Cybersecurity Quarterly Fall 2025



When Threats Evolve, So Do We

Building Resilience Against an Expanding Cyber Threat Landscape Through Collaboration and Shared Defense

Adapting Your Security Program to New and Emerging Technologies

How Today's Regulatory Climate Has Made Cyber Risk an Executive-Level Priority

Using the CIS Controls to Help Your Organization Align IT Security and Governance Policies

In a world of ever-evolving threats, cyber defense cannot be rigid and inflexible. Organizations must adapt to new threat vectors and technologies, be resilient in the face of constant attacks, and most importantly, work together to ensure their collective security.

Built-In Security You Can Trust

CIS Benchmarks are globally recognized as robust security standards.

Editor-in-Chief Michael


Contact CIS at learn@cisecurity.org or call 518.266.3460

© 2025 Center for Internet Security. All rights reserved.


Stephanie

Patrick

Thomas Sager

Natalie Schlabig


Quarterly Update with John Gilligan


Fall is a time that marks the end of summer and a changing of the seasons. This is also the case for the Center for Internet Security® (CIS®) and the Multi-State Information Sharing and Analysis Center® (MS-ISAC®). We recently learned that the Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security (DHS), is not planning to award a contract for continuing federal funding for the MS-ISAC, which ended on September 30, 2025. This marks a departure from a 20-year history of federal funding of the MS-ISAC and a decision by the Administration not to spend funds that had already been appropriated by the U.S. Congress. While the decision is disappointing in the face of the enormous value that the MS-ISAC has provided to U.S. State, Local, Tribal, and Territorial (SLTT) governments, the need for support has not diminished. If anything, the increasing number and sophistication of threats against U.S. SLTT organizations necessitates far greater emphasis on improving the security resilience of the MS-ISAC.

Fortunately, in working with state and local CIOs and CISOs, CIS has successfully launched a subscription membership model to fund the MS-ISAC. Even though the Administration’s funding decision had no advance notice, and in the face of financial pressures on almost all state and local government organizations, MS-ISAC members have strongly supported the new fee-based membership options. In addition to the traditional products and services that the MS-ISAC has provided, the MS-ISAC has added a couple of new products and services. Chief among these are the expansion of threat notification and analysis beyond traditional cyber threat notifications to include physical and information operations threats. These threat notifications are also being developed for non-technical customers. On top of that, the MS-ISAC will be providing support to states and territories as they seek to accelerate their “whole of state” efforts to strengthen security resilience across their entire state or territory. By partnering with each state and territory to share best practices as well as to assist in the planning and execution of "whole of state" efforts, CIS and the MS-ISAC will help accelerate improving security resilience among cities, towns, tribes, and government-run critical infrastructures.

In this issue of Cybersecurity Quarterly, Carlos Kizzee, SVP MS-ISAC Strategy and Plans, reviews a recent publication by the MS-ISAC Executive Committee, Strengthening Critical Infrastructure: SLTT Progress & Priorities (vol. 2). This report complements the earlier, shorter volume and highlights the progress that has been made by U.S. SLTT organizations in improving their security resilience. It also outlines specific priorities for continuing this progress. Also, Josh Franklin, CIS Sr. Cybersecurity Engineer, and Thomas Sager, CIS Cybersecurity Engineer, cover how to secure emerging technologies leveraging CIS resources, highlighting the CIS Critical Security Controls® (CIS Controls®) Internet of Things Companion Guide and Introduction to Artificial Intelligence: Security Concerns for Small- and Medium-sized Enterprises (SMEs).

Sarah Day, Senior Cybersecurity Engineer with CIS, writes about our white paper that addresses the opportunities and challenges of leveraging the CIS Controls in security governance efforts. Meanwhile, Elizabeth Wu from Cybersecurity Auditing Technologies discusses state safe harbor laws and how cybersecurity should be governed at the executive level of organizations.

In addition, Tom Stockmeyer from Cyware highlights the importance of collaboration in security and working together across sectors to secure critical infrastructure. Finally, CIS’s Stephanie Gass explores building cybersecurity culture to improve organizational resilience.

I hope you enjoy this quarter’s issue.

Best Regards,

News Bits & Bytes

CIS Re-elected to PCI Security Standards Board of Advisors

The Center for Internet Security® (CIS®) has been re-elected to the Payment Card Industry (PCI) Security Standards Council (SSC) Board of Advisors for the 2025-2027 term. This re-appointment highlights CIS's continued commitment and valuable contribution to enhancing global payment security by collaborating with industry leaders to develop and promote data security standards and programs.

CIS is one of 64 board members to join the PCI Security Standards Council in its efforts to secure payment data globally. As strategic partners, board members bring industry, geographical, and technical insight to PCI SSC plans and projects. Learn more about our re-election and work with PCI SSC here.

CIS Awarded AWS Government Competency

CIS has achieved Amazon Web Services (AWS) Government Competency status with badge in the Citizen Services and Defense & National Security categories. This designation recognizes that CIS successfully meets AWS’s technical requirements and demonstrates experience in delivering quality solutions to help civilian agencies, national defense and intelligence communities, and state and local governments meet mandates, reduce costs, drive efficiencies, and increase innovation. Read more here.

Texas Safe Harbor Laws and CIS Controls

Texas Governor Greg Abbott signed Senate Bill 2610 into law, making Texas the fifth state to implement a cybersecurity safe harbor and the sixth to meaningfully define “reasonable cybersecurity” in statute. The law incentivizes businesses to adopt strong cybersecurity programs by offering protection from exemplary (punitive) damages in the event of a data breach provided they meet specific cybersecurity criteria.

The new law formally recognizes CIS Critical Security Controls® (CIS Controls®) as a standard for demonstrating reasonable cybersecurity practices. For businesses with 20–99 employees, the law specifies enacting Implementation Group 1 (IG1), a subset of the CIS Controls whose implementation fosters essential cyber hygiene, as a moderate requirement for achieving safe harbor protection. Learn more here.

Announcing New Members of MS-ISAC Executive Committee

CIS and the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) recently announced the addition of four distinguished professionals to the MS-ISAC Executive Committee. The new members are:

• Michael Geraghty, Chief Information Security Officer and Director of NJ Cybersecurity and Communications Integration Cell, State of New Jersey

• Ryan Murray, Chief Information Security Officer and Deputy Director of Arizona Department of Homeland Security, State of Arizona

• Al Yu, Information Technology Director, Black Hawk County, Iowa

• Dr. Byrian Ramsey, Corporate IT Director and Senior Compliance Officer, Poarch Creek Indians Federal Services

Congratulations to our newly elected members and thanks to every committee member who volunteers their time, energy, and expertise providing strategic guidance and recommendations on behalf of the MS-ISAC membership. Learn more about our current and new committee members here.

