The CIS Critical Security Controls (CIS Controls) Community is fortunate to include many experienced IT security professionals who volunteer their time and expertise to help improve cybersecurity best practices and make the connected world a safer place. Alan Watkins has been a CIS volunteer since 2017 and a Controls Ambassador since 2019. He provided editorial input to version 8 of the CIS Controls and was a major contributor to version 7.1 updates, as well.
Since 1980, Watkins has held positions in IT management, infosec, and education. He worked in the public sector for the City of San Diego for over 36 years, in law enforcement for 12 years, and then in several IT positions, culminating in his work as the City of San Diego’s IT Operations & Security Manager. He also taught graduate-level cyber courses online for 11 years. After leaving the public sector in 2011, he worked as an independent cybersecurity consultant until 2019.
Watkins was involved with the SANS 20 Critical Security Controls in the late 1990s before they became the CIS Controls. In 2017, he started promoting and using the CIS Controls as the basis for small businesses to implement cyber hygiene. As a result, he created a training course with eight modules to teach cybersecurity professionals how to implement the first six CIS Controls in v6.1 as part of a cyber hygiene program.
As an ambassador and volunteer in the CIS Controls Community, he was invited to provide input into the update from CIS Controls v6.1 to version 7, then to version 7.1 with the three new Implementation Groups (IGs), and, of course, version 8.
“I believe that the CIS Controls offer a viable starting point for small businesses without having to use the extensive list of controls in the NIST Special Publication 800-53 Rev-4 (at that time), which are overwhelming for most small businesses,” said Watkins.
As a CIS Controls Ambassador, he’s had the opportunity to participate in many Community projects.
“I provide feedback to requests from CIS and other CIS Community members, trying to find the best way to implement the CIS Controls. I am also a member of the CIS Communities for the Risk Assessment Method (CIS RAM) and CIS Community Defense Model,” he said. “Don’t be afraid to ask tough questions of CIS. This includes the wording and intent of a CIS Safeguard. If you feel there’s something wrong with the way it describes a situation or the suggested Control mechanism, then please say something.
“The purpose of the Community is not only to share knowledge but also to have a broad spectrum of expertise to discuss the Controls and make them truly be best practice.”
When asked what his favorite CIS Control is, he responded with “Control 14 – Security Awareness and Skills Training.”
“Taking into account that the majority of the Safeguards within the CIS Controls are procedural or technical in nature, this one Control has the potential for impacting the successful implementation of the others. After all, having a trained, educated, and cyber-aware workforce goes a long way in preventing cyber incidents,” he said.
Watkins has also drawn on his experience in the Controls Community to benefit the overall cybersecurity community, developing four courses, comprising 20 learning modules, for the Introduction to Cybercrime Prevention certificate program, one of a few new certificate programs being developed by InfraGard. The courses include Introduction to Network and System Security, Introduction to Business Disruption Attacks, Introduction to Insider Threats, and Introduction to Social Engineering.
Since he “officially retired” in 2019, Watkins has concentrated on teaching and writing. In fact, he wrote a book that was published in July 2020, Creating a Small Business Cybersecurity Program: A Guide for Non-Technical Small Business Owners, based on Implementation Group 1 (IG1) of the CIS Controls v7.1. The second edition of the book was published in January 2023 to incorporate CIS Controls v8. Concurrent with the new edition, he’s developed an updated training program for small business owners to learn how to implement the IG1 Safeguards, which should be available in Q3 of 2023.