How do cybersecurity professionals influence industry standards? A Q&A with CIS Benchmark contributors

Lacework Editorial, August 1, 2023, 5 min read

When it comes to creating standards for cybersecurity, several of our team members at Lacework aren’t just bystanders — they have a direct hand in shaping those guidelines. Welcome to our roundtable discussion with a few of the cybersecurity professionals here at Lacework: Gareth Boyes, Rachel Rice, Shaun Archer, Ellie Goggin, Daniel Burns, Andrew Thompson, Vivian Tero, Daniel Thorpe, and Sana Nagar. Each of them has played a significant role as a contributor to the Center for Internet Security (CIS) Benchmarks, the only security configuration guides shaped by consensus and widely accepted across government, business, and academic circles. Join us as they discuss the importance of these benchmarks in the current cybersecurity landscape and explain what it takes to contribute to their development and refinement.

Q: Can you explain the importance of CIS Benchmarks for those who may not be familiar with them?

Rachel: Think of the CIS Benchmarks as a handbook for securing your environment. They’re the tried-and-true methods.

Daniel B: They offer domain-specific, categorized controls for people to follow. When you’re dealing with cloud security, with all the different platforms out there, it can be tough knowing how to secure everything. These benchmarks give you a solid starting point from a security perspective, leveraging the collective expertise of a whole community.

Rachel: Exactly, it’s a collective effort. These benchmarks aren’t just one person’s opinion — they’re formed by a community consensus on the best approaches to certain things.

Ellie: And the community is so accessible. There have been times when a couple of us were unsure about something, so we joined a community meeting to gather different perspectives. It’s a great way to learn and grow.

Q: How did you first get involved with CIS and what made you interested in becoming a contributor?

Gareth: When I was going through the CIS benchmarks, I spotted a few places that seemed a bit outdated, or had room for more detail. That’s when I felt motivated to see how I could get involved and help update them.

Rachel: You can actually join the CIS communities and suggest changes right on the website. Then there are these regular community calls where everyone talks about the proposed changes. I was glad to have a chance to take a step back, and instead of just consuming what’s already published, to actively be part of the process.

Ellie: We each pick a section and end up getting a really comprehensive understanding of that field. Whether it’s a networking section or an identity section, we learn the ins and outs of it, make it better, and then do it all over again.

Daniel B: It’s nice to see the broad impact we can have as engineers. We’re not just contributing to our own product, but we’re expanding our reach across multiple countries, making a difference in the cybersecurity community as a whole. It feels great to be part of something bigger.

Shaun: We’re all very excited about this work and I think we’re making contributions that might even outshine many others in our field. It’s quite inspiring to see.

Q: What are some of the contributions you’ve made to CIS Benchmarks that you are most proud of?

Andrew: There were times when I came across sections that were worded in a way that didn’t quite make sense to me. So, a big part of my contribution has been in clearing up those complexities. Sometimes, it’s about tweaking the wording to make it clearer; other times, it’s about ensuring that the information is accurate and not misleading. I’d say that’s what I’m most proud of — making these benchmarks more user-friendly and accurate.

Q: Can you describe the process of proposing changes or updates to the benchmarks?

Daniel B: We use this online platform called the CIS Workbench. CIS has communities you can join, and there’s a web interface where you can propose changes. In some cases, you can even propose to add something entirely new. As an example, let’s say there’s some information about S3 buckets that could be improved. You propose a change, make some edits, and then, it creates a change ticket. Once you’ve signed the contributor agreement, you’re all set to make direct edits if something needs an immediate fix.

Rachel: The great thing is, once you’ve proposed changes, they don’t just disappear into the void. There are community meetings where these changes are reviewed. So, your contributions really matter.

Daniel T: We even use these benchmarks to build our draft policies. We have an automated system that asks CIS for policies for different clouds. And we do spend a good amount of time with CIS explaining some of the improvements we’ve suggested and discussing it to get their feedback.

Andrew: One interesting thing we’re doing is using the benchmarks to create Lacework policies that we use to check for cloud resources that are noncompliant with the policy. This has been a great resource in that sense.

Q: What advice would you give to someone interested in becoming a contributor to CIS Benchmarks?

Rachel: If you’re considering becoming a contributor to CIS Benchmarks, my advice would be to dive right into a community you’re interested in. Anyone can join, and it’s such a warm and welcoming group, especially during the community calls. The people at CIS who run them are incredibly supportive.

James: Everything is crowdsourced, so every voice counts. It’s all about coming to a consensus and validating everyone’s insights. It’s a fantastic platform to collaborate and contribute to the field of cybersecurity.

Daniel T: When I joined my first call, the team seemed so excited to have a new person on board. It really speaks to the inclusive and enthusiastic spirit of the community.

Learn more

The CIS Benchmarks are a crucial resource for organizations, providing tried-and-true methods and domain-specific controls for securing environments. Through the collaborative process of proposing changes and updates, CIS contributors ensure that the benchmarks stay accurate, user-friendly, and reflective of the evolving cybersecurity landscape. If you are interested in learning more about Lacework and how it can help you stay aligned with these benchmarks, we invite you to check out our website.