MS-ISAC Executive Committee Releases Volume 2 Report on U.S. SLTT Cybersecurity Challenges and Progress

State, local, tribal, and territorial (SLTT) organizations are the unsung defenders of America’s critical infrastructure. The latest volume of the SLTT Progress & Priorities Report highlights the essential role SLTTs play in national security and the urgent need for coordinated, well-resourced defense strategies.

On August 11, 2025, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) Executive Committee released Volume 2 of its landmark report, Strengthening Critical Infrastructure: State, Local, Tribal, and Territorial (SLTT) Progress & Priorities. This comprehensive document builds on the high-level overview presented in Volume 1 and offers a deeper, more detailed look at the evolving cybersecurity landscape facing SLTT organizations across the United States.

The report arrives at a critical moment. U.S. SLTT entities are responsible for operating much of the nation’s essential infrastructure, including water systems, healthcare facilities, emergency services, and public education. Yet they face increasingly sophisticated cyber and physical threats, and they often lack the resources or personnel necessary to mount an adequate defense. Volume 2 of our report makes clear that safeguarding U.S. SLTT infrastructure with coordinated, well-resourced defense strategies is not just a local concern but a national imperative.

A Growing Threat Landscape

The report outlines a sobering reality: U.S. SLTT organizations are under constant attack on the digital frontlines of an invisible but very real conflict. Nation-state actors, cybercriminals, and hacktivists are exploiting legacy systems, supply chain vulnerabilities, and emerging technologies like generative artificial intelligence to disrupt services and compromise sensitive data, often with devastating consequences. Ransomware attacks alone have cost hundreds of millions in recent years, with K-12 schools, public hospitals, and municipal utilities among the hardest hit.

Cyber-enabled physical threats are also on the rise. The report highlights incidents involving swatting, suspicious packages, and targeted violence against public officials. Increasingly, cyber and physical threats are converging, creating multidimensional threat risks that challenge traditional security models.

As cyber and physical threats grow more sophisticated, these organizations face mounting pressure to protect the systems that keep daily life running for Americans nationwide. Yet many SLTTs operate with limited budgets and staffing, making it difficult to keep pace.

The Case for Shared Defense

Volume 2 emphasizes that no single U.S. SLTT organization can defend itself alone. With over 90,000 public sector entities — many of them small and under-resourced — the most effective defenses to these threats involve efforts to align resources and capabilities. Threat actors will target wherever they can to achieve their objectives, but they will prioritize sensitive data that is the least protected. The MS-ISAC plays a central role in this model, offering 24x7x365 threat monitoring, real-time intelligence, and managed security services to more than 18,000 member organizations, including under-resourced jurisdictions in U.S. states and territories.

By pooling resources and expertise, U.S. SLTT organizations can achieve economies of scale, accelerate threat detection, and improve resilience within a trusted and collaborative environment. The report highlights the success of whole-of-state strategies, regional security operations centers (SOCs), and peer-to-peer collaboration as key accelerators of progress in this essential defensive alignment.

Strategic Priorities for the Road Ahead

The MS-ISAC Executive Committee identifies five strategic priorities to guide U.S. SLTT cybersecurity efforts in the coming years:

1. Enhancing Resilience Through Coordinated Information Sharing: U.S. SLTTs must consolidate threat intelligence platforms, streamline grant processes, and expand managed detection and response capabilities. Regional SOCs and integrated intelligence teams are essential to this effort.


2. Building Public Trust Through Transparency and Engagement: Data portals that are open, interactive government websites, and simplified documentation help demystify government operations and foster accountability. Outreach campaigns and leadership buy-in are critical to restoring public confidence.

3. Strengthening Security for Small and Rural Communities: Smaller jurisdictions lack the capability and capacity to implement robust cybersecurity measures that counter the volume and sophistication of threats targeting them. The report calls for low-cost, easy-to-deploy solutions, cyber navigator programs, and tailored guidance for sectors like education, public health, and utilities.

4. Mitigating Insider Threats: Insider threats, whether accidental or malicious, pose significant risks. U.S. SLTTs must invest in data loss prevention technologies, access controls, network segmentation, and comprehensive training programs to reduce vulnerabilities.

5. Investing in Workforce Development and Retention: Talent shortages remain a major obstacle for the public sector. The report advocates for innovation in hiring practices, apprenticeship programs, and whole-of-state workforce strategies that will enable the nation to build a sustainable cybersecurity talent pipeline, especially for the public sector.

Success Stories from the Field

Volume 2 of our report features case studies from states leading the way in U.S. SLTT cybersecurity:

• Maryland launched a successful Cybersecurity Workforce Accelerator Program across all 16 community colleges.

• Minnesota expanded its Cyber Navigator initiative and implemented a cost-share model to support local governments.

• New York invested $90 million in a statewide cybersecurity strategy, including shared services for small municipalities.

• Ohio created the Ohio Cyber Integration Center and launched the CyberOhio Local Government Grant Program.

• Oregon established a Cybersecurity Center of Excellence to support under-resourced communities and educational institutions.

These innovative, bold programs demonstrate how vision, strategic partnerships, focused investments, and effective governance frameworks can dramatically improve cybersecurity readiness.

A Call to Action

The report presents a clear message: U.S. SLTT organizations cannot afford to go it alone. The threats they face are global in source, growing in volume, and exponentially increasing in sophistication. The only viable path forward is through collaboration, alignment and sharing of capabilities, and sustained investment.

Volume 2 provides a roadmap for U.S. SLTT leaders, policymakers, and federal partners to build on recent progress and ensure the security of critical infrastructure for years to come. With the MS-ISAC as the trusted community for U.S. SLTT security and resilience, collaboration between public and private sector at the federal, state, and local levels will be best suited to meet the challenges ahead.


Carlos P. Kizzee is the Senior Vice President for MS-ISAC Strategy and Plans. In that position, Kizzee is accountable for the engagement, account management, and training and education activities associated with MS-ISAC membership as well as key programs assessing and enhancing the security maturity of state, local, tribal, and territorial government agencies and activities. Previously, Kizzee served with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) as Vice President of Intelligence, building and supporting retail and hospitality industry security collaboration; and with Defense Security Information Exchange as Executive Director, promoting threat intelligence sharing and collaboration within the defense industrial base and actively supporting the development and establishment of the National Defense ISAC.

Securing Emerging Technologies with Resources from CIS

To help organizations implement cutting-edge technologies safely and securely, the CIS Security Best Practices team has released new resources and guidance, with assistance from our global community of IT security experts.

As modern IT environments continue to evolve, the integration of emerging technologies such as Internet of Things (IoT) devices and Artificial Intelligence (AI) systems introduces new layers of complexity and risk. These innovative technologies offer advanced capabilities that can transform organizational operations but also expand the attack surface, making robust cybersecurity practices more important than ever. Our Security Best Practices team has developed two new resources to show how security best practices from the Center for Internet Security® (CIS®) provide a valuable foundation for organizations seeking to secure these complex environments, ensuring resilience, compliance, and trust in increasingly interconnected digital ecosystems.

Applying the CIS Controls to Internet of Things (IoT) Environments

The CIS Critical Security Controls® (CIS Controls®) are developed by a community of Information Technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors, including retail, manufacturing, healthcare, transportation, education, government, defense, and others. While the CIS Controls address the general practices that most enterprises should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls.

One of these unique operational environments is the use of IoT devices. There is no universally agreed-upon definition for IoT, but the majority of the various definitions commonly used share certain features:

• Communications: Whether this is via a local medium, such as radio frequency identification (RFID), Bluetooth, and Wi-Fi, or via a wide area network (WAN) protocol, such as cellular, IoT devices can communicate with other devices.

• Functionality: IoT devices have a core function with limited functionality. Most IoT devices do one thing and do it well.

• Processing capability: IoT devices have sufficient processing capability to make their own decisions and act on inputs received from outside sources but not enough intelligence to do complex tasks. For instance, they generally cannot run a rich operating system designed for a traditional desktop or mobile device.

Each definition of IoT has relevant strengths and weaknesses, and they do not act to invalidate each other. However, the lack of a consistent, agreed-upon definition is actually part of the challenge within the IoT arena. IoT is a large, complex space. Common issues include:

• Ubiquity: IoT devices can be easily deployed to any location.

• Diversity: Devices are developed by different manufacturers with widely varying hardware and software platforms.

• Ecosystem: Multiple vendors are involved in creating most devices, including hardware, firmware, and software.

• Standardization: There are minimal agreed-upon standards for securing access and communications for these devices.

The purpose of the CIS Controls Internet of Things Community is to consider how IoT devices used within an enterprise fit within the framework of the CIS Controls. Enterprise use of IoT presents unique and complex challenges for security professionals. IoT devices are being embedded into the enterprise across the globe and often cannot be secured via standard enterprise security methods, such as running a monitoring application on the device, as the devices can’t support these types of applications. Yet for ease of use, enterprise IoT devices are often connected to the same networks that employees use day in and day out, and they are often directly connected to the internet via a variety of network protocols (e.g., Ethernet, Bluetooth, wireless fidelity (Wi-Fi), cellular).

Through this community’s hard work, we’ve produced a new guide, Internet of Things Companion Guide for the CIS Controls v8.1, to help organizations purchase, deploy, and monitor commercially available IoT devices within their environments according to the guidance of the CIS Controls.

An Introduction to Artificial Intelligence

AI has rapidly become a popular topic and a focus of discussion across multiple sectors. While AI is a concern to consider, nothing has changed to reduce the impact of good security fundamentals, such as those provided by the CIS Controls and CIS Benchmarks®. Data is still protected the same way, systems are still secured the same way, and the techniques used by attackers have not significantly changed. While AI is an important consideration for enterprises of any size, it hasn’t altered any of the principles of a strong cybersecurity program.

AI, like many other technologies that have been introduced over the years, may change how enterprises conduct their business but not how they protect it. AI can be incorporated into operations in even a small or medium-sized enterprise (SME) if the security concerns are addressed thoroughly. The emergence of AI has enabled the efficiency of certain attack trends, made natural-sounding communication simpler, and made simple attacks easier for Cyber Threat Actors (CTAs). While AI may lead to increases of scale, especially for less mature threat actors, it doesn’t introduce any new attack techniques or anything that cannot be prevented by previously available security controls.

For this reason, CIS recommends due caution but also the adoption of good security fundamentals such as the prioritized Safeguards found in the CIS Controls and the secure configurations provided by the CIS Benchmarks. To help outline some of the areas in which SMEs are likely to encounter impacts from AI and how to approach them, we’ve released a new white paper, An Introduction to Artificial Intelligence.

In this paper, we review the real-world impact AI has had on cybersecurity for the average SME as well as the use of AI in business operations. Although AI has enabled some efficiencies, the threat vector remains unchanged with the same recommended mitigations. To date, CIS has not observed any brand-new threats, only threat actors using AI to facilitate existing attempts. This further highlights the importance of cybersecurity fundamentals, such as the use of CIS Controls for essential cyber hygiene and the use of the CIS Benchmarks for secure configurations.

Joshua Franklin is a Senior Security Engineer for the CIS Critical Security Controls at the Center for Internet Security (CIS), where he is developing best practices for mobility, IoT, and elections. Prior to CIS, Franklin researched enterprise mobile security, cellular security, and electronic voting at the National Institute of Standards and Technology (NIST). While at NIST, he managed the mobile security laboratory at the National Cybersecurity Center of Excellence (NCCoE). Franklin graduated from George Mason University with a Master of Science in Information Security and Assurance. He has presented at a variety of cybersecurity conferences including DEF CON, RSA, and ShmooCon.

Thomas Sager is a Cybersecurity Engineer for the CIS Critical Security Controls at CIS. In this role, he is dubbed as the team cryptographer for mapping of the CMMC and PCI frameworks to the CIS Critical Security Controls. Prior to joining the Controls team, Sager was a commercial security consultant under a federal contractor, greatly benefiting from the opportunity to work within a variety of client environments.

Beyond Data: The Imperative of Security Collaboration

In moving beyond a lack of data, security collaboration is key to creating a truly resilient cyber defense. It's time to shift from sharing static Indicators of Compromise to building a proactive network that shares contextual, tactical, and strategic threat intelligence across all sectors.

Most government organizations aren't suffering from a lack of threat data; they're struggling to make that data useful. We see the root of the problem every day: siloed tools, manual processes, and a lack of real-time threat intelligence sharing. In a world where sophisticated adversaries are evolving at a breakneck pace, this friction is a critical vulnerability. The threats are complex, but our defense ecosystem often lacks the coordination required to counter new threats effectively.

The concept of security collaboration, where organizations work together across sectors to safeguard critical infrastructure, is the solution. While some sectors have made progress, many sectors are still trying to figure it out. True collaboration can only be achieved by eliminating silos at every level — from detection and analysis to response. This is where real-time information sharing, automated threat response, and advanced threat intelligence play a crucial role.

The Power of Context and Actionable Intelligence

Traditionally, organizations shared static indicators of compromise (IOCs) with their peers but with little or no context. In a world where adversaries constantly upgrade their tactics, techniques, and procedures (TTPs), this type of information is quickly becoming redundant. The present threat landscape demands a shift. Organizations need to come together as trusted advisors by sharing not just data but knowledge about vulnerabilities, threat analytics, and TTPs as they are detected.

This shift moves us from simply chasing the last incident to proactively preparing for future challenges. A defense network built on collaboration enhances situational awareness and creates common goals for effective coordination. For government agencies, this means operationalizing threat intelligence and automating threat response to reduce the mean time to detect (MTTD) and mean time to respond (MTTR). As one State Director of Threat Intel Operations told us, "We were able to do in a couple of weeks what another company that only does sandboxing couldn't achieve." The difference wasn't just in the tool but in the ability to connect and integrate it into a collaborative workflow that was already in place, preventing the waste of a year and significant taxpayer dollars.

More Than Just Information Sharing

Security collaboration isn't just about sharing IOCs; it’s about exchanging contextual, strategic, and tactical threat intelligence with industry peers, information-sharing communities such as Information Sharing and Analysis Centers (ISACs) or Sector Risk Management Agencies (SRMAs), and other key stakeholders, thereby improving and even accelerating threat response across an ecosystem.

• Within an Organization: Threat intelligence must be operationalized and shared across IT, SecOps, and leadership teams to ensure everyone is working with the same information, driving faster and more informed decision-making. In a hybrid workplace where teams operate from different geographies and time zones, an advanced platform is necessary to seamlessly disseminate threat intelligence, fostering effective collaboration between different teams and stakeholders. The ability to automate end-to-end threat intel operations in a collaborative environment empowers disparate teams to leverage threat intelligence and drive security actions across cloud-based, on-premises, or hybrid infrastructures.

• Within an ISAC/ISAO: Information sharing communities need closer collaboration between member organizations. This can be facilitated by bidirectional platforms that enable members to automatically ingest, enrich, and act on threat intelligence shared by the hub. These avant-garde threat sharing solutions enable multi-source threat intelligence collection and bi-directional sharing between members, helping them maximize the value of their membership. This level of automated bi-directional collaboration between the hub and spoke is crucial for a strong, unified front.

• Across Sectors: Historically, cross-sector intelligence sharing has been limited. By building a multi-sectoral security collaboration network, organizations in one sector can learn from threats witnessed by enterprises in others, taking proactive measures and defending against common threats. This includes fostering ISAC-to-ISAC, SRMA-to-SRMA, or ISAC/SRMA collaboration, ensuring every industry benefits from mutual learnings. Modern automated threat intelligence solutions support this kind of sharing, leveraging a hub-and-spoke model to create trusted sharing communities and automate the entire threat intelligence lifecycle.

• Between Public and Private Entities: Building global cyber resilience to protect critical infrastructure demands deeper public-private security collaboration. Both sectors have unique advantages, and by working together and sharing best practices, mitigation strategies, and threat intelligence, we can effectively secure critical infrastructure from advanced threat actors. This close collaboration provides greater threat visibility and helps to improve detection, mitigation, and response capabilities for all.

It's Time to Collaborate

Cyber threats are a challenge for everyone regardless of size or sector. In view of evolving threats, we must unite to thwart them. The pressing need is to take concrete action and outline a clear, scalable path toward achieving a national collective defense. It's time to acknowledge collaboration as a top-tier priority and recognize the vital role it can play in thwarting attacks.

Tom Stockmeyer is Managing Director, Government and Critical Infrastructure at Cyware. He is a seasoned cybersecurity leader with a wealth of experience helping threat intelligence-sharing communities, such as Information Sharing and Analysis Centers (ISACs) and the Cybersecurity and Infrastructure Security Agency (CISA), to enhance the quality, automation, and real-time collaboration of threat intelligence sharing.

As a driving force in the field of cybersecurity, Stockmeyer has developed and implemented automated cross-sector sharing initiatives across critical infrastructure industries. His work has been particularly impactful in enabling military mobilization in sectors such as Space, Aviation, Maritime, and Railroads.

In addition to his work in cybersecurity, Stockmeyer has a strong commitment to community service and leadership. He is the founder of the Cyber Security Competency Group and served as a Board Advisor for the National Technology Security Coalition. His philanthropic work extends to the tech sector, where he held key leadership roles as the Development Chair of TechBridge and Christ the King School.

Before his career in cybersecurity, Stockmeyer served in the United States Marine Corps, where he honed his leadership and problem-solving skills.

Without Visibility, Every Executive Is Liable

As cybersecurity becomes more integral to overall corporate strategy and safe harbor laws become more prevalent in state legislatures, executive leadership can no longer outsource accountability.

One out of three executives doesn’t survive a data breach.

That’s not a metaphor. It is a documented reality. After a major cybersecurity incident, one in three senior leaders is removed through termination, resignation, or board-level fallout. This leadership turnover is not always the result of negligence. Often, it comes down to a lack of clarity, accountability, and real-time awareness. They didn’t know what they didn’t know, and it cost them their position.

This issue isn’t rooted in a lack of care. It’s a structural problem: a deep and persistent visibility gap between cybersecurity risk and executive oversight. For decades, cybersecurity was treated as a technical function, delegated to IT leaders or compliance teams. But that model no longer works. Today, the financial, legal, and reputational consequences of cyber incidents have made cybersecurity a C-suite and board-level priority.

The problem is most executive leaders haven’t been prepared to take on this responsibility. CEOs and COOs typically rise through finance, operations, or business strategy — not through information security. Cyber risk doesn’t appear in most MBA programs; it’s not commonly featured in leadership books. But in a world where data breaches and ransomware events can shut down operations and trigger class-action lawsuits, cybersecurity must become part of the leadership toolkit.

In many organizations, the disconnect between technical teams and leadership is subtle but dangerous. An IT or compliance leader gives a Board update using terms like risk exposure, control mapping, or audit readiness. The CEO nods, and the CFO takes notes, but no one asks hard questions or wants to appear uninformed. The assumption is that someone else understands it. Someone else owns it.

This dynamic isn’t just risky. It’s unsustainable. When something goes wrong, it’s not the framework or the vendor that is held accountable. It’s the people in charge.


For example, many organizations point to their SOC 2 report as evidence of good cybersecurity practices. And while it is a valuable tool, it’s important to understand what it actually represents. SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) as an attestation standard. Its primary purpose is to help service organizations demonstrate compliance with principles related to data privacy, availability, processing integrity, and confidentiality, especially in customer-facing environments.

In that context, SOC 2 was not designed to evaluate technical security architecture or respond to evolving cyber threats. Compliance is not the same as security, and governance alone doesn’t guarantee protection. Both can create a false sense of readiness if not backed by real evidence. Legal protection requires organizations to demonstrate that standards are actively implemented, monitored, and continuously improved — not just certified or documented.

This is why Safe Harbor laws are so important and why they raise the stakes. In states like Ohio, Connecticut, and Texas, new legislation enables companies to claim legal protection after a cyber incident if they can prove alignment with recognized frameworks like the CIS Critical Security Controls® (CIS Controls®), NIST Cybersecurity Framework, and ISO 27001. These laws are changing how companies view cybersecurity readiness. They reward operational discipline, evidence-based decision-making, and executive-level oversight.

But they also require proof. To benefit from Safe Harbor, companies must demonstrate not just written policies but also real implementation. They need to show which controls are in place, which are still in progress, who owns each one, and how often risks are being reassessed. More importantly, executives must be able to speak to these questions in boardrooms, investor meetings, and potentially legal proceedings.

This is the very gap Cybersecurity Auditing Technologies is working to close by aligning with policymakers shaping Safe Harbor legislation and championing a shift in how cybersecurity is governed at the executive level. Rather than treating cybersecurity as a technical silo, we advocate for a model where leadership has continuous visibility into control ownership, organizational risk posture, and legal defensibility. Our work focuses on helping boards and C-suites move beyond passive compliance toward active governance where clarity replaces assumptions and where accountability is built into the decision-making process. This is not about more audits or certifications; it’s about enabling business leaders to lead with confidence before regulators or crises force them to.

The issue hasn’t been negligence; it’s been the absence of a clear standard for executive leadership in cybersecurity. That’s changing. The frameworks exist, the laws are catching up, and the responsibility is now unavoidable.

If you can’t see it, you can’t govern it. And if you can’t govern it, you will still be held accountable. Without visibility, every executive is liable. It’s time we built systems that reflect that truth.

Elizabeth Wu is the CEO and founder of Cybersecurity Auditing Technologies Inc., where she leads the development of executive-focused cybersecurity governance solutions aligned with CIS Controls and emerging Safe Harbor legislation. With over 25 years of experience auditing IT infrastructure, security policies, and operational controls, Wu has guided executives across industries and geographies in navigating the accountability gap between technical risk and board-level responsibility.

Her work emphasizes translating complex cybersecurity requirements into plain-English reporting that boards, CEOs, and COOs can act on with confidence. Wu's impact extends globally, from advising leaders in North America to shaping dialogues in international markets where cyber accountability and legal defensibility are becoming urgent priorities.

She brings a clear, executive lens to cybersecurity maturity and is committed to helping organizations move beyond checklists to real, defensible outcomes. Her work is centered on equipping leaders with the visibility, structure, and insight needed to govern cybersecurity as a strategic business function — not just a technical one.

Aligning Information Technology and Information Security Governance with the CIS Controls

Security and governance are intrinsically linked. A formal cybersecurity program is typically developed to protect the organization, and governance often drives the reasoning behind the safeguards implemented in the program as much as cyber threats do.

The CIS Critical Security Controls® (CIS Controls®) are a set of prioritized, prescriptive actions for defenders to protect against the most common and prevalent real-world cyber attacks. The CIS Controls are essential to cyber hygiene, and this foundational level includes information security (IS) governance. Within this prioritized list of best practice recommendations are 26 Safeguards that specifically support the Governance security function. Governance links business risks with technology controls to demonstrate the value that effective guidance brings to the maturity of any cybersecurity program.

Governance and the CIS Controls

Governance is at the core of all controls regulations, frameworks, and guidelines — even when they’re not specifically touted as such. For instance, CIS Controls v8.1 aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) security function categories, which recently emphasized Governance in the CSF 2.0 release. This update reflects a growing recognition that governance is not just a supporting element but a core driver of an effective cybersecurity program.

It also helps answer a key question: "Why do we implement a specific Safeguard?" There are many reasons we do, but most often, it comes back to an enterprise’s desire to establish an information security program to protect its business. This information security program — and the choice to implement it down to the finer details — is governance.

For years, the Center for Internet Security® (CIS®) has been asked why there isn’t a governance Safeguard in the CIS Controls. The answer is that governance guidance and decisions are what bring an enterprise to use the CIS Controls.

A security program is created and put in place to protect the business — to specifically protect from cyber threats and to meet compliance requirements. We may implement a Safeguard for lengthy passwords and multi-factor authentication to prevent a myriad of unauthorized access threats, but an overarching reason we do that is because governance often states an objective for reasonable cybersecurity safeguards to protect the enterprise. Many people rightfully focus on the threat as the reason, but ultimately governance is the driving factor. Just as ransomware can prevent the business from making money, not being compliant might prevent the business from participating in some markets or business actions (such as accepting credit cards).

The Journey to Mature IT and IS Governance

Governance is not static; it will evolve and expand with the business based on new business risks and technical capabilities. Governance is a journey and not a destination, whereas compliance is a destination. We’ve seen for years that enterprises which are “compliant” though not “secure” can be compromised. Organizations that treat governance as a dynamic process rather than static policy are better equipped to respond to emerging threats and maintain long-term resilience.

To support organizations in navigating this journey, CIS has released a new white paper: Information Technology and Information Security Governance. This resource explores governance from a leadership perspective, offering insights into:

• How governance applies to the CIS Controls

• How to assess the current state of governance within your enterprise

• How to identify gaps and opportunities for improvement

• How to mature your existing governance program

Governance matters regardless of maturity because you set the tone and structure for how you will build your protection strategy against threats. Formalized governance means you put thought and intention behind all of the CIS Controls and Safeguards you implement. It also means you can help set your path forward as you grow and evolve to keep up with the ever-changing threat landscape.

Whether you're just beginning to formalize your governance strategy or looking to refine an existing program, this white paper provides a valuable roadmap for aligning cybersecurity with enterprise leadership and strategic decision-making.


Sarah Day is a Senior Cybersecurity Controls Engineer for the Center for Internet Security. She is responsible for the Community Defense Model, CIS Risk Assessment Methodology, and other Controls projects that help serve the cybersecurity underserved. She has seven years of consulting experience for IT general controls, IT and information security risk assessments, and other controls assessments for financial institutions, healthcare, retail, higher education, manufacturing, local government, and other industries.

Cyberside Chat

How to Build Your Cybersecurity Culture

As Cybersecurity Awareness Month is upon us, this gives us an opportunity to foster the growth of our cybersecurity culture. It's not just about our organizations; it's also about how we protect our communities in an increasingly digital world. After all, cybersecurity is not just an IT issue; it is about creating public trust. Building a strong cybersecurity culture is essential to safeguarding critical services, sensitive data, and community well-being.

Why Cybersecurity Culture Matters

U.S. State, Local, Tribal, and Territorial (SLTT) organizations often operate with limited resources, yet they manage vital infrastructure like emergency services, water systems, and public records. A cybersecurity culture helps to enable all employees, from elected officials to the frontline, to understand their roles in protecting the communities’ assets and wellbeing. Cyber threats continue to evolve, but so can our defenses when cybersecurity becomes part of who the organization is.

Here are five ways to build and foster a cybersecurity culture:

1. Lead from the Top

• From governors to legislatures to boards of directors, it is important to champion cybersecurity as a strategic priority.

• Cyber risk should be incorporated into executive briefings and budget decisions.

2. Education

• Implement regular role-based training on topics like phishing, creating and maintaining secure passwords, elevated privileges, and data handling.

• During Cybersecurity Awareness Month, provide workshops, posters, and engaging activities like a Tabletop Exercise (TTX).

3. Security Is Everyone’s Responsibility

• Encourage everyone in the organization to report suspicious activities without repercussion, whether or not the report is made anonymously.

• Provide call-outs to those organizations, business units, and/or individuals that consistently implement good cyber hygiene practices.

4. Simplification through Standardization

• Create and maintain clear and concise policies and procedures.

• Look to find quick wins by implementing some of the Implementation Group 1 (IG1) Safeguards of the CIS Critical Security Controls® (CIS Controls®). Put in place multi-factor authentication (MFA), automatic updates, IDS/IPS, firewalls, and data classification.

5. Engage with Your Community

• Partner with your local schools, libraries, tribal councils, and civic groups to promote cybersecurity awareness.

• Connect with other organizations, such as the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) along with the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), to share your knowledge and resources.

Seize October as a Shared Responsibility

Cybersecurity Awareness Month is your opportunity to assess your current posture and promote a culture of resilience and vigilance. Whether you are a small town, tribal community, major city, county, state, or organization just beginning your journey, cybersecurity is a shared responsibility, and building your culture is key to enhancing public trust.


ISAC Update

MS-ISAC: A Cybersecurity Lifeline for America's SLTTs

During a time of escalating cyber threats, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) remains a cornerstone of defense for U.S. State, Local, Tribal, and Territorial (SLTT) governments. From small-town school districts to large jurisdictions, the MS-ISAC provides critical threat intelligence, incident response, and security services that many organizations simply cannot afford on their own.

Despite its proven value and continuously growing threats targeting U.S. SLTT governments, the Department of Homeland Security (DHS) has formally decided to discontinue its support for the SLTT community via the MS-ISAC. This marks a significant shift in the federal government’s approach to SLTT cybersecurity, placing the responsibility for sustaining these vital services and securing communities across the country squarely on the shoulders of SLTT entities themselves.

While federal funding was terminated, the MS-ISAC will continue to support SLTT organizations going forward. To ensure continuity of critical services, the MS-ISAC introduced a fee-based membership model in June 2025.

National Support: A Unified Call to Congress

Since the first federal funding cuts took effect this year, national leaders and organizations have rallied in support of the MS-ISAC, urging DHS and Congress to restore federal funding appropriated for U.S. SLTT cybersecurity services provided through the MS-ISAC:

• Letters to Congress: The National Association of Counties (NACo) — joined by National Association of State Chief Information Officers (NASCIO), the U.S. Conference of Mayors, and others — sent a letter to congressional appropriators urging inclusion of the MS-ISAC in FY 2026 funding.

• Arizona Senators: Senators Mark Kelly and Ruben Gallego voiced support for restoring funding, citing the impact on Arizona’s rural and tribal communities.

• Consortium for School Networking: CoSN launched a national advocacy campaign urging Congressional support for K-12 cybersecurity, which highlighted the MS-ISAC’s role in protecting K-12 infrastructure, noting that Congressional funding cuts are “forcing districts to make difficult decisions and putting students’ learning and data at risk.”

• Rear Admiral (Ret.) Mark Montgomery: The retired military leader and cybersecurity expert published a compelling op-ed in The Hill warning that defunding the MS-ISAC is making state and local governments “increasingly vulnerable to foreign actors.”

This groundswell of support underscores the critical importance of SLTT cybersecurity and the unique and irreplaceable value the MS-ISAC provides. We are deeply grateful to the national leaders and organizations who stood up for the MS-ISAC this year, recognizing its vital role in protecting SLTT communities and advocating for the cybersecurity support they deserve.

Progress and Persistent Gaps

The 2024 Nationwide Cybersecurity Review (NCSR), conducted by the MS-ISAC, provides a detailed look at the cybersecurity maturity of U.S. SLTT organizations. This year’s report reflects input from over 4,150 organizations, including over 3,500 local entities, marking a continued upward trend in participation.

U.S. SLTTs reported key security concerns that they face. The top five reported concerns remained the same for the ninth consecutive year, though the year-to-year ranking changed. The ranking of the 2024 top security concerns was a lack of sufficient funding, increasing sophistication of threats, emerging technologies, a lack of documented processes, and inadequate availability of cybersecurity professionals.

• 73% of NCSR respondents reported “Lack of sufficient funding” as a top security concern.

• 65% of NCSR respondents reported “Increasing sophistication of threats” as a top security concern.

• Over 3,300 of the NCSR respondents (80%) stated they have fewer than five dedicated security employees.

These findings reinforce the need for cost-effective, high-impact cybersecurity services — precisely what the MS-ISAC continues to offer through its new membership model.

The Unparalleled Value of MS-ISAC Membership

The fee-based MS-ISAC membership model offers a sustainable path forward that preserves and enhances critical cybersecurity support for U.S. SLTT entities. By investing in membership, eligible organizations retain access to high-value services, contextualized threat intelligence, and a trusted, collaborative community.

A recent study on the value of MS-ISAC membership revealed:

• The MS-ISAC delivers an estimated $200k or more in services for as little as $995/year.

• Passive threat monitoring, just one of many MS-ISAC benefits, can cost in excess of $110k on the commercial market alone.

• State/Territory-Wide membership, a membership option involving states or territories paying for all organizations in their jurisdiction, saves states an estimated minimum of $122k and as much as $19M when compared to the cost of all eligible entities paying for an individual membership.

Whether funded by states, territories, or directly by the organizations themselves, the MS-ISAC empowers its U.S. SLTT members — including even the most resource-constrained entities — to detect, respond to, and recover from cyber threats as well as benefit from the knowledge and best practices in doing so together. MS-ISAC membership unlocks millions in cybersecurity value — including round-the-clock CIS SOC access and essential U.S. SLTT-focused services — while offering scalable, optional enhancements to meet every organization’s evolving needs.

A Critical Investment in National Security

For more than two decades, the MS-ISAC has stood as a trusted partner in defending America’s SLTT governments against cyber threats. The introduction of a fee-based MS-ISAC membership model ensures that U.S. SLTTs can continue to access world-class cybersecurity services regardless of federal budget cycles. This shift represents more than just a funding solution — it’s a strategic investment in the long-term security and sustainability of our nation’s digital infrastructure. With strong momentum from state and local leaders and a growing community of committed members, the MS-ISAC is not only weathering the storm; it’s building a strong, self-reliant, and stable future for cybersecurity across the country.

To enroll in the new membership model, you can sign up via the CIS Portal or contact info@cisecurity.org for assistance. For more information, read our MS-ISAC Membership Resources .

Upcoming Events

October

October 8

The 10th Edition of the Silicon Valley Cybersecurity Summit will take place at the Santa Clara Marriott in Santa Clara, CA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/siliconvalley25-oct/.

October 9

The Gen AI Application Security & Risk Cybersecurity Summit will take place virtually. This conference brings together top experts and innovators to explore how Artificial Intelligence (AI) is reshaping the future of application security. You’ll learn about the top risks of adopting Generative AI (Gen AI) along with effective strategies for securing AI systems and applications, including how organizations are using AI not just to automate vulnerability detection but also to fundamentally shift from reactive defense to proactive resilience. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/owasp-appsec/.

October 9

The 7th Annual Charlotte Cybersecurity Summit will take place at the Westin Charlotte in Charlotte, NC. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/charlotte25/.

October 10 – 11

Docent Institute presents CornCon 11, which will be held at the RiverCenter in Davenport, IA. The conference spans industries, allowing attendees to take part in numerous speaking sessions, workshops, and breakouts as well as visit the expo floor. Topics include, but are not limited to, ransomware, cyber insurance, Internet of Things (IoT), intelligence gathering, data visualization, and more. CIS VP of Security Operations and Intelligence Randy Rose will lead a breakout session at the event on malware and social engineering, and the CIS team will be at the event showcasing our cybersecurity resources. Learn more at https://corncon.net/.

October 12 – 15

The National Association of State Chief Information Officers (NASCIO) will host the NASCIO 2025 Annual Conference at the Hyatt Regency Denver in Denver, CO. This event will bring together state CIOs and their staff from across the country to facilitate relationship building, peer learning, and collaborative solutioning among members. Learn more at https://www.nascio.org/conferences-events/annual-conference/.

October 13 – 16

Qualys will host its Risk Operations Conference (ROCon) Americas 2025 at the JW Marriott Houston by the Galleria in Houston, TX. The event will bring together top security leaders and practitioners to learn cutting-edge strategies, gain insights, and discover new solutions that proactively manage and reduce cyber risk. CIS Director for Critical Security Controls Charity Otwell will be a featured panelist at the event, discussing transforming compliance into readiness. Learn more at https://www.qualys.com/rocon/2025/houston.

October 13 – 16

TeamLogic IT will host the TeamLogic IT Owners Summit at the Loews Arlington Hotel and Convention Center in Arlington, TX. The event will bring together Managed Service Providers (MSPs) and solution providers from around the country to learn from industry experts, network with peers, and discover innovative new technologies. The CIS team will be on the show floor sharing our resources to implement our security best practices. Learn more at https://www.eventsquid.com/mobileapp.cfm?event_id=25908.

October 14

The 4th Annual Tech Valley Cybersecurity Summit will take place at the Rivers Casino Event Center in Schenectady, NY. Hosted by LogicalNet, this event is an unmissable opportunity to learn from industry experts and share ideas with like-minded business leaders and executives from around the Northeast – without distractions. CIS CISO Sean Atkinson will be a featured panelist during the event. Learn more at https://logical.net/cybersecuritysymposium/2025/.

October 16

The 10th Edition of the Boston Cybersecurity Summit will take place at the Westin Copley Place in Boston, MA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/boston25-oct/.

October 17

The 7th Annual Scottsdale Cybersecurity Summit will take place at the J.W. Marriott Camelback Inn Scottsdale in Scottsdale, AZ. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/scottsdale25/.

October 20 – 22

The Analyst1 Annual Federal Exchange will take place at the General Gordon R. Sullivan Conference and Event Center in Arlington, VA. The event will provide three days of insight, innovation, and collaboration for cybersecurity professionals and federal agency stakeholders shaping the future of federal threat intelligence. CIS VP of Security Operations and Intelligence Randy Rose will be a featured panelist at the event, discussing AI adoption and security implications with other experts. Learn more at https://analyst1.com/analyst1-federal-exchange-2025/.

