

Start Secure, Stay Secure

The key to developing a strong, effective cyber defense strategy to protect your organization isn't buying the shiniest new technology or following the latest industry hype — it's starting with well-established security fundamentals and developing a strong foundation to build off of.
Rethinking Software Development and Maintenance in the Age of AI
New and Updated Resources to Help Implement CIS's Security Best Practices
Strategies for Gaining Leadership Buy-in for Your Security Awareness Program
Building a Secure Foundation for Your Cybersecurity Program Using CIS Controls IG1
For questions or information concerning this publication, contact CIS at learn@cisecurity.org or call 518.266.3460
Summer 2025 Volume 9 Issue 2
Editor-in-Chief
Michael Mineconzo
Managing Editor
Jay Billington
Copy Editors
Autum Pylant
David Bisson
Staff Contributors
Sarah Day
Josh Franklin
Stephanie Gass
James Globe
Carlos Kizzee
Charity Otwell
Autum Pylant
Robin Regnier
Thomas Sager
Natalie Schlabig
Valecia Stocchetti
© 2025 Center for Internet Security. All rights reserved.


Quarterly Update with John Gilligan
"The MS-ISAC remains a primary source of support for many U.S. SLTT organizations, especially those that are referred to as 'cyber underserved.'"
With the recent U.S. military actions in Iran, the cybersecurity community is preparing for retaliation from Iran and its proxies. From experience, the issue is not "if" but "when" and "how" they retaliate. Some sectors have already seen a significant increase in cyber attacks. Also, the pattern of cyber attacks as a prelude to or a substitute for military action is now well established. Unfortunately, much of the nation's critical infrastructure remains vulnerable to such attacks. Schools, hospitals, water treatment facilities, and government offices continue to fall victim to ransomware, phishing, and denial-of-service attacks. The Multi-State Information Sharing and Analysis Center® (MS-ISAC®) continues to focus on improving the cyber defenses and resilience of U.S. State, Local, Tribal, and Territorial (SLTT) organizations.
Funding actions taken by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) in March reduced the funding available for the MS-ISAC by 50%. These reductions followed the elimination of funding for the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) in February. None of this changed the fact that the MS-ISAC remains a primary source of support for many U.S. SLTT organizations, especially those that are referred to as "cyber underserved" (i.e., those who do not have much technical expertise or funding and, as a result, are largely ignored by most cyber vendors).
The Center for Internet Security® (CIS®) has continued to fund the impacted services for an interim period. The MS-ISAC Executive Committee, in working with CIS, has launched a fee-based membership model to fill the gap left by the funding reduction. In this issue, Carlos Kizzee, SVP for MS-ISAC Strategy and Plans, describes this new model and answers common questions about the model.
The overall theme for this quarter's issue is security fundamentals. This is appropriate because failure to enforce security fundamentals continues to be the single most likely root cause of cyber incidents. The CIS Security Best Practices team provides an article discussing how to master CIS Controls Implementation Group 1 (IG1) as well as a new course from SANS covering IG1. The CIS Community Defense Model has shown that implementing IG1 protects an organization against more than 80% of the most common cyber attack patterns. In addition to this article, the Security Best Practices team outlines several new and updated resources for the CIS Critical Security Controls and CIS Benchmarks.
Lance Spitzner from SANS explains how to secure leadership buy-in for security awareness programs. This is an important topic for organizations that are dealing with tight budgets but need training on best practices to defend against increasing cyber attacks.
With the growth of interest in artificial intelligence (AI), we also have two articles that address AI products. James Globe, VP of Strategic Cybersecurity Capabilities, proposes rethinking the software development lifecycle for AI products. In addition, Stephanie Gass lays out practical steps on AI governance for leaders.
I hope you enjoy this quarter’s issue. Have a great summer!
Best Regards,

John M. Gilligan President & Chief Executive Officer Center for Internet Security

News Bits & Bytes
CIS Awards Nearly $250,000 to Purdue University’s Technical Assistance Program
The Center for Internet Security® (CIS®) is proud to announce that Purdue University’s Cyber Technical Assistance Program (cyberTAP) has been selected as the 2025 recipient of the Alan Paller Laureate Program grant. The nearly $250,000 award will support Purdue cyberTAP’s mission to enhance cybersecurity resilience among rural electric cooperatives and other underserved critical infrastructure providers.
This grant, named in honor of CIS Co-Founder Alan Paller, recognizes organizations that demonstrate exceptional commitment to advancing practical cybersecurity solutions and workforce development. Purdue cyberTAP was selected for its innovative approach to delivering cybersecurity services grounded in the CIS Critical Security Controls. Learn more about Purdue cyberTAP and the Alan Paller Laureate Program here.
New CIS Hardened Images Guide Now Available
Get practical guidance for securing cloud environments with CIS Hardened Images, our secure, compliant, easy-to-deploy virtual machine images. The new resource provides quick access to background information, essential files, links, and documentation for securely deploying and managing CIS Hardened Images in your organization's cloud environment. Whether you're just getting started on your cloud journey and looking for help with onboarding and setup, or a seasoned pro looking to troubleshoot your deployment, this resource provides the knowledge needed to use CIS Hardened Images successfully. Access the guide here.

FFIEC CAT Sunset: What You Need to Know
The Federal Financial Institutions Examination Council (FFIEC) developed its Cybersecurity Assessment Tool (CAT) to help financial institutions demonstrate compliance by identifying their risks and determining their cybersecurity preparedness. The FFIEC announced it will sunset CAT on August 31, 2025, potentially altering how these organizations inform their cyber risk management strategy.
This change affects supervised financial institutions that used FFIEC CAT as their cybersecurity self-assessment tool. These institutions will continue to be subject to risk-focused examinations going forward. Learn more on how you can proactively adapt to this event here.

CIS Statement on the Passing of CIS Co-Founder and Board Director Ramon Barquin
CIS marks with deep sadness the passing of our dear friend and colleague, Dr. Ramon Barquin, Director of the CIS Board of Directors.
Ramon's career spanned more than five decades and took him to five continents. With a Ph.D. from MIT in electrical engineering and mathematics, Ramon taught at MIT, the Chinese University of Hong Kong, and the University of Maryland, and he made significant contributions during his time at IBM before founding Barquin International. He helped found The Data Warehousing Institute and brought his leadership to roles at The Washington Consulting Group, Atlantic University College, the Washington Hospital Center, and the DHS Data Privacy and Integrity Advisory Committee.
In 2000, he hosted the meeting that would become the birthplace of CIS. For nearly 25 years after, he served as a guiding light on our Board. The CIS Board of Directors and leadership team express their heartfelt condolences to Ramon’s family, friends, and colleagues, as they mourn the loss of this remarkable individual who impacted so many lives. Read more about Ramon and his invaluable contributions to the world here.
Maintenance Is Not a Bug Fix: Rethinking the Development Lifecycle for AI Products
Modern software maintenance encompasses more than bug fixes. It is the proactive and continuous practice of sustaining the reliability, efficiency, security, and ethical alignment of digital products and services. In the age of AI, maintenance is a strategic function that safeguards long-term product value, user trust, and operational sustainability
By James Globe
In today's software landscape, speed rules everything.
The software development life cycle (SDLC) and product development life cycle (PDLC) have long prioritized feature releases and rapid iteration. Teams sprint toward releases, launch new functionality, and move on to the next big deliverable. Bug fixes are slotted in reactively only when something breaks. But what’s missing from this model?
Maintenance.
Not the kind where a broken button gets fixed or a server gets restarted. We're talking about strategic, ongoing product sustainability. And in the age of large language models (LLMs) and services driven by artificial intelligence (AI) — where infrastructure costs are rising and models degrade over time — the lack of a formal maintenance phase could prove catastrophic.
Feature Factories and Forgotten Foundations
Modern SDLCs prioritize speed and iteration. Agile, DevOps, and product-led growth strategies all revolve around building and shipping quickly. This makes sense in theory: user needs evolve, competitors move fast, and technology waits for no one. This approach to software development has served us well for decades. But this "feature factory" culture leaves little room for sustaining what has already been built. Quality control often plays catch-up. Product longevity is rarely celebrated. Sustainability becomes an afterthought. Maintenance becomes a secondary task, something to do if there is time between releases or, worse, only when something breaks.
In AI and LLM-driven products, purely feature-driven development is risky. AI models degrade over time. We are moving into an age in which products depend on large amounts of data, and that data is a living, changing commodity: context and usage patterns are dynamic and evolve. Without proactive maintenance built into the life cycle, these systems lose alignment with their purpose and with their users. Organizations will have to shift paradigms for data-driven products and services because, without intentional maintenance, even the best AI products erode in value, reliability, and trust. As infrastructure requirements and service offerings grow more complex, sustainability, observability, and ethical safety nets must be built into the life cycle as maintenance work rather than left for a crisis.
Bug Fixes Aren’t Maintenance
Too often, organizations mistake bug fixing for maintenance, but squashing bugs is reactive. True maintenance is proactive and strategic. Traditionally, software maintenance meant updating code, patching vulnerabilities, and ensuring uptime. In the world of LLMs and AI products, that is not enough. I have created a new definition of what I call "Modern Software Maintenance": the proactive and continuous practice of sustaining the reliability, efficiency, security, scalability, and ethical alignment of digital products and services after deployment. It goes beyond bug fixes to include retraining models, optimizing infrastructure, validating data pipelines, resolving tech debt, performing ethical audits, conducting data privacy self-assessments, and retiring outdated components. It must also encompass monitoring environmental impact and supporting product longevity. Organizations must also keep their systems available, performing maintenance and upgrades without downtime.
Modern software maintenance encompasses reviewing pipelines before they break. It’s retraining a model before it drifts. It’s renewing documentation, testing vector databases for data decay, and auditing zero trust access policies before a breach.
Maintenance includes:
• Monitoring model behavior over time
• Updating APIs, libraries, and third-party dependencies
• Ensuring model outputs remain ethical, relevant, and aligned with changing societal norms
• Optimizing infrastructure costs (e.g., token usage in LLM APIs)
• Retiring or consolidating features that no longer serve users
These are not glamorous tasks, but they are essential.
The LLM Era: Why Maintenance Matters More Than Ever
Organizations will have to come to grips with the reality that software maintenance is a mandatory phase of their SDLC or PDLC going forward. New features will still make headlines; however, system reliability, availability, and trustworthiness will be the new product differentiators.
AI systems don't just run; they evolve, or at least they should. LLMs are built on large, compute-heavy infrastructures. Fine-tuning, serving, updating, and monitoring these models require significant investments of both time and money. Without continuous care, the results can be damaging:
• Model Bias and Drift: LLMs can diverge from intended behavior due to outdated data or changing usage patterns.
• Infrastructure Waste: Unoptimized models, APIs, or RAG pipelines consume costly resources.
• Security and Compliance Risks: Unpatched dependencies, outdated datasets, and hallucinating chatbots may lead to ethical or legal violations.
• Loss of Trust: Users will abandon tools that become unreliable or irrelevant.
• Performance Decay: Chatbots using old data might provide outdated or incorrect information.
• Spiraling Costs: Running unused models and bloated APIs without optimization increases costs.
These risks are significant in a context where infrastructure costs, particularly for GPUs and LLM APIs, are inflationary and unpredictable. This economic trend requires organizations to focus on optimizing their builds, not just scaling them. The hallucination rate of an on-premises LLM product can be expected to rise within six months if the maintenance team does not plan regular model updates. Organizations also need to monitor their cloud costs: a vector store can grow silently, and its storage bill with it, when unnecessary or duplicate embeddings are retained.
Neglecting AI maintenance can result in hidden costs such as infrastructure waste, reputational damage, regulatory risk, and user frustration.
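The vector-store cost problem described above is one that a periodic audit can catch. The following is an added example, not code from the article: it assumes embeddings can be exported from the store as (record id, vector) pairs and uses constructed, low-dimensional vectors as stand-ins for real embeddings. Exact duplicates are found by hashing a rounded copy of each vector; near-duplicates (the same source text re-embedded after trivial edits) are found by a pairwise cosine scan over one representative per exact group.

```python
"""Duplicate-embedding audit for a vector store (added example).

Assumes embeddings can be exported as (record id, vector) pairs. The vectors
below are constructed, low-dimensional stand-ins for real embeddings.
"""
import math
from collections import defaultdict
from typing import Iterable, Sequence

Vector = Sequence[float]


def _quantise(vec: Vector, places: int = 6) -> tuple:
    """Round each component so float noise from re-encoding identical text
    collapses onto one hashable key."""
    return tuple(round(x, places) for x in vec)


def cosine(a: Vector, b: Vector) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        raise ValueError("zero-length vector")
    return dot / (norm_a * norm_b)


def exact_groups(records: Iterable[tuple[str, Vector]]) -> list[list[str]]:
    """Group record ids whose vectors are identical after rounding."""
    groups: dict = defaultdict(list)
    for rid, vec in records:
        groups[_quantise(vec)].append(rid)
    return [ids for ids in groups.values() if len(ids) > 1]


def near_pairs(records: Sequence[tuple[str, Vector]],
               threshold: float = 0.99) -> list[tuple[str, str, float]]:
    """Pairwise cosine scan. O(n^2): meant for a periodic audit over a
    sample or a shard, not for every ingest."""
    hits = []
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            sim = cosine(records[i][1], records[j][1])
            if sim >= threshold:
                hits.append((records[i][0], records[j][0], sim))
    return hits


def audit(records: Sequence[tuple[str, Vector]], threshold: float = 0.99) -> dict:
    exact = exact_groups(records)
    redundant = sum(len(g) - 1 for g in exact)
    # Keep one representative per exact group so the near-duplicate report
    # is not dominated by rows already reported as exact copies.
    seen: set = set()
    representatives = []
    for rid, vec in records:
        key = _quantise(vec)
        if key not in seen:
            seen.add(key)
            representatives.append((rid, vec))
    return {
        "rows": len(records),
        "exact_groups": exact,
        "redundant_rows": redundant,
        "reclaimable_fraction": redundant / len(records) if records else 0.0,
        "near_pairs": near_pairs(representatives, threshold),
    }


# Constructed export: doc-002 is a re-ingested copy of doc-001, doc-003 is the
# same text with float noise, doc-005 is a lightly edited doc-004.
SAMPLE = [
    ("doc-001", [0.12, 0.98, 0.05, 0.33]),
    ("doc-002", [0.12, 0.98, 0.05, 0.33]),
    ("doc-003", [0.1200000001, 0.98, 0.05, 0.33]),
    ("doc-004", [0.90, 0.10, 0.05, 0.02]),
    ("doc-005", [0.89, 0.11, 0.06, 0.02]),
    ("doc-006", [0.00, 0.20, 0.95, 0.10]),
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(f"{result['rows']} rows, {result['redundant_rows']} exact-duplicate rows "
          f"({result['reclaimable_fraction']:.0%} reclaimable)")
    for a, b, sim in result["near_pairs"]:
        print(f"near-duplicate: {a} ~ {b} cosine={sim:.4f}")
```

On the constructed sample the audit reports one exact group of three rows (two of them reclaimable) and one near-duplicate pair. The 0.99 cosine threshold is a starting point; tune it against a labelled sample from your own corpus before deleting anything, and treat near-duplicate hits as candidates for review rather than automatic deletions.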
Building for Sustainability
Unless an organization possesses extensive infrastructure budgets comparable to major technology companies, sustaining LLM products without a structured maintenance plan is untenable. Open-source LLMs progress rapidly, prompt structures evolve, and commercial LLM API pricing models are dynamic and likely to change as the industry stabilizes over the coming years. Even minor updates to models or APIs can influence latency, output quality, or token cost. The majority of LLM-based services not developed by Big Tech entities are already at risk of becoming unsustainable without proactive maintenance strategies.
It is essential to have a plan for:
• Scheduled retraining or fine-tuning
• Ensuring API backwards compatibility and integrity
• Conducting regular performance and cost audits
• Validating guardrails and monitoring behaviors
• Tracking data freshness and checking pipeline integrity
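Two of the items above, monitoring model behavior over time and validating guardrails, need a concrete signal to act on. The following is an added example rather than code from the article: it assumes the service writes one log line per request carrying an outcome label from an existing output classifier (the field name, category names and log lines are all constructed) and scores the current window against a release-time baseline with the Population Stability Index (PSI), the same statistic commonly used to detect feature drift in classical ML.

```python
"""Output-distribution drift monitor for an LLM-backed service (added example).

Assumes one request log line per call with an `outcome=` label produced by an
existing output classifier. Field name, categories and sample lines are
constructed for the example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Mapping

CATEGORIES = ("answered", "refused", "escalated", "flagged")
OUTCOME_RE = re.compile(r"\boutcome=([a-z]+)")

EPSILON = 1e-6  # floor for empty bins so the log term stays finite
# Common PSI rules of thumb: < 0.10 stable, 0.10-0.25 watch, > 0.25 act.
WATCH_THRESHOLD = 0.10
ALERT_THRESHOLD = 0.25


def count_outcomes(log_lines: Iterable[str]) -> Counter:
    """Tally the outcome label on each request log line.

    Lines without a recognised label are skipped here; in production surface
    that count too, since a classifier that stops labelling is itself drift.
    """
    counts: Counter = Counter()
    for line in log_lines:
        match = OUTCOME_RE.search(line)
        if match and match.group(1) in CATEGORIES:
            counts[match.group(1)] += 1
    return counts


def _shares(counts: Mapping[str, int]) -> dict:
    total = sum(counts.get(c, 0) for c in CATEGORIES)
    if total == 0:
        raise ValueError("window has no labelled outputs")
    return {c: max(counts.get(c, 0) / total, EPSILON) for c in CATEGORIES}


def psi(baseline: Mapping[str, int], current: Mapping[str, int]) -> float:
    """Population Stability Index between two outcome-count windows."""
    base, cur = _shares(baseline), _shares(current)
    return sum((cur[c] - base[c]) * math.log(cur[c] / base[c]) for c in CATEGORIES)


@dataclass(frozen=True)
class DriftReport:
    psi: float
    status: str  # "stable", "watch" or "alert"
    shares: dict  # category -> (baseline share, current share)


def check_drift(baseline: Mapping[str, int], current: Mapping[str, int]) -> DriftReport:
    value = psi(baseline, current)
    if value > ALERT_THRESHOLD:
        status = "alert"
    elif value > WATCH_THRESHOLD:
        status = "watch"
    else:
        status = "stable"
    base, cur = _shares(baseline), _shares(current)
    return DriftReport(value, status, {c: (base[c], cur[c]) for c in CATEGORIES})


# Baseline: outcome counts aggregated at release time (constructed).
BASELINE = {"answered": 850, "refused": 100, "escalated": 40, "flagged": 10}

# Current window: constructed request log lines from a later day.
CURRENT_LOG = """\
2025-06-02T09:00:01Z req=a1 model=v3 outcome=answered latency_ms=820
2025-06-02T09:00:04Z req=a2 model=v3 outcome=flagged latency_ms=910
2025-06-02T09:00:09Z req=a3 model=v3 outcome=answered latency_ms=780
2025-06-02T09:00:12Z req=a4 model=v3 outcome=escalated latency_ms=1300
2025-06-02T09:00:15Z req=a5 model=v3 outcome=flagged latency_ms=950
2025-06-02T09:00:20Z req=a6 model=v3 outcome=answered latency_ms=805
2025-06-02T09:00:22Z req=a7 model=v3 outcome=refused latency_ms=400
2025-06-02T09:00:27Z req=a8 model=v3 outcome=answered latency_ms=790
2025-06-02T09:00:31Z req=a9 model=v3 outcome=flagged latency_ms=930
2025-06-02T09:00:35Z req=b0 model=v3 outcome=answered latency_ms=810
""".splitlines()

if __name__ == "__main__":
    report = check_drift(BASELINE, count_outcomes(CURRENT_LOG))
    print(f"PSI={report.psi:.3f} status={report.status}")
    for category, (base_share, cur_share) in report.shares.items():
        print(f"  {category:10s} baseline={base_share:.3f} current={cur_share:.3f}")
```

In the constructed window the share of flagged outputs jumps from 1% to 30%, which alone pushes the PSI well past the alert threshold; a window that differs from the baseline by a percentage point or two scores close to zero. Run the check on a schedule, record the timestamp of the first alert, and the "Drift Response Time" KPI mentioned later in the article becomes the gap between that timestamp and the model refresh that brings the status back to stable.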
Without such a plan, the products and their underlying infrastructure will gradually deteriorate until failure occurs, resulting in brand damage, increased costs, and diminished user confidence.
Responsible AI product development necessitates a shift in mindset: viewing AI products not as static artifacts but as living systems. This involves:
• Integrating maintenance into roadmaps rather than relegating it to backlogs
• Establishing AI product stewards — dedicated roles or teams responsible for life cycle health
• Defining KPIs for maintenance, such as "Mean Time to Model Refresh" or "Drift Response Time"
• Evaluating ethical alignment regularly through internal audits and user feedback
• Decommissioning or simplifying features and systems that no longer provide value
Prioritize maintenance in product development. Your product development team may need a mindset shift away from purely feature-driven Agile habits toward treating maintenance as a deliverable alongside new features. Your organization's developers will have to start including the following factors in their SDLC and PDLC activities:
• Design for Maintenance: Integrate it from the start.
• Create Maintenance KPIs: Track metrics like "Mean Time to Model Refresh" and "Drift Detection Frequency."
• Assign Ownership: Establish roles such as AI Product Stewards.
• Budget for It: Include resources for updates and monitoring in TCO.
• Celebrate Longevity: Recognize products that sustain performance.
Use maintenance playbooks and embed life cycle hooks across CI/CD pipelines. Remember, maintenance is an upstream principle.
Conclusion: Make Maintenance Sexy Again
Maintenance builds trust, ensures system availability, and protects an organization's market position. It keeps your LLM thriving, reduces costs, protects users, and aligns technology with its purpose. Reliable tech requires long-term care. In the age of LLMs and AI services, maintenance must be deliberate, strategic, and continuous. Success involves ongoing care not just at launch but every day thereafter. Successful AI products are designed to evolve over time rather than shipping once and fading away. A product that adapts to its users and the world is a product that endures.
James Globe, CISSP, is the Vice President, Strategic Advisor Cybersecurity Capabilities at the Center for Internet Security® (CIS®). Globe serves as the senior leader within Operations and Security Services (OSS), responsible for advising on strategic cybersecurity capabilities, the cybersecurity workforce, data analytics, frameworks, and emerging and enabling technologies for use by U.S. SLTT members.
He has more than 20 years in technology leadership, including extensive experience engineering signals intelligence mission systems, workflow management systems, financial and banking systems, modeling and simulation systems, and web-based information portals for top-tier banking and defense contracting organizations, including Bank of America, SAIC, BAE Systems, and L3Harris Technologies.
Globe earned a Bachelor of Science in computer science and mathematics from Georgia State University. He also holds a Master of Science from Johns Hopkins University in telecommunications and security engineering.
Updates and New Resources for CIS's Security Best Practices
To help organizations stay ahead of evolving cyber threats, the CIS Security Best Practices team is continuously developing new security guidance and updating existing guidance, with assistance from our global community of IT security experts
By Sarah Day, Josh Franklin, Charity Otwell, Robin Regnier, Thomas Sager, and Valecia Stocchetti
The CIS Security Best Practices team has been hard at work developing and updating our extensive catalog of resources to help support users of the CIS Critical Security Controls® (CIS Controls®) and CIS Benchmarks®. Below are some of the exciting new updates that we've implemented to help people and organizations adopt our security best practices and make the connected world a safer place.
New CIS Controls Resource Webpage
We are excited to share that we have a new webpage for CIS Controls Resources. Not only can you find our resources by version, but you can also find them by category. Here are the new categories:
• About the CIS Critical Security Controls
• Environment-Specific Guidance
• Assess and Measure
• Implementation Tools/Guidance
• Minimize Your Threats
• Other Security Frameworks
• Success Stories
• Training, Webinars, and Podcasts
• Translations
New to CIS Controls v8.1 and trying to figure out what's next? Consider downloading:
• Guide to Implementation Groups
• A Roadmap to the CIS Critical Controls
• Establishing Essential Cyber Hygiene v8.1
The Cost of Cyber Defense: CIS Controls Implementation Group 1 (IG1)
Looking to implement cyber defenses? You probably want to know three things:
1. Which protections will you start with?
2. Which tools will be needed to implement those protections?
3. How much will an implementation cost?
Our guide, The Cost of Cyber Defense: Implementation Group 1 (IG1), which was recently updated, can help you answer those questions.
This guide organizes the CIS Safeguards of IG1, a subset of the Controls which helps you to establish essential cyber hygiene, into logical categories. It also identifies the types of tools needed to deploy and maintain these security actions.
To estimate the cost to implement these Safeguards, we researched the cost of licensing the commercial versions of the required tools for each of the 10 categories. Our estimate shows that obtaining and deploying commercially-supported versions of the tools should be less than 20% of the Information Technology (IT) budget for any size enterprise.
Download The Cost of Cyber Defense v1.1: CIS Controls IG1 to see how realistic and cost effective it can be for you to achieve essential cyber hygiene.
CIS Controls Assessment Specification
The CIS Controls are designed to help enterprises establish a robust foundation for their cybersecurity program. Since the CIS Controls cover a wide array of areas across many different asset types, measuring their implementation can be a complex task.
The purpose of the CIS Controls Assessment Specification is to provide a common understanding of what should be measured in order to verify that CIS Safeguards are properly implemented. The hope is that those developing related tools will then build these measures into their tools so that the CIS Controls are measured in a uniform way.
The Controls Assessment Specification focuses on determining whether or not a Safeguard has been implemented. For enterprises looking to measure how well a Safeguard has been implemented, the CIS Controls Self Assessment Tool (CSAT) can assist. Both are important aspects of implementation for enterprises; they simply measure in different ways.
Additionally, it is important to note that the Controls Assessment Specification focuses on what to measure and not how to measure. For example, details for a specific configuration setting are not specified in the Controls Assessment Specification, since each technology is different and there is no single way to identify those configuration settings across the various technology platforms. The goal is to be generic enough to accommodate those variations while still providing a way to measure. For specific configuration settings, refer to the CIS Benchmarks.
The CIS Controls Assessment Specification is available for CIS Controls v8.1, v8, and v7.1.
OSCAL Adoption
OSCAL, the Open Security Controls Assessment Language, is a set of formats developed by the National Institute of Standards and Technology (NIST) together with other experts in the industry. OSCAL provides a way to express control catalogs, system security plans (SSPs), and assessments in machine-readable formats such as XML, JSON, and YAML, instead of manually combing through pages of documents to build spreadsheets and other hand-maintained documentation. The end result is a method that lets you easily access content from control catalogs and other security documentation, allowing an organization to focus on the things that matter most and cut out the administrative work of maintaining manual documentation. OSCAL also assists with automating mappings and eases an organization's transition from one framework version to the next.
With the Controls adopting OSCAL, we are committed to helping our users and product vendors automate both our controls catalog and the mapping process. OSCAL serializations of the Controls are currently available for both Version 8 and Version 8.1. End organizations can use these catalogs in their own tooling or encourage product vendors to adopt the OSCAL serialization in theirs.
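As an added illustration of what a machine-readable catalog buys you (this is not CIS's tooling, and the catalog content is a constructed placeholder that only follows the OSCAL catalog model's JSON layout), the following walks a catalog's groups and nested controls, checks that control ids are unique, and emits the flat index that would otherwise be built by hand from a PDF.

```python
"""Walk an OSCAL catalog and build a flat control index (added example).

The catalog below follows the OSCAL catalog JSON layout (catalog -> groups ->
controls -> nested controls, each with parts carrying prose), but its uuid,
ids, titles and prose are constructed placeholders, not the content of the
CIS Controls catalog.
"""
import csv
import io
import json
from typing import Iterator

SAMPLE_CATALOG = json.dumps({
    "catalog": {
        "uuid": "0f7e2d5a-2a3b-4c8d-9e1f-1234567890ab",
        "metadata": {"title": "Example control catalog", "version": "1.0",
                     "oscal-version": "1.1.2"},
        "groups": [
            {"id": "grp-1", "title": "Asset inventory", "controls": [
                {"id": "ctl-1", "title": "Maintain an asset inventory",
                 "parts": [{"id": "ctl-1_smt", "name": "statement",
                            "prose": "Keep an accurate inventory of enterprise assets."}],
                 "controls": [
                     {"id": "ctl-1.1", "title": "Review the inventory",
                      "parts": [{"id": "ctl-1.1_smt", "name": "statement",
                                 "prose": "Review and update the inventory on a schedule."}]},
                 ]},
            ]},
            {"id": "grp-2", "title": "Access control", "controls": [
                {"id": "ctl-2", "title": "Use unique accounts",
                 "parts": [{"id": "ctl-2_smt", "name": "statement",
                            "prose": "Assign each user a unique account."}]},
            ]},
        ],
    }
})


def load_catalog(text: str) -> dict:
    """Parse an OSCAL JSON document and return the catalog object."""
    doc = json.loads(text)
    if "catalog" not in doc:
        raise ValueError("not an OSCAL catalog document")
    return doc["catalog"]


def _statement(control: dict) -> str:
    """Return the prose of the control's 'statement' part, if any."""
    for part in control.get("parts", []):
        if part.get("name") == "statement":
            return part.get("prose", "")
    return ""


def iter_controls(catalog: dict) -> Iterator[dict]:
    """Yield every control depth-first, recording its group and parent."""
    def walk(controls, group_id, parent_id):
        for control in controls:
            yield {"id": control["id"], "title": control.get("title", ""),
                   "group": group_id, "parent": parent_id,
                   "statement": _statement(control)}
            yield from walk(control.get("controls", []), group_id, control["id"])

    def walk_groups(groups):
        for group in groups:
            yield from walk(group.get("controls", []), group["id"], None)
            yield from walk_groups(group.get("groups", []))  # groups may nest

    yield from walk_groups(catalog.get("groups", []))
    yield from walk(catalog.get("controls", []), None, None)  # ungrouped controls


def control_index(catalog: dict) -> list:
    """Flatten the catalog and refuse to index a catalog with duplicate ids."""
    rows = list(iter_controls(catalog))
    ids = [row["id"] for row in rows]
    duplicates = sorted({i for i in ids if ids.count(i) > 1})
    if duplicates:
        raise ValueError(f"duplicate control ids: {duplicates}")
    return rows


def to_csv(rows) -> str:
    """Render the index as CSV, the form most GRC tooling will import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "group", "parent", "title", "statement"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(control_index(load_catalog(SAMPLE_CATALOG))), end="")
```

The same walk, pointed at a real OSCAL catalog, is the starting point for mapping work: once every control is a row with a stable id, a mapping to another framework is a join on that id rather than a spreadsheet maintained by hand, and a version upgrade becomes a diff of two indexes.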
Connect with Peers and Help CIS's Mission in CIS WorkBench Communities
Everything we do at CIS is community-driven. Bring your IT expertise to CIS WorkBench, where you can network and collaborate with cybersecurity professionals around the world. On CIS WorkBench, users can help draft configuration recommendations for the Benchmarks, submit tickets, and discuss best practices for securing a wide range of technologies.
CIS WorkBench is where we gather feedback and input from our global community of IT professionals to help develop and update all our guides, mappings, white papers, and security best practices. If you want to help secure our ever-changing connected world and share your subject matter expertise, join one of our CIS WorkBench Communities! We're always looking for new insights to help improve our security best practices.
If you have expertise in risk, security, compliance, or technology and a collaborative spirit, you’re just the kind of person we’re looking for to help contribute to the CIS Controls Communities! Volunteer to help review, update, and develop CIS Controls resources like:
• Upcoming versions of the Controls
• Controls mappings
• Controls Cloud Companion Guide
• Controls Assessment Module
• CIS Community Defense Model
Additionally, you can also help develop and update the secure configuration guidelines of the CIS Benchmarks. Creating CIS Benchmarks recommendations requires a wide variety of skills. There are more than 12,000 professionals in the CIS Benchmarks Communities, and we're always looking for new members to help develop and maintain the CIS Benchmarks. If you're experienced with one of the following technologies, our communities could definitely use your knowledge:
• Azure DevOps
• Check Point Firewall
• Cisco (preferred focus on NX-OS, ACI, ASA, IOS, Meraki, Firepower)
• F5 Networks
• GitHub
• GitLab
• Google Android
• Juniper Networks (preferred focus on Junos OS)
• MariaDB
• Microsoft SQL Server
• Palo Alto Networks
• PostgreSQL
• VMware (preferred with ESXi expertise)
All volunteers have the benefit of working with likeminded individuals who are committed to creating confidence in the connected world. The more you participate, the more exposure you get in the community you've joined. Participating in CIS WorkBench collaborations and attending working group meetings, for instance, can result in your name being listed as a "contributor" in the respective guide, mapping, or paper, and you can earn community badges to show how you've given back to the CIS community. Editors enjoy the added benefit of earning CPEs through (ISC)² for their work.
For our SLTT and K-12 communities, we have private communities that allow members to safely share ideas, have discussions with their peers, and help develop content on essential cyber hygiene. To join either Essential Cyber Hygiene for K12s or Essential Cyber Hygiene in the SLTT environment, reach out to controlsinfo@cisecurity.org for an invitation to join.

How Public Sector Organizations Can Create Leadership Buy-In for Security Awareness & Culture Programs
For security awareness programs to be truly effective, they must scale beyond annual training and quarterly phishing simulations. To establish a culture of security, full support from leadership is needed
By Lance Spitzer
For the past five years, the Verizon Data Breach Investigations Report has consistently found that 60–65% of all breaches globally involved a human element. Security awareness and culture programs are critical to public sector organizations' cyber defenses as attacks become more targeted and sophisticated.
Teaching employees to recognize and avoid cyber threats by identifying social engineering attacks, implementing strong authentication, and securely handling data is just as important as providing best-in-class security solutions and deploying top-notch cyber analysts.
However, for security awareness programs to truly make an impact, they must go beyond annual cybersecurity training or periodic phishing tests. These initiatives must be woven into the organization's culture, fostering continuous behavioral change and proactively mitigating human risk.
Reaching this level of maturity is virtually unattainable without strong commitment and visible support from leadership. That kind of buy-in provides an organizational commitment, signaling to employees that security is a core business value, not just a compliance initiative.
The Importance of Executive Support
Visible support sets the tone for cultural change. It also makes resource allocation much easier since executive sponsorship leads to more budget, personnel and time for security awareness.
Security awareness programs often falter without leadership backing — fragmenting over time, lacking sufficient funding, and eventually losing momentum. While the advantages of executive support are well-established, many security awareness officers and security leaders continue to face significant challenges in securing that critical buy-in.
Some reasons the security team struggles to receive buy-in include:
• It's Perceived as Low Priority — Many executives view security awareness as a compliance requirement rather than a strategic investment in risk reduction.
• There's a Difficulty Communicating the ROI — Unlike technical security controls, the impact of security awareness programs can be harder to quantify, making it challenging to justify budget requests.
• Competing Priorities — In many organizations, security awareness competes with other security initiatives for attention and funding. Without precise alignment to business goals, it can be deprioritized.
Given the many reasons leaders find to avoid investing in quality cyber education resources, overcoming these challenges requires a strategic two-pronged approach. Security leaders should meet organizational leadership in the middle by appealing to the issues that matter most in leaders' eyes, such as promoting the mission and reducing risk.
Strategies for Securing Leadership Backing
1. Speak Leadership's Language
Agency leaders care about risk, reputation, and advancing the mission. Security teams should frame security awareness in terms leaders understand by identifying their strategic priorities and demonstrating how cyber training initiatives align with those priorities.
Security awareness is crucial in reducing one of the most significant elements of organizational risk: people. Security teams have become incredibly effective at using security solutions to combat cyber threats, but we continue to leave people insecure. In many ways, we're driving cyber attackers to target humans. We can manage one of our fastest-growing risks by investing in and securing our workforce.
In addition to addressing organizational risk, security awareness helps organizations promote innovation. Innovation requires adopting new ideas and technology, which also brings new challenges. A mature security awareness program empowers organizations to embrace emerging technologies like artificial intelligence while effectively managing the associated risks.
For example, AI offers significant potential to reduce resource spend by maximizing efficiency and further advancing the mission. Yet many organizations hesitate to implement it due to security and risk concerns. A well-developed security awareness program prepares the workforce to use AI tools safely and responsibly — enabling organizations to innovate, adapt faster, and maximize the value of technological advancements.
2. Use Data to Prove Impact
Numbers tell a story and can influence executives to act. Leveraging metrics underpins the argument for taking security awareness training more seriously and shows the mission value of investing in the best and most comprehensive training possible.
Security leaders can show the impact of security awareness training within their organization through metrics such as:
• Engagement — Tracking how a trained workforce prioritizes security and trusts the security team. Teams can measure the volume of questions to the security team, requests for the security team to speak at department meetings, or requests for it to get involved in new projects.
• Attacker Dwell Time — Demonstrating and tracking how a trained workforce can quickly identify and report suspected incidents, improving detection and dramatically reducing attacker dwell time.
• Account Takeover — Tracking and measuring how a trained workforce that adopts strong authentication measures reduces account takeovers, one of the most common attack vectors.
• Policy/Audit Violations — Showing how a trained workforce dramatically reduces policy and audit violations.
Security awareness programs should be a cornerstone of any cyber program to keep the enterprise safe from attackers and instill a culture of good cyber practices across an organization's workforce. While gaining leadership buy-in can be challenging, security teams can utilize metrics and language that resonates to persuade stakeholders to implement a change.
Lance Spitzner has over 25 years of security experience in cyber threat research, security architecture, and security culture and training. He played a pivotal role in pioneering the fields of deception and cyber intelligence by creating honeynets and founding the Honeynet Project. Spitzner has authored three security books, provided consultation services in 20+ countries, and has helped over 350 organizations build security behavior and culture programs to manage their human risk. He is both author and instructor for the SANS LDR433: Managing Human Risk and LDR521: Security Culture for Leaders courses. Spitzner is a frequent speaker and is active in numerous community projects. Prior to his career in information security, he served as an armor officer in the Army's Rapid Deployment Force and holds an MBA from the University of Illinois.
Lay a Cybersecurity Foundation and Master CIS Controls IG1
The key to developing an effective cybersecurity program is starting with a solid foundation. CIS Controls Implementation Group 1 (IG1) can help organizations create strong baseline policies to defend against the most prevalent cyber threats.
By Autum Pylant
Today’s digital threats don’t discriminate by size or sector. Building a solid cybersecurity foundation is no longer optional — it’s essential. Organizations of all sizes face a constant barrage of sophisticated attacks, making it crucial to implement effective security controls to enhance defenses. The CIS Critical Security Controls® (CIS Controls®) serve as a powerful cybersecurity framework that provide organizations with the prioritized guidance they need to stay secure. A vital starting point in that framework is Implementation Group 1 (IG1), also known as essential cyber hygiene.
CIS Controls IG1 = Essential Cyber Hygiene
The importance of IG1 cannot be overstated. By focusing on essential cyber hygiene, organizations can drastically improve their ability to:
• Prevent Common Attacks: The CIS Safeguards in IG1 directly mitigate the techniques used in the vast majority of cyber attacks, including malware infections, phishing scams, and ransomware.
• Gain Visibility into Assets: Knowing what hardware and software you have is the first step in protecting it. IG1 emphasizes asset inventory and management, providing a clear picture of your attack surface.
• Control Access: Implementing strong access control measures, such as multi-factor authentication and least privilege principles, limits the damage an attacker can inflict even if they gain initial access.
• Detect and Respond to Incidents: IG1 includes Safeguards for logging and monitoring security events, enabling organizations to quickly identify and respond to suspicious activity.
Implementing IG1 is not just about ticking boxes; it's about building a culture of security within your organization. It requires a commitment from leadership, engagement from IT staff, and awareness from all employees.
Effectiveness of the CIS Controls
Enterprises naturally want to know how effective the CIS Controls are against the most prevalent cyber attacks. The Center for Internet Security® (CIS®) answers that question and more through its Community Defense Model (CDM) v2.0.
The findings in the CDM demonstrate the security value of IG1 CIS Safeguards against the top five attack types: malware, ransomware, web application hacking, insider privilege and misuse, as well as targeted intrusions. These security measures defend against:
• 77% of malware ATT&CK (sub-)techniques
• 78% of ransomware ATT&CK (sub-)techniques
• 86% of web application hacking ATT&CK (sub-)techniques
• 86% of the insider privilege and misuse ATT&CK (sub-)techniques
• 83% of targeted intrusion ATT&CK (sub-)techniques
The CDM shows that IG1 provides enterprises a high level of protection, positioning them to defend against the top five attack types.
Guidance to Master CIS Controls IG1
SANS Institute is offering a new one-of-a-kind course, "SEC366: CIS Implementation Group 1™," designed to equip you with the knowledge and skills necessary to effectively implement CIS Controls IG1 within your organization.
This course provides a practical, hands-on approach to understanding and implementing each IG1 control. You'll learn how to:
• Prioritize and implement the most critical Controls
• Use free and open-source tools to enhance your security posture
• Develop policies and procedures to support ongoing security efforts
• Measure and track your progress in implementing IG1
Delivered on the SANS OnDemand platform, this six-hour course is a proactive first step toward protecting your organization’s valuable assets and building a more resilient cybersecurity posture.
Sign up to empower your organization with the foundational security controls it needs to thrive in the face of modern cyber threats. Building a strong cybersecurity foundation starts with CIS Controls IG1, and mastering IG1 starts with the right training.
Autum Pylant is the Communications Manager at the Center for Internet Security, Inc. (CIS®) where she works alongside the Security Best Practices (SBP) team to promote the CIS Controls, CIS Benchmarks, and CIS Hardened Images. She has 20+ years of communications and public affairs experience. Previously, she was a technical writer for General Dynamics Mission Systems and a news editor for Photonics Media. Pylant proudly served in the United States Air Force for 10 years as a military broadcaster for the American Forces Network (AFN). She holds a Bachelor of Science degree in computer security from Strayer University, a master’s degree in clinical mental health counseling from the University of Texas at Tyler, a Master of Public Administration (MPA) from the University of Texas at Arlington, and a doctorate in public administration (DPA) and public policy with a focus on cybersecurity governance from West Chester University of Pennsylvania.

CIS Implementation Group 1
Develop Cybersecurity Capacity
Small and medium-sized organizations face the same modern cybersecurity threats as larger enterprises, but often lack the resources and expertise to defend against them effectively. SEC366 bridges that gap by equipping non-security professionals with the foundational skills needed to implement essential security controls, empowering organizations to safeguard their critical assets and stay resilient in the face of evolving cyber risks.
Why CIS IG1 is Essential
CIS Implementation Group 1 (IG1) provides a foundational set of 56 cyber defense safeguards, a baseline standard of security for organizations of all sizes. These safeguards are particularly valuable for smaller organizations and can be implemented by non-security personnel using readily available commercial off-the-shelf hardware and software. IG1 focuses on establishing essential protections to defend against the most common cyber threats, ensuring a strong foundation for any organization’s cybersecurity efforts.
Hands-On CIS IG1 Training
Deliver Immediate Impact
Hands-on labs engage participants with simulated real-world scenarios that enhance one’s understanding of how to apply CIS IG1 safeguards in a practical, cost-effective way.
These labs cover:
• CIS Navigator and policy library review
• CIS Self-Assessment Tool (CSAT)
• Device and software inventory with PowerShell
• Secure configuration with CIS-CAT
• Scanning for sensitive data
• Building tabletop exercises
• CIS Risk Assessment Method (CIS-RAM)
Upon completion, participants will be able to:
• Efficiently reduce cyber risks with actionable safeguards
• Align cybersecurity measures with business and compliance requirements
• Report cybersecurity efforts to leadership in clear, business-focused terms
Cyberside Chat
Building Artificial Intelligence (AI) Governance
By Stephanie Gass, Senior Director of Information Security, CIS
Thank you everyone for such a successful 2025 ISAC Annual Meeting. I had the opportunity to present with a team member about building artificial intelligence (AI) governance. There were great discussions, and the topic of AI was key during multiple sessions.
I am going to take this time to write at a much higher level some foundations for your organization to consider when designing AI governance. First, we need to understand what AI governance is. AI governance is the process by which decisions are made about AI risks and the ability to manage that risk to an acceptable degree. AI governance should define priorities, tolerances, and implementation methods. Governance is key, as it assists in the prevention of misuse and unintended consequences, creates a level of public trust, and promotes innovation in safe and ethical ways.
1. Create an AI Definition
Each organization views AI differently within its own context. Does the definition refer to AI collectively or strictly to generative AI?
AI historian Pamela McCorduck defined AI as the “odd paradox” where, as computer scientists find new and innovative solutions, computational techniques once considered AI lose the title as they become common and repetitive.
This contributes to the lack of a global definition of AI. Creating a definition that is meaningful and consistent across your organization enables employees to more easily navigate the requirements that surround your AI governance program. It provides the ability for users to quickly identify tools and services defined by the organization as AI inclusive, facilitating the innovation processes.
2. Define Your Risk
Each organization should have defined risk levels and tolerances. It is critical to have the risk defined, as it informs a variety of activities throughout the organization, such as risk appetite, documentation frameworks, revenue generation, decision making and forecasting, and culture within the organization, and it provides guidance for implementing proactive security.
3. Basic Principles
Organizations, laws, and regulations are creating basic principles to guide AI, and these are the common themes we should embrace when building or using AI.
• Bias and Discrimination – Ensuring AI tools do not perpetuate or amplify biases. We need to assess that our AI tools aren’t reinforcing systemic inequalities or unfairly impacting specific groups. That starts with diverse data, regular audits, and assessing the outcomes.
• Privacy and Data Protection – Protecting user data and ensuring it is used ethically. With large models, it’s easy to forget that input data might be sensitive. Whether it’s customer information or internal IPs, we need strong controls to ensure ethical and legal use.
• Transparency and Explainability – Making AI decisions understandable. We can’t govern what we don’t understand. AI systems should be designed to provide interpretable decisions, especially in regulated environments.
• Accountability – Holding developers and users of AI accountable for its impacts. Accountability is key. We need to define clear roles, like who’s responsible for the model, its outputs, and its consequences. Is it the users or developers? This will help strengthen our governance posture.
• Safety – Ensuring AI tools do not cause harm to humans or the environment. That includes technical safety — like preventing model abuse — as well as broader safety concerns. For instance, are we deploying AI in ways that respect human well-being and environmental sustainability?
These guidelines help us decide how to build, what to monitor, and when to intervene.
4. Evaluate Your Readiness
Do you have a readiness checklist? Some key elements to consider for your checklist include organizational appetite, usage restrictions, creating a governance board, establishing an AI policy, communicating the AI policy, identifying and approving models and utilities, training requirements, ethical disclosure, production usage, and tracking success.
The Importance of Human Guidance for AI Governance
Not all organizations will need to start with the basics, but the four steps outlined above will help lay the foundation for your AI governance program. As you begin to mature, you will want to consider risk assessments, model evaluation reviews, AI lifecycles, vendor AI assessments, and overall operationalization of AI within your organization.
Finally, never forget the human element. AI is shaped by those people who build, train, and use it. This is necessary for the human-in-the-loop (HITL) concept. Human involvement provides alignment with your organizational needs, validation of the usefulness of AI outputs, identification of biases, and support for ethical and responsible use of models. People are the key to ensuring AI use and creation is ethical, fair, safe, and aligned with societal values.

Reimagining Your MS-ISAC Membership
By Carlos Kizzee, Senior Vice President of MS-ISAC Strategy & Plans
For over two decades, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) has been a cornerstone in providing essential cybersecurity services to U.S. State, Local, Tribal, and Territorial (SLTT) governments. Traditionally funded through Congressional appropriations via a Department of Homeland Security (DHS) Cooperative Agreement, recent budget cuts have threatened these crucial services. To ensure the sustainability of these offerings, the MS-ISAC is introducing a fee-based membership model for eligible SLTT entities, offering a cost-effective solution for continued access to MS-ISAC resources.
A New Era of SLTT Cybersecurity
The fee-based membership model is designed to sustain and enhance cybersecurity support for SLTT entities. By investing in membership, organizations gain access to valuable services, tailored threat intelligence, and a collaborative community. This model not only ensures continuity in combating complex threats but also bolsters national resilience by equipping even the most resource-limited SLTTs to effectively detect, respond to, and recover from cyber incidents. Through shared investment, the SLTT community can continue to develop cyber-resilient services that protect and serve their citizens.
The MS-ISAC Single Organization Membership Model empowers individual organizations to independently fund their participation in the MS-ISAC, benefiting those who prefer autonomous membership management over state or territory-wide funding. Key aspects include:
• Autonomous Funding: Organizations can independently finance their membership, granting them control over participation and financial commitments.
• Financial Adjustments: Organizations transitioning from individual to state-wide membership receive credits or refunds, ensuring financial equity.
• Core Benefits: Both Single Organization and State/Territory-Wide Memberships offer identical core benefits, providing essential resources and support.
• Optional Add-On Benefits: Members can purchase additional fee-based benefits to customize their membership according to specific needs.
• Confidentiality Assurance: Member attribution remains confidential, safeguarding privacy and security.
• Full Membership Status: All organizations are considered full MS-ISAC members and must adhere to the MS-ISAC Member Agreement and Terms & Conditions.

Benefits of New Membership Model
The Single Organization Membership Model offers a strategic advantage for organizations seeking to enhance their cybersecurity capabilities. By providing flexibility, privacy, and comprehensive support, this model empowers organizations to tailor their membership experience to meet specific needs and strategic goals.
• Flexibility and Control: Organizations can customize their membership to align with their unique requirements and strategic objectives. This autonomy allows them to manage their involvement in the MS-ISAC effectively, ensuring that their cybersecurity posture is strengthened according to their specific needs.
• Enhanced Privacy: The confidentiality of member attribution is a key feature, safeguarding sensitive information and ensuring that privacy is maintained. This assurance of privacy is crucial for organizations that handle sensitive data and require discretion in their cybersecurity operations.
• Comprehensive Support: Members gain access to core benefits and optional add-ons, providing a robust framework for enhancing cybersecurity capabilities. This comprehensive support ensures that organizations are well equipped to tackle cybersecurity challenges and protect their infrastructure.
In addition to the Single Organization membership, the State/Territory-Wide Membership option allows states or territories to fund membership for all eligible organizations within their jurisdiction, sharing only the organization’s name and contact email with the state. Both options provide the same core benefits, with additional fee-based add-ons available.
Strategic Value of MS-ISAC Membership
The MS-ISAC membership is strategically designed to offer sustainable cybersecurity solutions tailored to the needs of SLTT entities. It fosters a trusted partnership for defending community and national infrastructure, built by SLTTs for SLTTs. The membership provides a comprehensive ecosystem of cyber defense, serving as a leading example of a community defense model. With affordable pricing, it maximizes membership accessibility, ensuring that even resource-constrained entities can benefit from its offerings.
The MS-ISAC funding model is crucial for ensuring long-term support for vital cybersecurity services, thereby strengthening the SLTT community nationwide. With SLTTs at the forefront of defending against cyber attacks, the MS-ISAC, powered by the 24x7x365 CIS Security Operations Center, offers real-time threat intelligence and response to support SLTTs lacking round-the-clock security teams.
Don't let cyber threat actors disrupt the essential services you provide. Access to MS-ISAC benefits outside of the fee-based membership model will expire as of October 1. Be sure to sign up for paid MS-ISAC membership by September 30 to maintain access to your existing services and benefits, as well as new capabilities that will be rolled out in the coming months.
To enroll in the new membership model, you can sign up via the CIS Portal or contact info@cisecurity.org for assistance. For more information, read our MS-ISAC Single Organization Membership Guide.
Upcoming Events
August
August 2 - 7
Black Hat USA will be held at the Mandalay Bay Convention Center in Las Vegas, NV, with a six-day program. The event will open with four days of specialized cybersecurity Trainings (August 2–5) with courses for all skill levels, followed by the two-day main conference on August 6–7 featuring more than 100 selected briefings, dozens of open-source tool demos in Arsenal, a robust Business Hall, networking and social events, and much more. Learn more at https://www.blackhat.com/us-25/.
August 3 - 7
The Texas Association for Strategic Solutions and Collaborations in Computing (TASSCC) will host the 2025 TASSCC Annual Conference at the Grand Hyatt San Antonio River Walk in San Antonio, TX. The conference is Texas’s premier event for state IT leaders, partnering to advance education and networking among professionals supporting information technology for the Texas public sector and higher education. Learn more at https://www.tasscc.org/page/2025conference.
August 17 - 20
The National Association of State Technology Directors (NASTD) will host the 2025 NASTD Annual Conference at the Renaissance Nashville Hotel in Nashville, TN. The conference will bring together state technology leaders and professionals from across the country to address some of the latest technologies impacting state government and offer ideas on managing the resulting changes. Learn more at https://www.nastd.org/membership797440/new-page-annual-sponsorship765.
August 19
The 5th Annual Detroit Cybersecurity Summit will take place at the Detroit Marriott Renaissance Center in Detroit, MI. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. State, Local, Tribal, and Territorial (SLTT) government entities can receive free admission. Contact the CIS CyberMarket® team for more details. Learn more at https://cybersecuritysummit.com/summit/detroit25/.
August 20
The Inaugural Vancouver Cybersecurity Summit will take place at the J.W. Marriott Parq Vancouver in Vancouver, BC. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/vancouver25/.
August 24 - 27
GMIS International will host GMIS MEETS at the Westin Indianapolis Hotel in Indianapolis, IN. Created by and for leaders in the public sector IT industry, the event offers informative educational sessions on topics important in today's environment, interaction with industry-leading providers, networking opportunities, and much more. MS-ISAC Regional Engagement Manager Megan Incerto will lead a breakout session on cybersecurity resources for state and local governments. Learn more at https://www.gmis.org/page/2025homepage.
August 26
The 2nd Annual Portland Cybersecurity Summit will take place at the Hyatt Regency Portland at the Oregon Convention Center in Portland, OR. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/portland25/.
August 26
The Infrastructure Cybersecurity Summit will take place virtually. This event will examine the current landscape of cyber threats targeting critical infrastructure, with insights from security professionals across energy, transportation, healthcare, and other essential sectors. CIS SVP and Chief Engineer Marcus Sachs will speak on a panel discussing how to protect utilities from cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/infrastructure25/.

September
September 9
The Inaugural Minneapolis Cybersecurity Summit will take place at the Minneapolis Marriott City Center in Minneapolis, MN. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/minneapolis25/.
September 9 - 12
The 16th Annual Billington Cybersecurity Summit will take place at the Walter E. Washington Convention Center in Washington, D.C. Over 2,500 attendees will come together to network and learn the latest cybersecurity trends, best practices, and threats at the summit from 200+ top speakers participating in more than 40 thought-provoking general and breakout sessions exploring the key cyber topics of the day. Learn more at https://billingtoncybersummit.com/.
September 10
The 11th Edition of the Chicago Cybersecurity Summit will take place at the Hyatt Regency Chicago in Chicago, IL. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/chicago25-sept/.
September 16 - 18
The National Center for State Courts (NCSC) will host its Court Technology Conference (CTC) at the Kansas City Convention Center in Kansas City, MO. CTC provides judges, court administrators, court managers, technologists, and others with three days of learning and networking with industry experts at the world’s largest court technology conference. MS-ISAC Stakeholder Engagement Manager Elijah Cedeno will co-lead a session on the CIS Controls, IG1 compliance, and cybersecurity services for U.S. SLTTs, as well as co-lead a tabletop exercise. Learn more at https://courttechnologyconference.org/.
September 19
The 13th Edition of the Atlanta Cybersecurity Summit will take place at the Hyatt Regency Atlanta in Atlanta, GA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/atlanta25-sept/.
September 23 - 25
The National Cyber Summit will be held in Huntsville, AL, at the Von Braun Center. The summit offers unique educational, collaborative, and workforce development opportunities for industry visionaries and rising leaders. CIS SVP and Chief Engineer Marcus Sachs will lead a breakout session on encryption, engineering, and OT security, and the CIS team will be on the expo floor, sharing resources on our security best practices with attendees. For more information, visit https://www.nationalcybersummit.com.
September 25
The 8th Edition of the Philadelphia Cybersecurity Summit will take place at the Philadelphia Marriott Downtown in Philadelphia, PA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/philadelphia25-sept/.
September 30
The 6th Edition of the Columbus Cybersecurity Summit will take place at the Renaissance Columbus Downtown Hotel in Columbus, OH. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/columbus25/.
September 30
The Network Security Cybersecurity Summit will take place virtually. This virtual conference will bring together industry leaders to explore the future of network security, address critical vulnerabilities, and share actionable insights on building resilient, scalable, and secure networks. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/networksecurity25/.

September 30
The 6th Edition of the San Diego Cybersecurity Summit will take place at the Hilton San Diego Bayfront in San Diego, CA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/sandiego25-sept/.
September 30 – October 1
The National Center for State Courts (NCSC) will host its Cybersecurity and Disaster Recovery Midwest Region Workshop in St. Louis, MO. This event, part of a series of regional workshops, will help state courts and their teams make progress on their cybersecurity and disaster preparedness. MS-ISAC Stakeholder Engagement Manager Elijah Cedeno will co-lead sessions at the event on cybersecurity readiness and the CIS Controls.
October
October 2 - 3
The GovRAMP Cyber Summit will take place at the J.W. Marriott Chicago in Chicago, IL. This summit for public sector leaders, service providers, and cybersecurity professionals advancing secure cloud governance delivers expert-led sessions, policy-focused dialogue, and actionable insights centered on strengthening supplier risk management, enabling framework harmonization, and accelerating secure technology adoption across state and local governments. CIS VP of MS-ISAC Strategy and Plans Karen Sorady will lead a panel at the event discussing cybersecurity at the state and local government level. Learn more at https://govramp.org/2025-cyber-summit/.
October 8
The 10th Edition of the Silicon Valley Cybersecurity Summit will take place at the Santa Clara Marriott in Santa Clara, CA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/siliconvalley25-oct/.
October 9
The OWASP AppSec Cybersecurity Summit will take place virtually. This virtual conference, presented in partnership with OWASP, will bring together industry leaders to explore how artificial intelligence is reshaping the future of application security. Attendees will learn how organizations are using AI not just to automate vulnerability detection, but to fundamentally shift from reactive defense to proactive resilience. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/owasp-appsec/.
October 9
The 7th Annual Charlotte Cybersecurity Summit will take place at the Westin Charlotte in Charlotte, NC. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/charlotte25/.

October 9 - 10
The Healthcare Information and Management Systems Society (HIMSS) will host the HIMSS Healthcare Cybersecurity Forum in Houston, TX. The event is designed to equip healthcare executives and cybersecurity professionals with insights into the key issues at the intersection of AI and cybersecurity. Guided by experts, you’ll leave the event with strategies to secure AI-driven workflows, prevent ransomware attacks, stop data leaks, and ensure compliance with privacy regulations. Learn more at https://www.himss.org/events-overview/ai-forum-series/.
October 12 - 13
The National Association of State Chief Information Officers (NASCIO) will host the NASCIO 2025 Annual Conference at the Hyatt Regency Denver in Denver, CO. This event will bring together state CIOs and their staff from across the country to facilitate relationship building, peer learning, and collaborative problem solving among members. Learn more at https://www.nascio.org/conferences-events/annual-conference/.
October 14
The 4th Annual Tech Valley Cybersecurity Summit will take place at the Rivers Casino Event Center in Schenectady, NY. Hosted by LogicalNet, this event is an unmissable opportunity to learn from industry experts and share ideas with like-minded business leaders and executives from around the Northeast – without distractions. The CIS team will be on the show floor sharing our cybersecurity resources. Learn more at https://logical.net/cybersecurity-symposium/2025/.
October 16
The 10th Edition of the Boston Cybersecurity Summit will take place at the Westin Copley Place in Boston, MA. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/boston25-oct/.
October 17
The 7th Annual Scottsdale Cybersecurity Summit will take place at the J.W. Marriott Camelback Inn Scottsdale in Scottsdale, AZ. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/scottsdale25/.
October 21 - 22
The 15th Annual Cybersecurity Summit will take place at the Minneapolis Marriott Northwest in Minneapolis, MN. The event's mission is to bring together business, government, military, and academic leaders to collaborate, troubleshoot, showcase, and celebrate solutions for today’s critical cybersecurity challenges. Attendees will be able to attend thought-provoking sessions, network with peers across industry and government, and discover innovative solutions and strategies to keep pace with ever-changing threats. Learn more at https://www.cybersecuritysummit.org/.
October 21
The 12th Edition of the Dallas/Plano Cybersecurity Summit will take place at the Renaissance Dallas at Plano Legacy West Hotel in Plano, TX. It will bring together leaders and cybersecurity professionals to learn about the latest cyber threats. Through our partnership, U.S. SLTT government entities can receive free admission. Contact the CIS CyberMarket team for more details. Learn more at https://cybersecuritysummit.com/summit/dallas25-oct/.
October 27 - 29
CyberRisk Alliance will host InfoSec World at Disney's Coronado Springs Resort in Lake Buena Vista, FL. Now in its 31st year, InfoSec World stands as one of the premier cybersecurity conferences for business and security leaders. Recognized as The Business of Security event, it brings together industry experts, thought leaders, and practitioners to share cutting-edge insights, strategies, and solutions. The CIS team will be on the expo floor sharing our cybersecurity resources. Customers and members of CIS can receive 25% off registration with code ISW25-CIS25. Learn more at https://www.infosecworldusa.com/.
Interested in being a contributor?
Please contact us:
CyberMarket@cisecurity.org
www.cisecurity.org
518.266.3460