Center for Internet Security

Guide provides practical and specific guidance to organizations seeking to satisfy the general standard of “reasonable cybersecurity”

SAN FRANCISCO, CALIFORNIA, UNITED STATES, May 9, 2024 / — The Center for Internet Security, Inc. (CIS®) is pleased to announce the launch of its newest publication, “A Guide to Defining Reasonable Cybersecurity” at this year’s RSA Conference.

Several prominent data breaches, court cases, and state data privacy laws have placed the concept of “reasonable” cybersecurity in the public discourse, but there has been no real definition of what “reasonable” cybersecurity is…until now.

In partnership with recognized technical cybersecurity and legal experts, the independent nonprofit Center for Internet Security (CIS) is publishing this guide to provide practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of “reasonable cybersecurity.”

“Many organizations turn to CIS and ask us for advice,” said Phyllis Lee, VP of Security Best Practices Content Development at CIS. “In this guide, we have identified an approach taken by several states that point to how to determine how an organization can achieve reasonable cybersecurity based on industry best practices.”

Building on laws and regulations currently in place, “A Guide to Defining Reasonable Cybersecurity” identifies what is minimally adequate for information security protections, commensurate with the risk and magnitude of harm that could result from a data breach.

This, in turn, should assist cybersecurity professionals, counselors, auditors, regulators, businesses, and consumers as well as lawyers and courts, in assessing whether an organization’s program meets this same standard when the compromise of protected information gives rise to litigation or regulatory action. It could also serve to reduce litigation resulting from data breaches.

Finally, this guide provides, as an example, how one framework, the CIS Critical Security Controls® (CIS Controls®) can be implemented prescriptively, and in a manner that affords all those who use and rely on the technology ecosystem the ability to assess whether reasonable cybersecurity measures were taken.

“It’s one thing to say that I adopted a cybersecurity framework, but it’s entirely different to prove that you implemented it correctly. That’s what the guidelines in ‘A Guide to Defining Reasonable Cybersecurity’ will do,” said Curt Dukes, CIS Executive Vice President & General Manager, Security Best Practices Automation Group.

For information, or to speak with CIS about the guide, please contact Sr. Media Relations Manager, Kelly Wyland at or call/text 518-256-6978.

About CIS:
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit or follow us on X: @CISecurity.

Kelly Wyland
Center for Internet Security
email us here
Visit us on social media: