help build repeatable processes
- 22:43. The role of collaboration and communication in building a cybersecurity program
- 27:17. Privacy regulations as a catalyst for security innovation
- 30:24. The CIS Community Defense Model and evidence-based practices
- 32:40. How CIS leverages lessons learned to improve our security best practices
Resources
- Episode 146: What Security Looks Like for a Security Company
- Implementation Guide for Small and Medium-Sized Enterprises CIS Controls IG1
- How to Construct a Sustainable GRC Program in 8 Steps
- Mapping and Compliance with the CIS Controls
- CIS Completes SOC 2 Type II Audit Using CIS Best Practices
- Episode 74: The Nexus of Cybersecurity & Privacy Legislation
- CIS Community Defense Model 2.0
- Episode 121: The Economics of Cybersecurity Decision-Making
- Episode 77: Data's Value to Decision-Making in Cybersecurity
- CIS Communities
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing [email protected].
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.