Center for Internet Security (CIS)

Maintains CIS Controls and Benchmarks

Overview

The Center for Internet Security (CIS) produces and maintains practical cybersecurity standards for the public and private sectors, including CIS Controls and CIS Benchmarks, and offers cybersecurity services and memberships. It operates through a global, community-driven process and uses CIS WorkBench as a platform for professionals to collaborate and share guidance. Organizations implement the CIS Controls and Benchmarks to improve security, with revenue coming from memberships, partnerships, and services. CIS differs from many competitors by being a nonprofit, collaborative effort rather than a product-focused vendor, aiming to improve security across the connected world through universally adopted guidance, with the goal of increasing confidence in the security of information infrastructure.

About Center for Internet Security (CIS)

Simplify's Rating
Why Center for Internet Security (CIS) is rated B-
Rated B on Competitive Edge
Rated B on Growth Potential
Rated C on Differentiation

Industries

Consulting

Government & Public Sector

Cybersecurity

Company Size

501-1,000

Company Stage

Early VC

Total Funding

$1.7M

Headquarters

New York

Founded

2000

Simplify Jobs

Simplify's Take

What believers are saying

  • CIS partners Astrix, Cequence for AI agent guides in 2026.
  • inforcer joins SecureSuite vendors on August 27, 2025.
  • National Sheriffs' Association partnership provides free tools since July 2024.

What critics are saying

  • NIST CSF 2.0 erodes memberships as enterprises adopt free framework.
  • OpenSCAP undercuts Benchmarks revenue with zero-cost compliance tools.
  • CISA consolidates SLTT funding, slashing MS-ISAC revenue in 18 months.

What makes Center for Internet Security (CIS) unique

  • CIS Controls v8.1 prioritize 18 safeguards for hybrid cloud security.
  • CIS Benchmarks secure AI/HPC images on Amazon Linux 2023.
  • MS-ISAC delivers 24/7 SOC monitoring for U.S. SLTT governments.

Funding

Total Funding

$1.6M

Above

Industry Average

Funded Over

1 Round

Benefits

Health Insurance

Dental Insurance

Vision Insurance

Unlimited Paid Time Off

Flexible Work Hours

Remote Work Options

Paid Vacation

Paid Holidays

401(k) Retirement Plan

401(k) Company Match

Stock Options

Company Equity

Wellness Program

Mental Health Support

Conference Attendance Budget

Family Planning Benefits

Fertility Treatment Support

Professional Development Budget

Phone/Internet Stipend

Home Office Stipend

Growth & Insights and Company News

Headcount

6 month growth

0%

1 year growth

1%

2 year growth

4%
FM CONTRACT WATCH LLP
Feb 6th, 2026
Congratulations to CIS Security Teams on receiving 2025 Silver Fox Awards

Congratulations to CIS Security Teams on receiving 2025 Silver Fox Awards. On 5th February, Lynda Moore, Managing Partner of FM Contract Watch, visited the head office of CIS Security and presented five 2025 Silver Fox Awards. During 2025, the Silver Fox Audit team carried out about 200 audits throughout the CIS client base and the security teams at 55 Ludgate Hill, The White Collar Factory, Almack House, 6 St James Square and One Crown Place received an award due to preventing unauthorised access to their site and excelling in the overall score which includes Officer knowledge and site documentation. Congratulations to all the Security Teams on their excellent work.

Contact Center Technology Insights
Dec 10th, 2025
CIS, Astrix & Cequence Announce Partnership to Secure AI Systems

CIS, Astrix & Cequence announce partnership to secure AI systems. The Center for Internet Security, Inc. (CIS®) has joined forces with Astrix Security and Cequence Security to launch a new strategic partnership aimed at developing cybersecurity guidance specifically designed for environments powered by artificial intelligence (AI) and agentic systems. As AI rapidly evolves and introduces new risks related to autonomous decision-making, API access, and automated threats, this collaboration seeks to fill an urgent security gap with actionable and structured best practices. This initiative builds on the widely adopted CIS Critical Security Controls®, extending their long-standing security principles into the emerging domain of AI-driven ecosystems.

The partnership's first major output will be two companion guides. One will serve AI Agent Environments, offering instructions on securing the entire lifecycle of agentic systems. The other will focus on Model Context Protocol (MCP) environments, which are becoming increasingly important as AI systems integrate with tools, plugins, and external data sources. MCP environments, in particular, create unique challenges for cybersecurity teams. They often involve uncontrolled data flows, credential exposure, unsecured local execution, and unapproved third-party interactions. When MCP agents, registries, and tools dynamically connect to enterprise applications, the attack surface expands dramatically. The planned guidance will help organizations establish targeted, practical safeguards tailored to this new reality.

Curtis Dukes, Executive Vice President and General Manager of Security Best Practices at CIS, highlighted the urgency of the effort, stating, "AI presents both tremendous opportunities and significant risks. By partnering with Astrix and Cequence, we are ensuring that organizations have the tools they need to adopt AI responsibly and securely."

Astrix's expertise will be instrumental in protecting AI agents, MCP servers, and the Non-Human Identities (NHIs) that enable them. These NHIs - including service accounts, OAuth tokens, and API keys - play critical roles in connecting AI systems to essential business applications but can be exploited if not properly governed. Jonathan Sander, Field CTO at Astrix Security, emphasized the duality of potential and risk, explaining, "AI agents and the non-human identities that power them bring great potential but also new risks... Through this partnership, we're providing clear, practical guidance to keep AI ecosystems safe so organizations can innovate with confidence."

Cequence Security will contribute its long-standing experience in API and application security, focusing on strengthening governance and visibility across agentic environments. Ameya Talwalkar, CEO of Cequence Security, underscored the importance of transparency and control, saying, "As organizations embrace agentic AI, trust hinges on visibility, governance, and control over what those agents can see and do to your applications and data."

  • Extend proven security frameworks into AI environments.
  • Provide clear, prioritized, and actionable safeguards for secure AI adoption.
  • Unite expertise from standards development, API defense, and application security to build stronger protections.

The new guidelines - expected to release in early 2026 - will be accompanied by workshops, webinars, and additional educational resources. These efforts will help organizations implement recommendations effectively and build a shared understanding of how to secure AI systems. By establishing a common language and framework, the partnership hopes to enhance resilience, trust, and security across the rapidly growing AI ecosystem.

Inforcer
Aug 27th, 2025
inforcer now a recognized CIS SecureSuite Product Vendor Member

London, UK, Aug 27th 2025 - inforcer is proud to announce it has joined the Center for Internet Security (CIS) as a CIS SecureSuite Product Vendor Member.

PR Newswire
Apr 25th, 2025
Cybersecurity Visionary Phil Venables Joins Ballistic Ventures As Venture Partner

For decades, Venables served as CISO and cyber executive across some of the world's largest organizations, including Google Cloud, Goldman Sachs, Deutsche Bank

SAN FRANCISCO, April 25, 2025 /PRNewswire/ -- Ballistic Ventures, the venture capital firm dedicated exclusively to funding and incubating entrepreneurs and innovations in cybersecurity, is pleased to announce that Phil Venables, the renowned cybersecurity leader and former Chief Information Security Officer (CISO) of Google Cloud, has joined the firm as a Venture Partner. Venables brings decades of experience in building and advising cybersecurity and risk management programs across some of the world's most influential companies and government bodies.

With a distinguished career spanning leadership roles at Google Cloud, Goldman Sachs, and Deutsche Bank, Venables has played a pivotal role in shaping the cybersecurity landscape. His deep experience in both the private and public sectors, including serving on the President's Council of Advisors on Science and Technology (PCAST), makes him an invaluable addition to the Ballistic team.

"We have known and worked with Phil for years, and he was our first call to be a trusted advisor when assembling Ballistic," said Ted Schlein, Co-founder and General Partner at Ballistic Ventures. "Phil's unparalleled expertise in securing critical systems, advising governments, and building resilient cybersecurity programs has already been tremendously valuable to us, and we're pleased to have him join us in an even greater capacity as Venture Partner. His insights will also help guide our portfolio companies as they tackle the ever-evolving security threats of today and tomorrow."

Venables' contributions to the cybersecurity industry are extensive. He helped found the Center for Internet Security (CIS) and served on its board from 2014 until 2020, and he currently serves on multiple boards and committees, including for MITRE's Science and Technology Advisory Committee, HackerOne, Interos, Ballistic portfolio company Veza, and he is Strategic Security Advisor at Google Cloud

Decrypt
Mar 11th, 2025
Youtubers Blackmailed Into Promoting Crypto Mining Malware: Kaspersky

Criminals are blackmailing YouTube creators into adding malicious crypto-mining malware to their videos, according to research from cybersecurity firm Kaspersky.

The hackers have been taking advantage of the growth in Russia of Windows Packet Divert drivers, which enable internet users to circumvent geographic restrictions.

Kaspersky’s systems have detected these drivers on 2.4 million devices over the past six months, with each successive month since September witnessing an increase in downloads.

The popularity of these drivers has led to a growth in YouTube videos on how to download and install them. But the criminals have even found a way to insert links to the SilentCryptoMiner malware into the descriptions of such videos.

One increasingly common tactic is to submit a copyright strike against a video and then contact its creator, claiming to be the original developer of the driver it discusses.

According to Kaspersky, the criminals were able to reach one popular YouTuber with 60,000 subscribers, ultimately adding a malicious link to videos with over 400,000 views.

But instead of leading to a legitimate repository such as GitHub, the offending links took viewers to an infected archive, which has since racked up over 40,000 downloads.

Kaspersky estimates that, by threatening YouTube creators with copyright strikes and takedowns, the criminals responsible have been able to infect some 2,000 computers in Russia with crypto-mining malware.

However, the security company suggests that the total could be significantly higher if it included other campaigns that have been launched in Telegram channels.

While crypto-mining malware has been around for several years now, Leonid Bezvershenko—a Security Researcher at Kaspersky’s Global Research and Analysis Team—says that pressuring creators with false copyright complaints is a more aggressive and unique tactic.

“While certain threats—like miners and info stealers—regularly leverage social platforms for distribution, this tactic of coercing influencers shows how cybercriminals are evolving,” he tells Decrypt. “By capitalizing on the trust between YouTubers and their audiences, attackers create large-scale infection opportunities.”

The mining malware used by the attackers, SilentCryptoMiner, is based on the well-known open-source miner XMRig, and is used to mine such tokens as Ethereum, Ethereum Classic, Monero, and Ravencoin.

It injects itself into a computer’s system procedures via process hollowing, and can be controlled remotely by its originators, who can stop mining whenever the original system procedure is active.

“In this specific campaign, most of the victims we identified are in Russia, and the malware itself was primarily available to Russian IP addresses,” confirms Bezvershenko, who nonetheless affirms that attackers often go wherever they see an opportunity.

This latest campaign comes at a time when crypto-mining viruses have become widespread as a form of malware, with the Center for Internet Security finding that CoinMiner was its second-most observed malware of 2024, behind drive-by downloader SocGholish.

And in December of last year, cybersecurity researchers at ReversingLabs found that attackers are increasingly inserting crypto-mining malware in popular open source coding packages and tools, which can often attract hundreds of thousands of weekly downloads.

While it may be hard to avoid legitimate-yet-infected coding packages if you’re a developer, Kaspersky advises general web users to stay vigilant and verify the source of any download.

As Bezvershenko says, “If a YouTube creator or a guide asks you to disable your antivirus or claims a file is completely safe, treat it with caution and perform an additional security check.”

Edited by Stacy Elliott.

Recently Posted Jobs

Center for Internet Security (CIS) is Hiring for 5 Jobs on Simplify!