“The CIS Critical Security Controls have always provided a prioritized list of security controls to quickly secure your environment. Even if you can’t do everything (and let’s face it, most people can’t), you can easily create a plan for intelligently moving forward.”
Senior Manager of IT Security
CIS Controls Community Volunteer
“The CIS Controls are the friendliest framework for organizational security. They constitute a clear path to success that's built and updated by a small community of subject matter experts who are always looking for additional guidance and refinement."
Senior Security Partner Strategist
Amazon Web Services (AWS)
CIS Controls Community Volunteer
“CIS controls and standards help new Fintechs like TASConnect by providing a clear set of baselines for secure configuration of common digital assets. By following a well-defined path to minimize the attack surface, TASConnect was able achieve a more mature security posture within a short time for its security set up. This has also enabled TASConnect to demonstrate its security posture and cybersecurity commitment.”
“The CIS Control framework along with CIS-RAM are exactly what you need to develop organizational cyber defense capabilities , as well conducting cyber risk assessment to make well-informed decisions about prioritization and implementation of the CIS Controls regardless of organization complexity in-line with global best practices. CIS framework is easy to map with program and risk frameworks, and reverse mapping features.”
Adham Etoom, PMP®, GCIH®, CRISC®, FAIR™, CISM®
Government of Jordan, NCSC
“We use the CIS Controls to help our clients achieve compliance with state and federal cybersecurity regulations. The CIS 18 are prioritized, easy to understand, and extremely cost-effective for small to mid-size organizations looking to prove they are secure enough to do business in today’s marketplace. I highly recommend starting with CIS in building your cybersecurity program.”
The Long Law Firm, PLLC
“Too often, people think that CyberSecurity means making IT hard to use and stopping people from doing their jobs. I call this the “wrong security”. The CIS Controls show that good security doesn’t have to be this way. We’ve spent years applying the controls to systems in the UK Public Sector, and now are pleased to be taking this to our SMB clients.”
Chief Technology Officer, UK
“The fact that the CIS Controls crosswalks to the other frameworks is very helpful to us. If we go into an entity that has to comply with another framework, we’re often able to show them how our evaluation crosses over with whatever they’re required to comply with. We don’t have to become specialists in eight different control frameworks. We can be specialists in this one framework and then help our audit clients understand how they are related.”
IT Security Audit Manager
Washington State Auditor’s Office (SAO)
“Cybersecurity can be an overwhelming undertaking for organizations that lack the staff or knowledge. The CIS Controls take the guesswork out of what steps to implement. The Implementation Groups (IGs) take an overwhelming list of controls and essentially turns them into a checklist that is very easy to understand. I have found the CIS IGs to be very helpful when explaining to school officials and municipal leaders the steps or controls that need to be implemented to raise their security posture.”
Director of Technology
New Hampshire Hillsboro-Deering School District
“Applying the Controls in a school environment is very important to me. Controls 1 and 2 (Inventory) as well as Control 6 (Monitoring Logs) and Control 15 (Wireless Control) are the most useful CIS Controls. Of course, the goal is to apply all possible CIS Controls to achieve a higher level of security.”
Technician and Educator
Italian Ministry of Education
CIS Controls Community Volunteer
“I strongly believe that good IT operational practices drive a reduction in cybersecurity-related risk and that the CIS Controls help drive those operational practices. I wanted to help develop the CIS Controls and use my quarter of a century experience in this sector to make them even more effective.”
Director, SAM for Compliance Ltd.
CIS Controls Community Volunteer
“It’s been a good experience working with the community in the Controls update process. I’ve made many connections and had many discussions on Controls, especially for small businesses.”
CIS Controls Ambassador
“Falling into the CIS Controls framework was absolutely fantastic for us. I smiled ear to ear when I realized that there is a way to build a standard to measure against.”
CEO of a Small Consulting and Development Services Organization located in Upstate NY
‘What the CIS Controls have done is formatted a way for people to begin their cyber journey and for larger organizations, I have found that the Top 20 actually helps them organize.’
Michael A Echols
CEO, IACI (International Association of Certified IASOs)
“When dealing with critical infrastructure, such as election system security, CIS provides an incredible resource [CIS Controls] to help prioritize security controls. With numerous support guides [CIS RAM, A Handbook for Election Infrastructure Security, etc.] focused on risk assessment, system hardening, and metrics, the sting of compliance work has been removed, allowing us to speed up the implementation of our security program.”
