Defining Reasonable Cybersecurity: A New Guide for Organizations

The Center for Internet Security, Inc. (CIS®) has released a crucial publication, “A Guide to Defining Reasonable Cybersecurity,” launched at this year’s RSA Conference, offering essential direction in a complex landscape.

Recent high-profile data breaches, significant court cases, and evolving state data privacy laws have brought the concept of “reasonable” cybersecurity into sharp focus. However, a clear and actionable definition of what constitutes “reasonable” cybersecurity has been notably absent – until now.

CIS, a respected independent nonprofit organization, in collaboration with leading technical cybersecurity and legal authorities, has addressed this gap. This defining guide provides practical and specific advice for organizations aiming to establish a cybersecurity program that meets the generally accepted standard of “reasonable cybersecurity.”

Phyllis Lee, VP of Security Best Practices Content Development at CIS, emphasizes the demand for clarity: “Many organizations turn to CIS seeking direction. In this defining guide, we present an approach, informed by various states, to help organizations understand how to achieve reasonable cybersecurity grounded in industry best practices.”

Building upon current legal and regulatory frameworks, “A Guide to Defining Reasonable Cybersecurity” establishes the minimum requirements for adequate information security safeguards. These safeguards are carefully considered against the potential risks and scale of harm resulting from a data breach.

Consequently, this defining guide is designed to be a valuable resource for a wide range of professionals, including cybersecurity experts, consultants, auditors, regulators, business leaders, consumers, legal counsel, and the courts. It aids in evaluating whether an organization’s cybersecurity program aligns with the necessary standard, particularly when data compromise leads to legal disputes or regulatory actions. Furthermore, it has the potential to proactively reduce litigation arising from data breaches.

Crucially, the defining guide illustrates how a framework like the CIS Critical Security Controls® (CIS Controls®) can be implemented in a prescriptive and verifiable manner. This approach empowers all stakeholders within the technology ecosystem to confidently assess whether appropriate and reasonable cybersecurity measures have been implemented.

Curt Dukes, CIS Executive Vice President & General Manager, Security Best Practices Automation Group, underscores the guide’s practical value: “Stating that a cybersecurity framework is adopted is insufficient. The critical aspect is proving correct implementation. The guidelines within ‘A Guide to Defining Reasonable Cybersecurity’ provide the means to achieve this crucial level of demonstrable assurance.”

For further details about the defining guide, or to arrange an interview with CIS experts, please contact Senior Media Relations Manager, Kelly Wyland at [email protected] or by phone/text at 518-256-6978.

About CIS

The Center for Internet Security, Inc. (CIS®) is dedicated to making the connected world safer for individuals, businesses, and governments through collaboration and innovation. As a community-driven nonprofit, CIS is responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for IT system and data security. CIS leads a global community of IT professionals in continuously refining these standards to proactively defend against emerging threats. CIS Hardened Images® offer secure, scalable, on-demand computing environments in the cloud. CIS is also home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted cybersecurity resource for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), supporting U.S. election office cybersecurity needs. For more information, visit cisecurity.org or follow us on X: @CISecurity.
