Security is important. Companies and organizations of all sizes know that. It consumes boardroom discussions and captures headlines. There is no dispute. The challenge (and friction) centers on what to do about it. Where do we start? And why?

Have you considered or adopted the CIS Critical Security Controls?

The controls aren't new. They are often cited, and I wanted to explore their value in helping us bring people together and guide action. To learn more, I spoke with Tony Sager, Senior Vice President & Chief Evangelist at the Center for Internet Security (Company LinkedIn, @cisecurity).

Tony leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Tony's experience includes 34 years in Information Assurance at the (U.S.) National Security Agency. In 2001, Tony championed the release of NSA's security guidance to the public. He also expanded NSA's role in the development of open standards for security.

I met Tony a few years ago on a broad-ranging security panel. I was immediately impressed with his knowledge and approach then, and our recent conversation was a delight. If you get the chance to learn from or speak with him, take it. You'll be better as a result. In the meantime, check out the insights he shared in our five questions together.

You point out that companies care, but they have a few struggles we need to collectively address. What's going on?

As a career-long defender, today's situation seems very odd to me. We have more security tools and technology, training and certifications, vulnerability and threat intelligence feeds, security frameworks, etc. than ever in our history. Yet we seem to be getting worse, or at least improving more slowly than the Bad Guys are improving. And the problem is getting more complex. New technology means that our data and applications are not under our direct control, and complicated (and changeable) business relationships mean that our risk is shared across many parties.

I think most of us are overwhelmed by what I've called the security "Fog of More": more guidance, warnings, advice, products, marketing, training, certifications, and so forth than we can usefully absorb - often conflicting and all delivered in specialized techno-speak. And coming up fast are regulators, lawmakers, insurers, auditors, lawyers - all the social forces trying to bring order to chaos. In such a world, every enterprise has more in common than is different, and we should use that approach to identify and drive collective action. We all face a common "soup" of vulnerabilities, threats, and attacks, whether we know it or not, either directly, or through one of our supply chain partners. Therefore we're better off sharing insight, labor and action on solutions to these problems. That's the philosophy behind the CIS Critical Security Controls, and all of the programs at the Center for Internet Security.

Where did the Top 20 Controls get started?

I spent the first 35 years of my career at NSA in the business of security testing for defense, from cryptography, through design, product, and operational testing (e.g., Red and Blue Teams). This gave me the chance to see a LOT of failures - to observe how things break, or can be made to break. In the very late 1990s, our teams started to translate this knowledge into documented security guidance for our DoD and Intelligence Community customer base, in the form of the NSA Security Guides.

But it was becoming very clear that the DoD was moving to a more powerful but complex model of "coalition" warfighting as well as dependency on many commercial suppliers, shippers, and other partners. In other words, there was no simple "network perimeter" to be defended, only a complex set of fast-changing mission and business partnerships. In other words, DoD security could not improve without improvement by many others. So in 2001, we got permission to release the NSA Security Guides to the public through www.nsa.gov. My basic pitch to management? We will create more positive change by "giving stuff away" than by trying to be in charge.

What became the Top 20 Critical Security Controls flowed from that same approach - how can we prioritize and help enterprises focus on the most important and effective steps to stop attacks? In about 2008, a handful of us created a simple 2 page list for some key friends in the DoD - "if you don't know what to do, here's where to start". Security professionals love to brainstorm all the bad things that MIGHT happen; we chose to focus on what we KNEW was happening and how to prevent it. The list was picked up by the SANS Institute and turned into a world-wide community volunteer project. After I retired from NSA in 2012, I wound up taking over the project, and with the support of SANS and several other companies moved it into an independent, non-profit home, now the Center for Internet Security.

Most recognize the controls as solid guidance, but then struggle with getting started. Where do we start?

"Where do we start?" is one of the most frequent questions I heard when I began speaking in public in 2001. For me, the answer was always about "visibility" - what devices are in your enterprise, what software is running, how is it being operated (patched and configured)? If you don't know what you have, it is hard to defend it. These kinds of things provide the basic operational foundation for understanding your environment and where it is vulnerable, spotting the Bad Guys, deploying defenses, and even recovering from the inevitable problems. There's a lot more to do for effective defense, but these are the best starting points. More recently, we have emphasized management of the people who can change or bypass your security controls ("administrative privilege"). We have codified these ideas in the Top 5 of the CIS Controls. Also note that these ideas are not unique to security, but are just good operational IT management practices.

In a recent survey of adopters of the CIS Controls, we found that enterprises overwhelmingly endorsed the first few Controls as the most valuable for defense. But they also highlighted them as very challenging to implement, and so we're working to provide more specific help on implementing and prioritizing action. We're also reaching out to solution vendors so that their products and services are "tuned" to the CIS Controls and the most important problems to be solved.

The controls aren't new. People like them, but then struggle to get them implemented. Do we have evidence they work?

There aren't any straightforward algorithmic answers in cyber defense, but there's lots of evidence. For example, any large scale data-driven study of Internet attacks reaches a similar conclusion: the vast majority of attacks (in the 80-90% range) are enabled by the failure or lack of basic defenses. This is why we work with numerous companies in the threat intelligence marketplace to map summaries of what they are tracking (like the Symantec Internet Security Threat Report, the Verizon Data Breach Investigations Report) directly into the CIS Controls. Similarly, the US-CERT attributes 85% of the security incidents they manage to the absence or failure of the same 5 defensive actions. You'll find similar data and thinking behind projects like the DHS Continuous Diagnostics and Mitigation (CDM) Program, the Australian government's "Top 35" list, and the NSA "Top 10 Information Assurance Mitigations".

What can a security leader do to get started down the path of encouraging their organization to move in this direction?

"It's not about the list." I often say this about the CIS Controls. You can find great lists of things to do on every virtual cybersecurity street corner, from abstract to specific, from simple to overwhelmingly large and complex, and from every possible source. Most of them are just repeating the same ideas over and over. In fact, we provide cross-mappings from the CIS Controls to every framework we can find, like ISO, COBIT, PCI, NIST, etc. We're not trying to create another competing regulatory or compliance framework. We're trying to help you succeed in a very complex problem.

In my experience, it's hard to have an original thought or a unique problem in security. So a foundational part of the CIS model is to create and sustain communities that allow security leaders to help each other identify problems, barriers, and solutions together. There's a rapidly growing ecosystem of references, resources, tools, and consultants building up around the CIS Controls. For example, you'll find them referenced in the NIST Cybersecurity Framework, and recommended by the California Attorney General's 2015 Data Breach Report, the National Governors Association, and numerous other places. Over the next few months, we'll also be providing you with more help to prioritize and measure your implementation of the CIS Controls, new complementary content to help you implement them, a collaborative workspace for sharing ideas, and better pointers to resources and working aids (like mappings, tools, use cases, etc.).

So the CIS Controls are more of a "movement" than a list - one that you can join, contribute to and learn from. And to be successful, a security leader must also be a corporate leader - executive leadership, HR, legal, IT Operations, etc. all have vital roles and the CIS Controls provide you with an opportunity to bring all of their actions into alignment.
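The "visibility" answer above (what devices are in your enterprise, what software is running) is the part of the conversation that turns into day-to-day work, so here is an added example of what that first step looks like in practice. It is not code from the interview or from the Center for Internet Security; it reconciles a constructed authorized-device list against devices actually observed on the network, as parsed from constructed DHCP lease log lines. The log format, MAC addresses, hostnames and the seven-day staleness window are all assumptions made for this illustration.

```python
"""
Added example (not the interview's or the CIS project's own code): a minimal
hardware-inventory reconciliation in the spirit of the CIS "know what you
have" starting point. It answers two questions: which devices are on the
network that nobody authorized, and which authorized devices have not been
seen recently (lost, retired, or off the network you think they are on).
All data below is constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed authorized inventory: MAC -> (hostname, owning team). In a real
# deployment this comes from the CMDB or inventory tool of record.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("fin-laptop-01", "finance"),
    "aa:bb:cc:00:00:02": ("hr-desktop-07", "hr"),
    "aa:bb:cc:00:00:03": ("ops-jump-01", "it-ops"),
}

# Constructed DHCP server log lines. The layout is modelled loosely on ISC
# dhcpd DHCPACK messages but is an assumption for this example, not a spec.
DHCP_LOG = """\
2024-05-01T08:02:11 dhcpd: DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:01 (fin-laptop-01) via eth0
2024-05-01T08:05:40 dhcpd: DHCPACK on 10.0.1.22 to aa:bb:cc:00:00:02 (hr-desktop-07) via eth0
2024-05-01T08:09:03 dhcpd: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:99 (raspberrypi) via eth0
2024-05-01T08:10:15 dhcpd: DHCPDISCOVER from 11:22:33:44:55:66 via eth0
"""

# Only DHCPACK lines represent a confirmed lease; DISCOVER/OFFER are ignored.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Lease:
    seen: datetime
    ip: str
    mac: str
    hostname: str


def parse_leases(log_text):
    """Extract confirmed leases from raw log text; unparseable lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        leases.append(
            Lease(
                seen=datetime.fromisoformat(m["ts"]),
                ip=m["ip"],
                mac=m["mac"].lower(),
                hostname=m["host"] or "",
            )
        )
    return leases


def reconcile(authorized, leases, now_iso, max_age=timedelta(days=7)):
    """Compare what is authorized with what was observed.

    Returns a dict with:
      unknown - leases for MACs that are not in the authorized inventory
      unseen  - authorized MACs with no lease, or whose last lease is older
                than max_age relative to now_iso
    """
    now = datetime.fromisoformat(now_iso)
    observed = {}
    for lease in leases:  # keep the most recent lease per MAC
        if lease.mac not in observed or lease.seen > observed[lease.mac].seen:
            observed[lease.mac] = lease
    unknown = [l for mac, l in observed.items() if mac not in authorized]
    unseen = [
        mac for mac in authorized
        if mac not in observed or now - observed[mac].seen > max_age
    ]
    return {"unknown": unknown, "unseen": unseen}


if __name__ == "__main__":
    result = reconcile(AUTHORIZED, parse_leases(DHCP_LOG), "2024-05-01T12:00:00")
    for lease in result["unknown"]:
        print(f"UNAUTHORIZED  {lease.mac}  {lease.ip}  {lease.hostname!r}  seen {lease.seen}")
    for mac in result["unseen"]:
        host, owner = AUTHORIZED[mac]
        print(f"NOT SEEN      {mac}  {host}  owner={owner}")
```

Run as-is, the constructed data yields one unauthorized device (the Raspberry Pi on 10.0.1.57) and one authorized device that never appeared (ops-jump-01). The same shape of check, fed from your real DHCP, switch or EDR data instead of the constructed log, is the concrete form of "if you don't know what you have, it is hard to defend it": the unknown list is where to start looking for things that should not be there, and the unseen list is where the inventory itself is stale.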