Announcing the SANS 2013 Critical Security Controls Survey Results!

Reducing real-world risk is the primary benefit of the CSCs, which enjoy a high level of support from CEOs and CIOs.

  • Bethesda, MD
  • June 13, 2013

SANS announces the results of its first-ever survey on the Critical Security Controls (CSCs), sponsored by FireEye, IBM, Symantec and Tenable Network Security. The survey results will be discussed at the SANSFIRE 2013 security training event in Washington, DC, June 17 and the full results will be released during a SANS Analyst Webcast on June 25 at 1 PM EDT.

In the survey, which was conducted online in April and May and drew 699 responses, only 12 percent of survey takers hadn't yet heard of the Critical Security Controls, while 73 percent said they are aware of and/or adopting the controls.

"The Critical Security Controls embody the best advice developed by an incredible range of talented people from across the entire industry and government," says SANS Director and CSC survey advisor, Tony Sager. "Even better, we're seeing the rapid emergence of a support 'ecosystem' of tools, working aids, mappings, and Use Cases, mostly created by volunteers."

The largest group to take the survey (nearly 20%) came from government agencies, but 17% of survey takers were from financial institutions. Education, high tech, health care, manufacturing and utilities also had more than 5% representation in the survey.

Respondent organizations are adapting to the Controls guidelines in phases, prioritizing the most mature security technologies (such as anti-malware, boundary security and data recovery), according to survey results. They are also making use of evolving controls, including vulnerability assessment and configuration management. But other, less mature but still widely needed technologies are not as well used at this time.

"The high level of visibility and support at the CEO/CIO level was the most surprising survey finding," says John Pescatore, SANS Director of Emerging Security Trends and author of the Critical Controls Survey report. "Enterprises and agencies are using the Critical Security Controls as a 'lens' to focus their resources on the security controls that demonstrate the most immediate real-world risk reduction to management. Security teams are using the Controls to assess and enhance existing security technologies for 'quick wins,' and wrapping newer controls into their development and upgrade cycles."

Those who register for the June 25 webcast where we release our results will be given access to the full results paper developed by John Pescatore with advice by SANS Director Tony Sager. During the webcast, attendees will learn:

  • The primary benefits for organizations adopting the controls
  • Their methodologies and processes for adopting the controls and reducing risk
  • How respondents are using controls to benchmark, measure and manage risk

Sager adds that the survey will help with the overall mission of the Critical Security Controls. "The Controls are focused on action," he explains. "What are the most effective things we can each do to improve our defenses, and how can we as a community help each other get there quickly?"

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (