
Today, I will be going over Control 17 from version 7 of the top 20 CIS Controls – Implement a Security Awareness and Training Program. I will go through the nine requirements and offer my thoughts on what I’ve found.

Key Takeaways in Control 17

  • Less focus on metrics. The previous security awareness control had multiple sections on metrics and improving the overall compliance score. This round of controls is focused more on just establishing a method to deliver continuous training while only highlighting a handful of the most common attack vectors.
  • Outsourcing continues to be ideal. Security teams are already under-staffed, underfunded, and overworked. Establishing an awareness training program from scratch will be a time-consuming process that may be better suited for a third-party to develop and deliver.

Requirement Listing in Control 17

1. Perform a Skills Gap Analysis

Description: Perform a skills gap analysis to understand the skills and behaviors to which workforce members are not adhering, using this information to build a baseline education roadmap.

Notes: Performing a true skills gap analysis across the organization is going to be a time-consuming process. If you are just starting out on your journey of security awareness training for the organization, it may be best to look for a third party for help.

2. Deliver Training to Fill the Skills Gap

Description: Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.

Notes: Delivering the training closes the loop from the first section. It can take the form of in-person presentations or automated videos delivered through the web. The size and complexity of your organization will most likely determine which route you will want to go.

3. Implement a Security Awareness Program

Description: Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.

Notes: There are a couple of bullet points to break down with this section. The first is that the training should be delivered on a regular basis. Security awareness, as well as information security as a whole, is not a one-time solution. Second is that employees need to exhibit the behavior and skills based on the training they receive. Showing employees 20 bullet-pointed slides on the definitions of phishing isn’t going to cut it. You need to make it fun and engaging, then test them on what they learned after they have consumed the information.

4. Update Awareness Content Frequently

Description: Ensure that the organization’s security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

Notes: The tactics, techniques, and procedures attackers use are changing constantly. The training should reflect new attacks that are gaining popularity. Circling back to the previous section, employees are going to tune out if they receive the same training every quarter. Providing new information will help make concepts stick.

5. Train Workforce on Secure Authentication

Description: Train workforce members on the importance of enabling and utilizing secure authentication.

Notes: Some of the most high-profile attacks we’ve seen over the years could have been prevented with secure authentication, which is covered in Control 16. Strong passwords and multi-factor authentication go a long way in protecting your network.

6. Train Workforce on Identifying Social Engineering Attacks

Description: Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

Notes: As with secure authentication, many attacks against enterprises have a component of social engineering. “The human is the weakest link in the security chain” is evidenced by how successful social engineering can be. This can be the first line of defense in your security organization and should be taken seriously.

7. Train Workforce on Sensitive Data Handling

Description: Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.

Notes: Data is what attackers are most commonly after. As defenders, we take extra precautions to make sure that data is stored and transmitted in a secure manner. An employee copying sensitive data to an insecure location can undo the millions you’ve invested in security.

8. Train Workforce on Causes of Unintentional Data Exposure

Description: Train workforce members to be aware of causes for unintentional data exposures such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

Notes: Insider threats can be caused by those with the best intentions. In some cases, a data loss prevention or mobile device management tool can prevent data exposure. However, there are going to be instances where a tool cannot detect something like a user entering the wrong email address in a web form. Training is going to be part of the two-pronged approach, alongside data loss prevention, to keep private data private.

9. Train Workforce Members on Identifying and Reporting Incidents

Description: Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.

Notes: As is discussed in Control 19, the security team may not be able to identify every incident. In today’s world, it’s better to teach end users to be overly cautious and to over-report rather than under-report security incidents.
