Every few months, a new security product promises to transform your defenses. AI-powered threat detection. Extended detection and response. Autonomous security operations. The marketing is compelling. The demos are impressive. And some of these tools genuinely do add value — eventually.

But here's what twenty years of network security work has taught me: organizations that invest in advanced capabilities before they've mastered the fundamentals are building on sand. The breaches aren't usually the result of some exotic zero-day that slipped past a next-gen firewall. They're the result of an unpatched system that nobody knew was there. A service account with a password that never changed. Firewall rules so old nobody remembers what they're for.

The good news is that the security community figured this out a long time ago. Two frameworks — the CIS Controls and the body of work that came out of SANS — exist precisely to answer the question: if you're going to build a security program from scratch, what do you do first? The answers are more practical, more grounded, and more immediately actionable than most organizations realize.

"Most breaches don't exploit cutting-edge vulnerabilities. They exploit the basics that were never done."

The "Basics" Problem in Mid-Market Security

Before getting into what CIS and SANS actually recommend, it's worth naming the pattern I see most often when I walk into a mid-market environment for the first time.

The company has spent real money on security. There's an endpoint detection product. Maybe a SIEM. A firewall that was configured by a consultant three years ago. A cloud security posture tool someone installed but hasn't looked at in months. The spending is real. The intention is good.

But underneath it all, there are fundamental gaps that render much of that investment far less effective than it should be:

The Basics Gap — What's Usually Missing

  • No complete asset inventory. Nobody knows exactly what's on the network. Shadow IT, forgotten servers, decommissioned devices that are still connected.
  • Inconsistent patching. Critical systems may be current. Edge cases — legacy systems, network devices, IoT — often aren't.
  • Weak account hygiene. Shared credentials, service accounts with admin rights, passwords that haven't changed in years, no MFA on critical systems.
  • Logging that isn't reviewed. Logs are collected but nobody has defined what to look for or built any alerting around anomalies.
  • No defined incident response process. When something happens, response is improvised. The cost is always higher when it is.

None of these are exotic problems. None of them require a seven-figure security budget to address. But they are the conditions under which the majority of successful attacks occur. And they're exactly what CIS Controls and SANS were designed to address — systematically and in priority order.

What Are the CIS Controls?

The Center for Internet Security (CIS) publishes a set of prioritized security actions called the CIS Controls — currently in version 8, organized around 18 control categories covering everything from asset inventory to incident response to penetration testing. The controls are designed to be vendor-neutral, practical, and sequenced so that earlier controls build the foundation for later ones.

What sets the CIS Controls apart from other security frameworks is their deliberate prioritization. They aren't a comprehensive list of everything you could possibly do for security. They're a ranked list of what you should do first — based on actual attack data, not theoretical risk models. The controls that appear early in the list address the vulnerabilities that attackers exploit most frequently. Controls that appear later address more sophisticated scenarios that, frankly, you're not exposed to if you haven't handled the basics first.

For mid-market organizations, CIS organizes implementation into three tiers called Implementation Groups (IGs):

CIS Implementation Groups

  • IG1 — Essential Cyber Hygiene (56 safeguards): The minimum standard for any organization with a digital footprint. Addresses the most common attack vectors. If you do nothing else, do IG1.
  • IG2 — Expanded Security (130 safeguards): For organizations handling sensitive data or facing increased operational risk. Builds on IG1 with more mature detection, response, and access management capabilities.
  • IG3 — Advanced Security (153 safeguards): For mature security programs facing sophisticated threats. Requires dedicated security staff and established processes.

Most mid-market companies should be targeting full IG1 compliance and working toward IG2. The majority aren't there yet — which means the framework gives you a clear, structured path to follow rather than starting from a blank page.

The 18 CIS Controls — and Why the First Six Are Non-Negotiable

The full list of 18 CIS Controls spans the entire lifecycle of a security program. But the first six deserve special attention because they address the fundamentals that everything else depends on. An advanced threat detection capability is far less effective when you don't know what assets you're supposed to be monitoring.

  • Control 01 (Start Here): Inventory & Control of Enterprise Assets. Know everything on your network — every device, every endpoint, every system. You cannot secure what you don't know exists.
  • Control 02 (Start Here): Inventory & Control of Software Assets. Track all authorized software. Unauthorized applications are a common entry point and lateral movement vector.
  • Control 03 (Start Here): Data Protection. Know where your sensitive data lives, how it's classified, and how it's protected at rest and in transit.
  • Control 04 (Start Here): Secure Configuration. Harden systems against default configurations. Most devices ship insecure by default. This control addresses that systematically.
  • Control 05 (Start Here): Account Management. Control who has access to what, enforce least privilege, disable unused accounts, and manage service accounts with the same rigor as user accounts.
  • Control 06 (Start Here): Access Control Management. Ensure access is granted based on business need and revoked when that need changes — including role changes and departures.
  • Control 07: Continuous Vulnerability Management. Establish a consistent patching cadence and track open vulnerabilities against risk-based timelines.
  • Control 08: Audit Log Management. Collect and retain logs from critical systems. Define what you're looking for. Build alerting. Without this, you're flying blind.
  • Control 09: Email & Web Browser Protections. The most common user-facing attack vectors. Anti-phishing, link filtering, and DNS-layer protection belong here.
  • Control 10: Malware Defenses. Deploy and actively manage endpoint protection — not just install and forget. Verify coverage and review alerts.
  • Control 11: Data Recovery. Tested, working backups of critical data and systems. "Tested" is the operative word — untested backups are not backups.
  • Control 12: Network Infrastructure Management. Manage and secure routers, switches, and firewalls. Enforce change control. Remove legacy protocols. Segment networks.
  • Control 13: Network Monitoring & Defense. Actively monitor network traffic for anomalies. Understand what normal looks like so you can identify what isn't.
  • Control 14: Security Awareness & Skills Training. People are both your biggest vulnerability and your best defense. Training that changes behavior — not just checks a compliance box.
  • Control 15: Service Provider Management. Vendor risk isn't theoretical. Document who has access to your environment and hold them to your security standards.
  • Control 16: Application Software Security. Secure development practices, third-party component management, and application-level vulnerability assessment.
  • Control 17: Incident Response Management. Define and document how you'll respond before something happens. Practice it. The cost of improvised response is always higher.
  • Control 18: Penetration Testing. Validate your defenses by having someone try to break them under controlled conditions. Confirms controls are working as designed.

The six controls marked "Start Here" above are what I consider non-negotiable for any organization building a security program. They're not glamorous. They don't come with a dashboard that impresses auditors. But they close the gaps that attackers actually exploit, and they create the visibility that makes everything else you invest in far more effective.

Where SANS Fits In

SANS Institute is one of the most respected names in cybersecurity training and research. When practitioners refer to the "SANS Top 20," they're referencing a lineage of controls — originally published jointly by SANS, NSA, and other agencies — that directly evolved into today's CIS Controls. SANS continues to support and extend that work through its training curriculum, research publications, and implementation guidance.

The SANS perspective adds particular value in two areas that matter greatly for organizations actually trying to implement a security program, not just document one:

Attacker-Informed Prioritization

SANS research is grounded in real-world incident data — what attackers actually do, in what sequence, against what types of targets. The controls aren't theoretical; they're ranked by observed attack frequency and impact. This means when SANS says "start here," they're saying it because that's where attackers start.

This attacker-centric view of the control set is critical for mid-market organizations that need to make prioritization decisions with limited resources. You don't have to address everything simultaneously. You need to close the gaps that create the most exposure — and SANS helps you identify exactly those gaps.

Implementation Depth

SANS provides detailed technical guidance, training courses, and implementation benchmarks that help organizations move from "we know what to do" to "here's exactly how to do it." For technical teams building out controls for the first time, this is invaluable. Knowing that you need to implement secure configurations is one thing. Having a validated benchmark for Cisco, Fortinet, or Microsoft environments that tells you exactly what to configure and how to verify it is something else entirely.

The SANS Critical Security Controls — Where They Align with "Basics First"

  • SANS research consistently finds that the majority of successful breaches exploit failures in the top five controls — asset inventory, software inventory, secure configurations, controlled use of admin privileges, and vulnerability management.
  • The SANS Security Awareness curriculum emphasizes that human behavior — phishing susceptibility, password habits, social engineering — accounts for a significant share of initial access events.
  • SANS incident response research shows organizations without documented response plans spend significantly longer in containment phases, dramatically increasing breach costs.

Why Basics First Is a Strategy, Not a Compromise

There's a perception in some organizations that focusing on the fundamentals is a sign of immaturity — a stage you move through quickly on the way to more sophisticated capabilities. I'd push back on that hard.

The most sophisticated security programs I've seen — in large enterprises with dedicated security teams and seven-figure budgets — still treat the CIS Controls as their baseline. They run regular audits against IG1 and IG2 not because they're struggling to achieve them, but because maintaining them requires active effort. Systems change. Configurations drift. New assets appear. Staff turns over.

For mid-market companies, the calculus is straightforward. The cost of implementing IG1 — even comprehensively — is far lower than the cost of a single significant breach. And the coverage it provides against the most common attack vectors is genuinely high. Studies consistently show that organizations with strong fundamentals experience significantly fewer successful attacks than those with more advanced tools but weaker basic hygiene.

What Frameworks Give You That Ad-Hoc Security Spending Doesn't

  • Prioritization: You can't fix everything at once. Frameworks tell you what to fix first based on actual risk — not vendor sales cycles.
  • Coverage: Without a framework, it's easy to over-invest in one area (endpoint protection) while leaving critical gaps in another (logging, account management).
  • Measurability: Frameworks give you a baseline. You can track progress, report to leadership, and demonstrate improvement over time.
  • Compliance alignment: CIS Controls map directly to major compliance frameworks — HIPAA, PCI-DSS, SOC 2, CMMC. Implementing them has downstream benefits that extend beyond security.
  • Defensibility: In a breach scenario, an organization that can demonstrate it was implementing recognized security standards is in a materially different position than one that cannot.

Where to Start — A Practical Sequence

If you're looking to move from understanding these frameworks to actually implementing them, here's how I recommend approaching it:

Step 1: Know What You Have

Before you can secure your environment, you need a complete picture of it. This means a full asset inventory — every device, server, and endpoint — and a software inventory of what's running on those assets. This is CIS Controls 1 and 2, and it's where every engagement I run starts. The findings here are usually illuminating, and not always in comfortable ways.

Step 2: Assess Against IG1

Once you have an accurate asset inventory, assess your current state against all 56 IG1 safeguards. Gap analysis at this level is straightforward and produces a prioritized remediation list that you can actually work from — not a theoretical risk register that sits in a spreadsheet.

Step 3: Close the High-Risk Gaps First

Not all gaps are equal. Prioritize by likelihood of exploitation and potential impact. In most environments, account management (Control 5), access control (Control 6), and audit logging (Control 8) offer the highest return on remediation effort. Default configurations and unpatched systems follow closely.

Step 4: Build Toward IG2

IG2 extends the foundation with more mature detection and response capabilities — network monitoring, incident response planning, security awareness training. Organizations that have a solid IG1 foundation find IG2 to be a natural progression, not a leap.

Step 5: Validate and Maintain

Controls degrade over time. What's configured today may not be configured correctly a year from now. Regular validation — through internal audits, vulnerability scanning, and periodic penetration testing (Control 18) — ensures your program stays effective, not just documented.
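As an added illustration of Steps 2, 3 and 5 (not code from the article or from CIS), the script below takes a constructed IG1 safeguard assessment, tallies coverage per control, orders the open gaps by the priority the article gives in Step 3 (Controls 5, 6 and 8 first, then 4 and 7), and flags safeguards that regressed between two assessments. The safeguard ids and pass/fail values are made up for the example; a real assessment covers all 56 IG1 safeguards.

```python
"""Added example: IG1 gap analysis, remediation ordering and drift check.
The assessment data below is constructed, not a real environment."""
from collections import defaultdict

# Remediation priority from the article's Step 3: account management (5),
# access control (6) and audit logging (8) first; secure configuration (4)
# and vulnerability management (7) next; everything else in control order.
PRIORITY = {5: 0, 6: 0, 8: 0, 4: 1, 7: 1}

# Constructed sample: safeguard id ("control.safeguard") -> implemented?
BASELINE = {
    "1.1": True, "1.2": False, "2.1": True, "2.3": False,
    "4.1": False, "4.7": False, "5.2": False, "5.3": True,
    "6.3": False, "7.1": True, "7.4": False, "8.2": False,
    "11.1": True, "17.3": False,
}
# A later re-assessment: two gaps closed, but safeguard 1.1 has drifted.
FOLLOW_UP = dict(BASELINE, **{"5.2": True, "8.2": True, "1.1": False})


def parse_id(safeguard_id):
    control, sub = safeguard_id.split(".")
    return int(control), int(sub)


def coverage_by_control(assessment):
    """Return {control: (implemented, assessed)} for each control present."""
    tally = defaultdict(lambda: [0, 0])
    for sid, done in assessment.items():
        control = parse_id(sid)[0]
        tally[control][1] += 1
        tally[control][0] += int(done)
    return {c: tuple(v) for c, v in tally.items()}


def remediation_plan(assessment):
    """Open safeguards ordered by priority tier, then control, then safeguard."""
    gaps = [sid for sid, done in assessment.items() if not done]
    return sorted(gaps, key=lambda s: (PRIORITY.get(parse_id(s)[0], 2), parse_id(s)))


def drift(before, after):
    """Safeguards implemented in the earlier assessment but not in the later one."""
    return sorted(s for s, done in before.items() if done and not after.get(s, False))


def overall_coverage(assessment):
    """Percentage of assessed safeguards implemented, to one decimal place."""
    return round(100 * sum(assessment.values()) / len(assessment), 1)


if __name__ == "__main__":
    print("baseline coverage:", overall_coverage(BASELINE), "%")
    print("fix first:", remediation_plan(BASELINE)[:3])
    print("regressed since baseline:", drift(BASELINE, FOLLOW_UP))
```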

The Bottom Line

CIS Controls and SANS don't ask you to boil the ocean. They ask you to build a real foundation — systematically, in priority order, based on what attackers actually exploit. That's not a compromise. That's a strategy.

The organizations that treat security as a checkbox exercise — buying tools, passing audits, moving on — are the ones that make the news. The organizations that take a fundamentals-first approach, measure their progress against an established framework, and continuously close gaps are the ones that don't.

If you're not sure where your organization stands against the CIS Controls, that's the first thing to find out. The answer shapes every investment decision that follows.

Not sure where you stand against CIS Controls?

Our $2,500 network security assessment maps your current environment against the CIS Control framework and delivers a prioritized remediation roadmap — in 5–7 business days.