SAIC – Security Architect for the Colorado Secretary of State’s Office
“The [CIS Controls] are a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense.”
Centre for the Protection of National Infrastructure
“The [CIS Controls] identify a minimum level of information security that all organizations that collect or maintain personal information should meet.”
Kamala D. Harris, Attorney General
California Department of Justice
California Data Breach Report
“The CIS Controls take the background and knowledge of cybersecurity experts literally around the world and help focus efforts on things that are of most value. Directly impacting the adversaries and challenges we face today on our networks.”
Harley Parkes, Director
IACD (Integrated Adaptive Cyber Defense)
“The CIS Controls definitely fills a gap where other leading frameworks gloss over and that is where we reference them.”
Tom Cornelius, Senior Partner
“The CIS Controls have been tremendously successful in that they give a company an education about the behavior of the bad guy, how they attack an organization; and where you can manage not only your business risk, which is really important but your technical and IT risk within a company.”
Chief Cybersecurity Executive, Advanced Cybersecurity Group
“In 2015, I came across the CIS Controls and fell in love with the CIS Controls spreadsheet. We adopted the CIS Controls as our framework going forward.”
John Nord, Manager of IT and Business Systems
“The CIS Controls helped us set a vision for the state and gave us a framework for the implementation.”
Thomas Olmstead, CISO
State of Iowa
“I’m a huge fan of the [CIS] Controls…CIS Controls provide a strong story and framework.”
Christophe Demoor, CISM
“The CIS Controls are the best signpost out there to do something that will have an actual, concrete, and immediate effect.”
President and CEO, Global Cyber Alliance
“This is where the [CIS Controls] are almost perfect for establishing a security baseline for smaller organizations.”
James Jacobs, CEE
“Start by taking care of the basics: build a solid cybersecurity foundation by implementing the [CIS Controls], especially application white-listing, standard secure configurations, reduction of administrative privileges, and a quick patching process.”
Zurich Insurance Group
Risk Nexus: Overcome by cyber risks?
Economic benefits and costs of alternate cyber futures
Since we switched over to a standardized CIS Benchmark, it’s easy for us to give the auditor the data and say: We’re using CIS and these devices are going to be compliant with that, because we implement the CIS Benchmarks through group policy. If we fall in alignment with these configuration standards, it just clearly makes sense that it could really lighten the workload on the team of the State of Minnesota. I’m really impressed [by] the value you get with CIS. It’s huge.
State of Minnesota Security Architect
Without this resource, the hardening of our devices would have taken a lot longer and required many meetings between IT and Security to debate which configuration settings to change and the impact they could have. The CIS Benchmarks provided the necessary information to alleviate many of the fears IT may have had with changing specific settings.
Banking Information Security Engineer
The content comes from a diverse set of contributors and considers realistic threats. The CIS Benchmarks content is then presented as a series of recommendations, with rationales, that should be considered by the implementer and selected as appropriate to their use case.
Information Security Consultant
CIS Benchmarks are very useful to apply security best practices on our platform and for the secure configuration of our system.
Information System Directorate
We needed to reach a security compliance for one of our clients and using CIS we were able to generate reports to prove our process
Director of Information Technology
Spring Design Partners, Inc.
New York, USA
Thank you for your efforts to better secure the overall cyber environment.
Security Technical Architect
Asset Management & Business Processing Solution Company
CIS’ collaborative correlation between standards facilitates the time to market our supplied assets covered by the CIS Benchmarks.
Cyber Information Assurance Specialist
Defense Technology Company
“Integrating the CIS-CAT Pro Assessor and CIS Benchmarks directly into Puppet’s infrastructure compliance automation solutions has been a game-changer for our enterprise customers. Now they can address their compliance needs from Day 0 through Day 2 operations, alleviating their dependence on security or compliance professionals to manually interpret, declare, and enforce desired state. Puppet’s partnership with CIS provides peace of mind that infrastructure is – and remains – compliant with evolving security best practices.”
CISM PCI-P CTMA CPSP CPFA
Sr. Director of Product Marketing
Puppet by Perforce
Every month, we report on compliance levels against the CIS Benchmarks. This puts us in a position where we can actively reassure customers that we're keeping their systems hardened to the required levels. Using Group Policy to actually implement the hardening guidelines has been a huge helping hand, as well. It's drastically reduced the amount of operational work that goes into achieving different levels of compliance.
