What are CIS Controls? Your Essential Business Security Framework Explained
Cybersecurity frameworks can be complex—but understanding these frameworks provides the foundation for building truly resilient organizational security. The Center for Internet Security (CIS) offers globally recognized controls that help organizations prioritize the most impactful actions to reduce risk. Whether you’re building a security program from scratch, or strengthening your existing protocols, these controls provide a clear path toward a more resilient security posture.
Our host, Mark Spaak, Director of Security, leads a series of short, focused videos that break down key CIS Controls into practical and easy-to-understand strategies. Each session highlights a specific control, from asset inventory to incident response, and offers quick, actionable insights your team can apply to strengthen your cybersecurity posture.
Why Bother? The CIS Roadmap
In this video, we explore why the CIS Controls are a critical foundation for cybersecurity, even for organizations that already follow other compliance frameworks.
According to the Center for Internet Security, implementing the CIS 20 Critical Security Controls can slash the risk of cyberattacks by 85%. While regulatory standards often emphasize documentation and reporting, CIS offers a prioritized, actionable blueprint designed to actively prevent large-scale cyberattacks. For mid-sized organizations, adopting CIS is a strategic move toward proactive security, helping teams focus on what truly reduces risk rather than simply meeting compliance requirements.
The Essentials: Shadow IT & Cloud Assets
In this video, we explore how unmanaged assets and unauthorized software — often referred to as Shadow IT — pose significant risks to an organization’s security posture.
Focusing on CIS Control 1 (Asset Inventory) and CIS Control 2 (Software Inventory), the session highlights why visibility is the first step in defense. You can’t protect what you can’t see. A single unapproved cloud service or overlooked endpoint can become the entry point for a major breach. Establishing a comprehensive inventory of hardware and software assets is essential to identifying vulnerabilities and enforcing security policies at scale.
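The inventory comparison this session describes can be reduced to a simple reconciliation: whatever shows up on the network or on an endpoint that is not in the approved list is a finding. The following Python script is an added example, not code from the video series or from CIS; the authorized hardware inventory, the approved software catalogue, the DHCP lease export and the endpoint software report are all constructed sample data, and the line formats are assumptions chosen for the example.

```python
"""Reconcile observed hosts and installed software against authorized inventories.

CIS Control 1 (Asset Inventory) and CIS Control 2 (Software Inventory) both come
down to the same comparison: what is actually present versus what is approved.
Every inventory and report below is constructed sample data for this example.
"""
from dataclasses import dataclass

# Authorized hardware inventory (constructed): MAC address -> (hostname, owner)
AUTHORIZED_HOSTS = {
    "aa:bb:cc:00:00:01": ("fin-laptop-01", "finance"),
    "aa:bb:cc:00:00:02": ("hr-desktop-03", "hr"),
    "aa:bb:cc:00:00:03": ("web-prod-01", "platform"),
}

# Approved software catalogue (constructed): package -> set of approved versions
APPROVED_SOFTWARE = {
    "openssh": {"9.6", "9.7"},
    "chrome": {"124", "125"},
}

# Constructed DHCP lease export, one lease per line: "<ip> <mac> <hostname>"
DHCP_LEASES = """\
10.0.1.10 aa:bb:cc:00:00:01 fin-laptop-01
10.0.1.11 aa:bb:cc:00:00:02 hr-desktop-03
10.0.1.12 aa:bb:cc:00:00:03 web-prod-01
10.0.1.57 de:ad:be:ef:12:34 raspberrypi
10.0.1.58 de:ad:be:ef:56:78 android-7f3a
"""

# Constructed endpoint software report, one line per package: "<hostname> <package> <version>"
SOFTWARE_REPORT = """\
fin-laptop-01 openssh 9.7
fin-laptop-01 chrome 125
fin-laptop-01 teamchat 3.1
hr-desktop-03 chrome 118
web-prod-01 openssh 9.6
"""


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str      # "unknown-device", "unapproved-software" or "unapproved-version"
    detail: str


def parse_leases(text):
    """Yield (ip, mac, hostname) tuples from the lease export, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        yield ip, mac.lower(), hostname


def find_unknown_devices(leases, authorized):
    """Control 1: any leased MAC that is absent from the authorized inventory is unmanaged."""
    return [Finding(hostname, "unknown-device", f"{mac} at {ip}")
            for ip, mac, hostname in parse_leases(leases) if mac not in authorized]


def find_unapproved_software(report, approved):
    """Control 2: flag packages outside the catalogue, and catalogued packages at unapproved versions."""
    findings = []
    for line in report.splitlines():
        if not line.strip():
            continue
        host, package, version = line.split()
        if package not in approved:
            findings.append(Finding(host, "unapproved-software", f"{package} {version}"))
        elif version not in approved[package]:
            allowed = ", ".join(sorted(approved[package]))
            findings.append(Finding(host, "unapproved-version", f"{package} {version} (approved: {allowed})"))
    return findings


def inventory_report(leases=DHCP_LEASES, report=SOFTWARE_REPORT):
    """Combine both checks into one list of findings for review."""
    return find_unknown_devices(leases, AUTHORIZED_HOSTS) + find_unapproved_software(report, APPROVED_SOFTWARE)


if __name__ == "__main__":
    for finding in inventory_report():
        print(f"{finding.kind:20} {finding.host:15} {finding.detail}")
```

With the constructed data the script reports two devices the inventory has never seen, one package that is not in the catalogue at all, and one approved package running at a version that is not. In practice the lease export and software report would come from the DHCP server and an endpoint agent respectively, and the point of running the comparison on a schedule is that the unknown-device list should stay empty.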
Access 101: PAM & RBAC
In this video, we explore how Privileged Access Management (PAM) and Role-Based Access Control (RBAC) help reduce insider risk and ensure users only have access to the systems and data necessary for their roles.
Focusing on CIS Control 5 (Account Management) and CIS Control 6 (Access Control), the session explains how RBAC limits access based on job responsibilities, while PAM adds an extra layer of protection for administrative tools and sensitive systems. Together, these controls help prevent misuse, whether intentional or accidental, by restricting access to only what’s needed.
The Data Vault: Governance & Recovery
In this video, we explore the critical connection between protecting data and ensuring it can be recovered when needed.
Focusing on CIS Control 3 (Data Protection) and CIS Control 16 (Data Recovery), the session highlights that while encryption helps meet compliance requirements, it’s the recovery strategy that determines whether a business can survive a breach. A strong backup plan must be immutable, air-gapped, and regularly tested to ensure resilience and continuity.
Stop the Bleeding: Configuration Drift
This video examines the concept of configuration drift — when systems gradually move away from their secure baseline settings.
Focusing on CIS Control 4 (Secure Configuration), the session explains how drift introduces inconsistencies that attackers actively seek out. Enforcing secure configurations across all endpoints and servers, ideally through automation, helps maintain a hardened and consistent environment.
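Detecting drift is a diff between a secure baseline and the configuration actually running on a host, and enforcing it is rewriting the host's configuration back to the baseline. The Python below is an added example, not code from the video series or a CIS benchmark; the baseline and the captured configuration are constructed in the style of an sshd_config, and the directives and values are illustrative choices for the example rather than a published benchmark.

```python
"""Detect configuration drift against a secure baseline and produce the corrected config.

The baseline and the captured file are constructed examples in the style of an
sshd_config. The parser follows sshd's documented precedence rule that the first
occurrence of a directive wins.
"""
from dataclasses import dataclass
from typing import Optional

# Secure baseline (constructed): directive -> required value
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Configuration captured from a host (constructed): two directives have drifted
# from the baseline and one is missing entirely, so the daemon default applies.
CAPTURED_CONFIG = """\
# sshd_config on web-prod-01 (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 10
"""


@dataclass(frozen=True)
class Drift:
    directive: str
    expected: str
    actual: Optional[str]   # None means the directive is absent from the captured file


def parse_config(text):
    """Parse 'Directive value' lines, ignoring comments and blank lines; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def detect_drift(baseline, captured_text):
    """Return one Drift for every baseline directive whose live value differs or is missing."""
    observed = parse_config(captured_text)
    return [Drift(key, value, observed.get(key))
            for key, value in baseline.items() if observed.get(key) != value]


def remediate(baseline, captured_text):
    """Rewrite the captured config so it satisfies the baseline.

    Lines the baseline does not govern are kept as they are; drifted directives are
    rewritten in place; duplicate occurrences are dropped so the enforced value is
    unambiguous; directives missing from the file are appended at the end.
    """
    lines = []
    seen = set()
    for raw in captured_text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        key = stripped.partition(" ")[0] if stripped else ""
        if key in baseline:
            if key not in seen:
                lines.append(f"{key} {baseline[key]}")
                seen.add(key)
            continue
        lines.append(raw)
    for key, value in baseline.items():
        if key not in seen:
            lines.append(f"{key} {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for drift in detect_drift(BASELINE, CAPTURED_CONFIG):
        print(f"{drift.directive}: expected {drift.expected!r}, found {drift.actual!r}")
    print("--- remediated ---")
    print(remediate(BASELINE, CAPTURED_CONFIG))
```

Against the constructed capture the check reports `PermitRootLogin` and `MaxAuthTries` as drifted and `LogLevel` as missing, and running the check again on the remediated output reports nothing. The missing-directive case matters in practice: a host that simply never received a setting looks identical to a compliant one unless the comparison treats absence as drift.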
The First Line of Defense: EDR & XDR
In this video, we explore how modern detection tools like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) go beyond traditional antivirus solutions.
Covering CIS Control 10 (Malware Defense) and CIS Control 7 (Vulnerability Management), the session emphasizes the importance of continuous vulnerability scanning and behavioral monitoring to detect and contain threats before they spread across the network.
The Wall: Zero Trust & Segmentation
This video focuses on securing networks in a perimeter-less world using Zero Trust principles and network segmentation.
Focusing on CIS Control 9 (Email and Web Defense) and CIS Control 12 (Network Infrastructure Management), the session explains how segmentation limits exposure and Zero Trust ensures that no user or device is implicitly trusted — even inside the network.
Eyes on the Prize: SIEM & Compliance
In this video, we explore the role of audit logs and Security Information and Event Management (SIEM) in both threat detection and compliance.
Covering CIS Control 8 (Audit Log Management) and CIS Control 13 (Security Monitoring), the session highlights how logs provide a reliable record of activity, while a managed SIEM enables real-time threat detection and demonstrates due diligence to regulators.
The Human & The Supply Chain Factor
This video examines the dual risks introduced by human behavior and third-party vendors.
Focusing on CIS Control 14 (Security Awareness Training) and CIS Control 15 (Service Provider Management), the session emphasizes that attackers often target the weakest link — which may be a vendor. Organizations must ensure both internal staff and external partners meet minimum security standards and are regularly audited.
The Emergency Drill: Business Continuity
In this final video, we explore the difference between incident response and business continuity, and why both are essential to surviving a major breach.
Covering CIS Control 17 (Incident Response Management) and CIS Control 18 (Penetration Testing), the session stresses the importance of having a tested plan to contain threats and maintain operations. Annual testing, including advanced penetration exercises, ensures your organization is prepared when it matters most.
Ready to Strengthen Your Cybersecurity Posture?
We hope this series has helped clarify how the CIS Controls can be applied to strengthen your organization’s cybersecurity posture. Whether you’re just starting or refining an existing strategy, understanding and applying these controls is a powerful way to reduce risk and build resilience.
Looking to take your cybersecurity efforts to the next level? Contact us today.