Today, I will be going over Control 17 from version 7 of the CIS top 20 Critical Security Controls – Implement a Security Awareness and Training Program. I will go through the nine requirements and offer my thoughts on what I’ve found.
Key Takeaways in Control 17

  • Less focus on metrics. The previous security awareness control had multiple sections on metrics and improving the overall compliance score. This round of controls is focused more on just establishing a method to deliver continuous training while only highlighting a handful of the most common attack vectors.
  • Outsourcing continues to be ideal. Security teams are already under-staffed, underfunded, and overworked. Establishing an awareness training program from scratch will be a time-consuming process that may be better suited for a third party to develop and deliver.

Requirement Listing in Control 17

1. Perform a Skills Gap Analysis

Description: Perform a skills gap analysis to understand the skills and behaviors to which workforce members are not adhering, using this information to build a baseline education roadmap.

Notes: Performing a true skills gap analysis across the organization is going to be a time-consuming process. If you are just starting out on your journey of security awareness training for the organization, it may be best to look for a third party for help.

2. Deliver Training to Fill the Skills Gap

Description: Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.

Notes: Delivering the training simply closes the loop opened in the first section. Training can be delivered either as in-person presentations or as automated videos delivered through the web. The size and complexity of your organization will most likely determine which route you will want to go.

3. Implement a Security Awareness Program

Description: Create a security (Read more...)