Train From Home on Your Schedule with OnDemand - Special Offers Available Now


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS Releases Results of the 2nd Annual Critical Security Controls Survey: From Adoption to Implementation

Interest in CSCs Growing, Barriers to Adoption, Measurable Improvements

  • Bethesda, MD
  • September 3, 2014

A new SANS survey reports 90% of organizations taking the survey have adopted some or all of the Critical Security Controls (CSCs), and that financial and government industries are leading adopters of these controls.

The CSCs are a well-known roadmap for enterprise information assurance. This new SANS survey, sponsored by EiQ Networks, McAfee/Intel Security, Qualys and Tripwire, follows up on results of a 2013 survey, which showed a 73% adoption rate.

"Organizations across a broad range of industries are making steady progress toward adopting, integrating and automating the CSCs," says James Tarala, SANS Analyst and author of the survey results paper. "Still there are problems inhibiting adoption of all of the controls. Staffing issues, lack of budget and silos that limit communication between IT security and operations continue to be barriers adopters encounter."

In this 2014 survey, 63% of respondents blamed adoption woes on insufficient staffing or personnel resources, 54% cited lack of budget, and 36% blamed adoption problems on the ongoing disconnect among operational and security silos. These are key problems identified in last year's survey that haven't gone away.

Not all have adopted all controls, nor are they following the order of the controls currently listed as 1-20. But of those who are able to measure improvement from the controls they've adopted, 24% cited clearer visibility, 16% noted the controls improved risk posture and 11% improved their ability to detect advanced attacks

"The survey identifies a number of things the Council on CyberSecurity [which hosts the controls] can do to support the community of adopters, says Tony Sager, director of the SANS Innovation Center and chief technologist for the Council on CyberSecurity. "For example, they can use more guidelines and case studies, which we are working on."

The need for more usable case studies of successful implementations was identified by 65% of respondents, while 54% said they need better operational best practices.

Because the primary sectors represented in this survey were financial and government, creating guidelines for these two sectors would be a great place to start sharing new information on best practices from those working in the front lines across these sectors.. Sager adds, "The Controls are not about having the best list of things to do--they are about members of a community helping each other improve their security!"

Full results will be shared during a September 9, 2014, webcast at 1 PM EDT. Register to attend the complimentary webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and CSC expert, James Tarala.

Hear about wins & misses with Critical Security Controls. Webcast 9/9, 1 pm EDT. #securitycontrols

9/9 Webcast: full results of Critical Security Controls survey & current state of adoption. #INFOSEC

What advances & difficulties have CSC adopters encountered in adopting controls? Webcast 9/9. #INFOSEC

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (