Skip to content ↓ | Skip to navigation ↓

In a time of limited resources, security programs are also experiencing pressure to do more with less. The 20 Critical Security Controls (20 CSC) provides the baseline for implementing the required technical controls that are required to ensure a robust network security posture.

The 20 CSC have also emerged as the “defacto yardstick by which corporate security programs can be measured,” according to the Cybersecurity Law Institute.

The controls were previously governed by SANS, but the ongoing development and adoption of the controls are now the responsibility of the Council on CyberSecurity, an independent, expert, not-for-profit organization with a global scope.

The Council on CyberSecurity was formed to seize this moment and catalyze change – specifically, to accelerate the widespread availability and adoption of effective cyber security measures, practice and policy.

In this video Tony Sager, Jim Johnson and Thom Langford discuss how implementing some or all of the 20 CSC enables an organization to ensure they have established a security program based on the broadest set of technical security controls that provide the opportunity for security to better enable the organization’s primary objectives with confidence.

Tony Sager (@CouncilonCyber) is the Chief Technologist for the Council on CyberSecurity, responsible for leading the community in identifying promising practices and leading projects to help validate, measure, scale and share these practices for widespread adoption. One of the most renowned projects Sager helped develop was the Top 20 Critical Security Controls, a large-scale, grass-roots project that includes participants and adopters from every part of the world and every portion of the cyber ecosystem. Prior to the Council on CyberSecurity, Sager served as Director of the SANS Innovation Center and Chief Operating Officer of the National Security Agency (NSA).

Jim Johnson has served as Tripwire’s President and Chief Executive Officer and as a director since 2004. Prior to joining Tripwire, Johnson spent 27 years at Intel Corporation, where he served as Vice President of the Internet Service Operation and Director of Marketing for the Internet and Communications Group. He also co-founded and served as General Manager of Intel’s PC Enhancement Division, its retail products group. Johnson holds a B.S. degree in Electrical Engineering from the University of California at Berkeley and an M.S. degree in Computer Science from Stanford University.

Thom Langford (@ThomLangford) is the Director of Security Risk Management in Sapient’s Global Office, responsible for advising on delivery, compliance and current industry security risks. Langford is also recognized as an award-winning blogger and international public speaker. Prior to his security leadership role at Sapient, Langford was as an IT Manager and IT Architecture Consultant at PricewaterhouseCoopers.


Related Resources:



picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.


picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


Title image courtesy of ShutterStock