Episode 165: An In-Depth Look at CIS Controls Implementation

Update: 2025-12-10

Description

In Episode 165 of Cybersecurity Where You Are, Tony Sager sits down with Valecia Stocchetti, Senior Cybersecurity Engineer at the Center for Internet Security® (CIS®), and Charity Otwell, Director of Critical Security Controls at CIS. Together, they take an in-depth look at implementing the CIS Critical Security Controls® (CIS Controls®), including what you need to know to begin your own CIS Controls implementation efforts.

Here are some highlights from our episode:

00:53 . Introductions to Valecia and Charity
02:48 . How the CIS Controls ecosystem answers the deeper question of how to implement
06:42 . The importance of clear strategy, business priorities, and a realistic timeline
09:56 . How the CIS Community Defense Model (CDM) clarifies cyber defense priorities
13:01 . The use of calculations around costing to make a security program achievable
15:31 . Bringing IT and the Board of Directors together through governance
20:36 . "Herding cats" as a metaphor for navigating different compliance frameworks
23:17 . Why one prescriptive ask per CIS Safeguard starts cybersecurity workflows
25:30 . "Why" vs. "how" communication, accountability, staffing, budget, and continuous improvement as keys to success for CIS Controls implementation
42:03 . CIS Controls Assessment Specification as an answer to implementation subjectivity
47:21 . Parting thoughts around team effort, change, and CIS Controls Accreditation