I know for us, the CIS Controls help in a couple ways:
- One, it's a level set for our customers so that they understand the framework we're using and that it's something that's broken down into fairly simple components. They do get more and more mature as you get into them, but the reality is you can have a pretty fundamentally easy conversation about what they are.
- And then we also use this to actually talk to our board about the security we put in place.
So again, you don't necessarily have to have a deep-dive knowledge of security to understand fundamentally how these work. But for those of us in security, it gives us a framework to talk about to other folks. And it really helps drive a maturity for ourselves, for our own organization, and it's ever evolving. So, the Critical Security Controls are global industry best practice. It's a volunteer firm that works together with anybody that's willing to participate.
And they have a huge volunteer organization that comes together on a regular basis to understand what is the attack landscape looking like, and how do these controls need to change? So, it's not us individual security folks having to research this and come up with our own plan. We've got thousands of people helping put this format together. And again, these are general guidelines, and they're pretty consistent and valid to work from.