Year after year, investigations performed after breaches and other security incidents reveal that the majority of those incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed. The major problem in cyber security remains a lack of defined and repeatable processes for selecting, implementing and monitoring the security controls that are most effective against real-world threats.
The Center for Internet Security (CIS) Critical Security Controls have proven to be a valuable, effective framework for addressing this problem. First, the Controls are informed by real-world attacks and effective defenses, creating a prioritized set of actions that organizations can take to assess and improve their current security state. Second, the Controls are not static: each new release harnesses the experience of a global community to ensure that the Controls remain well-vetted and supported.