Mission Critical Engineer
My team and I are responsible for assuring customers, which are banks, that we take their security seriously. Using the CIS Benchmarks helps me say, 'Yes, we do have control of our security configurations in our environment.' With the CIS Benchmarks, we're able to hold our systems to a high standard.
Director, Information Security Officer
We don't let any servers onto our production network unless they pass one of the CIS Benchmarks. This would be impossible without some sort of automated tool like CIS-CAT Pro Assessor to scan the configurations. Can you imagine trying to go through more than 200 individual configurations manually? We can't hire enough staff to do this, so CIS-CAT fulfills a particular niche in our security program.
Director of Information Technology Security & Compliance
CIS-CAT Pro is a real solid foundation by which you can go to any customer and show them: Look, here’s what the Center for Internet Security tells us we need to be doing to lock your systems down. You can read what Tony Sager says – stop chasing shiny objects and get back to the basics.
BFB Consulting President
CIS SecureSuite Membership provides excellent value. It should be part of everybody’s security program.
We work with sensitive information on a daily basis. The CIS Controls along with CIS-CAT Pro, a proven and indispensable tool, helps us to evaluate and maintain a security baseline for our IT infrastructure.
Sasawat Malaivongs, Business Director
Being SOC 2 compliant, adopting a hardening standard is required and we have found that CIS fits that requirement. The support of multiple operating systems is key in our environments and CIS provides that. For all of our systems, we are standardizing our hardening standards on CIS.
VP of IT
Small U.S. Business
Thank you for the services you provide, they are very valuable and appreciated.
Keith Guest, PMP, Computer Specialist
Information Services Division, Enterprise Services Center
A division of the Federal Aviation Administration
Washington D.C., USA
The CIS SecureSuite membership is the most important membership for the compliance reviews of information security available in the market today. It reduces labor cost to develop standards by comparing control effectiveness against CIS Benchmarks.
Senior Manager Information Security & Compliance: Internal IT
International Public Service Information & Communications Technology Agency
We’re very happy with CIS and the work that you guys are doing to help businesses like ours develop and validate our security posture.
Information Security Officer
Payment Solution Company
Allgress currently uses the CIS Hardened Images in our deployments to eliminate almost all of the manual work when it comes to locking down our servers. It reduces time, cost and risk by not having to manually configure our servers from scratch.
Jeff Kushner, Chief Marketing Officer
Based on the value, time and costs saving, I would not consider spinning up a AWS server without adding the CIS security to it for any production-level instance.
V.P. Application Lifecycle Management
CIS images are continuously maintained by CIS to ensure configuration changes and patches are current and available so it saves us time and money.
Khaja Syed, President/CEO
Using an industry standard offers time savings which is a huge benefit of using the CIS hardened images. We don’t have to build an image from scratch and then apply additional controls.
Waqasul Haq, Chief Security Architect
The CIS images are cost effective and cover various operating systems which align well with our customers.
Jordan Thomas, VP Software and Services
Malicious Domain Blocking and Reporting (MDBR)
“For California, the Malicious Domain Blocking and Reporting (MDBR) service has been effective as an additional source of threat intelligence. This capability adds an additional element of automation in our security operations processes and playbooks, resulting in greater efficiencies. The preventive blocking and reporting provides metrics on true positive and high-fidelity events, allowing our internal teams to focus on more sophisticated attacks.”
Chief Information Security Officer
State of California
“Prior to Albert, I had no mechanism for fully analyzing my incoming and (just as importantly) outgoing electronic traffic. I now have a reliable, affordable, and trusted source that inspects ALL of my traffic in both directions.”
Marion County, Florida Elections
Sources Going Back to December 2019 (Case Studies):
Washington State Auditor’s Office: https://www.cisecurity.org/insights/case-study/washington-state-auditors-office-uses-cis-controls-to-perform-effective-security-audits/
Minnesota Security Architect: https://www.cisecurity.org/insights/case-study/tackling-audits-and-cloud-security-efficiently-and-at-scale/
New Hampshire: https://www.cisecurity.org/insights/case-study/school-district-enhances-cyber-hygiene-with-cis-controls/
BFB Consulting: https://www.cisecurity.org/insights/case-study/how-to-choose-a-cybersecurity-consultant-what-are-their-security-best-practices/