October 21 – 22

The 15th Annual Cybersecurity Summit will take place at the Minneapolis Marriott Northwest in Minneapolis, MN. The event's mission is to bring together business, government, military, and academic leaders to collaborate, troubleshoot, showcase, and celebrate solutions for today’s critical cybersecurity challenges. Attendees will be able to attend thought-provoking sessions, network with peers across industry and government, and discover innovative solutions and strategies to keep pace with ever-changing threats. Learn more at https://www.cybersecuritysummit.org/.

October 21

The 12th Edition of the Dallas/Plano Cybersecurity Summit will take place at the Renaissance Dallas at Plano Legacy West Hotel in Plano, TX. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/dallas25-oct/.

October 27 – 29

CyberRisk Alliance will host InfoSec World at Disney's Coronado Springs Resort in Lake Buena Vista, FL. Now in its 31st year, InfoSec World stands as one of the premier cybersecurity conferences for business and security leaders. Recognized as The Business of Security event, it brings together industry experts, thought leaders, and practitioners to share cutting-edge insights, strategies, and solutions. CIS Senior Director of Information Security Stephanie Gass will speak during the event's Women in Cyber panel. Customers and members of CIS can receive 25% off registration with code ISW25-CIS25. Learn more at https://www.infosecworldusa.com/.

October 28

The MS-ISAC and Samish Indian Nation will co-host the 2025 Washington MS-ISAC Regional Event at the Fidalgo Bay Resort in Anacortes, WA. The event will provide the opportunity for IT leaders and professionals from across the state to learn, collaborate, and share best practices in cybersecurity. Members of the MS-ISAC Stakeholder Engagement team will lead sessions on cybersecurity best practices and resources for U.S. SLTT organizations. Learn more and register at https://www.samishtribe.nsn.us/departments/it/ms-isac-regional-event.

October 29

The Ransomware Cybersecurity Summit will take place virtually. Ransomware attacks have become one of the most pressing threats to organizations across industries. This conference gathers cybersecurity experts to dive deep into the ransomware landscape, explore proactive defense strategies, and provide actionable guidance for effective recovery and long-term resilience. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/ransomware25/.

October 30

The 10th Edition of the Seattle/Bellevue Cybersecurity Summit will take place at the Hyatt Regency Bellevue in Bellevue, WA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/seattle25-oct/.

November

November 6

The 7th Annual Houston Cybersecurity Summit will take place at the Westin Houston, Memorial City, in Houston, TX. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/houston25/.

November 13

The Identity & Access Cybersecurity Summit will take place virtually. This conference brings together leading experts to explore how security teams can reinforce identity security and ensure access is granted only to the right individuals at the right time. Dive into cutting-edge strategies to protect your workforce, systems, and data from evolving identity-based threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/identityaccess25-nov/.

November 18

The 16th Edition of the New York Cybersecurity Summit will take place at the Sheraton New York Times Square Hotel in New York, NY. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/newyork25-nov/.

November 18 – 21

Microsoft Ignite will be held at the Moscone Center in San Francisco, CA. Microsoft users from around the world will come together to discover solutions that will help modernize and manage their own intelligent apps, safeguard their business and data, accelerate productivity, and connect with partners while growing their community. The CIS team will be on the expo floor at Booth 5337 sharing our resources for working securely in Microsoft environments. Learn more at https://ignite.microsoft.com.

November 19

The Nationwide Cybersecurity Summit will take place virtually. This immersive event offers actionable insights through interactive panels and keynote sessions, covering topics such as zero trust, ransomware defense, and the impact of AI on cybersecurity. Attendees will gain access to CISO-led discussions, regulatory updates, and cutting-edge security solutions. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/nationwide25/.

November 20

The 10th Annual Los Angeles Cybersecurity Summit will take place at the Fairmont Century Plaza in Los Angeles, CA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/losangeles25/.

November 20 – 22

The National League of Cities (NLC) will host the NLC City Summit at the Salt Palace Convention Center in Salt Lake City, UT. The event is one of the most comprehensive conferences for local elected officials and municipal staff. City Summit is where local leaders can connect, learn, and engage with experts and their peers; build their leadership skills and gain proven strategies to support the work they are doing in their community; and take their leadership to new heights. Learn more at https://citysummit.nlc.org/.

November 21

The U.S. Cyber Challenge Cybersecurity Summit & Awards will be held at the Carahsoft Conference & Collaboration Center in Reston, VA. Join national leaders, innovators, and security experts for a dynamic summit exploring the evolving intersection of cybersecurity, advanced technologies, and public service. As threats grow more complex and missions become increasingly digital, the Summit will spotlight how modern governments can adapt and thrive. CIS CEO John Gilligan will co-host the event's award ceremony. For more information, visit https://web.cvent.com/event/ed5a537d-63bf-409c-b88f-b9ea301bb52d/summary.

December

December 1 – 5

AWS re:Invent will take place at multiple venues in Las Vegas, NV. AWS users from around the globe will come together at AWS' premier learning event for five exciting days of keynotes, breakout sessions, chalk talks, interactive learning opportunities, and career-changing connections with AWS leaders, experts, and peers. The CIS team will be on the expo floor at Booth 461 sharing our resources for working securely in AWS environments. Learn more at https://reinvent.awsevents.com/.

December 1 – 5

The Health-ISAC Fall Americas Summit will be held at the Omni La Costa Resort & Spa in Carlsbad, CA. Attendees will learn from leading experts in health sector security at interactive educational sessions, network with C-suite decision-makers and peers in global health security, and learn how to strengthen their organization's ability to improve health sector safety through threat and solution sharing as part of the global community. For more information, visit https://health-isac.org/summitmeeting/2025-fall-americas/.

December 2

The Cloud Security Cybersecurity Summit will take place virtually. This conference will bring together executives and security leaders to navigate the most pressing challenges of securing today's cloud environments. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/cloudsecurity25/.

December 4

The 3rd Annual Jacksonville Cybersecurity Summit will take place at the Sawgrass Marriott Golf Resort & Spa in Ponte Vedra Beach, FL. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/jacksonville25/.

December 9

The Finance Cybersecurity Summit will take place virtually. This conference will bring together top industry experts to address the evolving threat landscape, share proven strategies for safeguarding financial ecosystems, and explore the tools and technologies reshaping security in financial services. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/finance25-dec/.

Interested in being a contributor?

Please contact us:

CyberMarket@cisecurity.org

www.cisecurity.org

518.266.3460

Center for Internet Security
cisecurity.org | learn@cisecurity.org | 518-266-3460
Social: @CISecurity | TheCISecurity | cisecurity | CenterforIntSec
