CIS Control 14: Security Awareness and Skills Training
Deep dive: explores enterprise security awareness and training programs, cross-linked with the overarching CIS Critical Security Controls v8 wiki.
The human element is consistently one of the most critical factors in an organization's security posture. CIS Control 14: Security Awareness and Skills Training from the CIS Critical Security Controls Version 8 framework establishes the requirements for educating an enterprise's workforce on how to interact with systems, assets, and sensitive data securely.
A successful security awareness program mitigates risks associated with social engineering, inadvertent data exposure, and poor credential management by transforming end-users from potential liabilities into active defenders.
Designing a Modern Security Awareness Program
An effective security awareness program must evolve beyond a canned, once-a-year training video followed by a rudimentary phishing test. While foundational annual training is required for all staff, security teams should implement a continuous education lifecycle.
This involves delivering frequent, topical messages that tie security principles to real-world events. Practical examples of contextual training include:
- Emphasizing strong password creation and credential management immediately following a high-profile media report of a major password dump.
- Alerting staff to the rise of tax-related phishing scams during tax season.
- Issuing warnings about malicious package delivery emails and SMS messages during the winter holidays.
The training content must be reviewed and updated at least annually, or whenever significant enterprise changes occur (e.g., a major shift to remote work, adoption of new core software, or a merger). Regularly updated content strengthens the overall culture of security and actively discourages employees from adopting risky procedural workarounds.
Tailoring Content by Role and Regulatory Posture
Not all users face the same threats or handle the same data. Training must account for an enterprise's specific regulatory environment and the distinct threat profiles of different departments.
For instance, users in finance, human resources, and contracts have access to highly sensitive data, making them primary targets for advanced attacks. Social engineering tests should include role-specific tactics. A finance team member might receive simulated Business Email Compromise (BEC) attempts posing as an executive requesting an urgent wire transfer, or a fraudulent invoice originating from a compromised partner's email account.
Industry-specific regulatory postures should also shape the curriculum:
- Financial firms require rigorous compliance-related training on handling non-public personal information.
- Healthcare enterprises must focus deeply on the protection of patient health records.
- Merchants and retail organizations need specific training on handling credit card data securely.
Core Safeguards of CIS Control 14
The implementation of Control 14 is broken down into specific operational safeguards that organizations must deploy.
Social Engineering and Authentication
Workforce members must be trained to recognize and report social engineering attacks (Safeguard 14.2), such as phishing, pre-texting (creating a fabricated scenario to steal information), and tailgating (following authorized personnel into a secure physical area). This ties directly into the technical defenses established in CIS Control 9: Email and Web Browser Protections.
Furthermore, training must cover authentication best practices (Safeguard 14.3). Users should understand the importance of Multi-Factor Authentication (MFA), password composition constraints, and proper credential management, reinforcing the policies enforced by CIS Control 5: Account Management and CIS Control 6: Access Control Management.
Data Handling and Exposure Prevention
To support the objectives of CIS Control 3: Data Protection, personnel must understand how to identify, properly store, transfer, archive, and destroy sensitive data (Safeguard 14.4).
This training extends to physical space management, often referred to as clear desk and clear screen policies. Employees must be trained to:
- Lock their screens whenever stepping away from their enterprise asset.
- Erase physical whiteboards in conference rooms and clear virtual whiteboards at the conclusion of meetings.
- Securely store physical assets and printed data.
Additionally, workers must be trained on the common causes of unintentional data exposure (Safeguard 14.5). Edge cases and common pitfalls include the mis-delivery of sensitive data via email auto-complete errors, losing a portable end-user device during travel, or inadvertently publishing internal data to unintended, public-facing audiences (such as open cloud storage buckets).
Incident Reporting and Asset Maintenance
When preventive measures fail, user response time is critical. Employees must be trained to recognize a potential security incident and know exactly how to report it (Safeguard 14.6), ensuring rapid escalation to the teams managing CIS Control 17: Incident Response Management.
Finally, Control 14 requires training the workforce to identify and report when their enterprise assets are missing security updates (Safeguard 14.7). Users should understand how to verify whether their software patches are out of date or whether automated management tools (such as endpoint agents) are failing, acting as a human fallback for CIS Control 7: Continuous Vulnerability Management.
Practical Implementation and Edge Cases
When deploying these safeguards, organizations often encounter "alert fatigue" or resistance to training. A crucial edge case in phishing simulations is avoiding scenarios that break employee trust—for example, using false promises of bonuses or sensitive HR communications to trick users.
Instead, focus on cultivating a positive security culture. Reporting mechanisms (like a "Phish Alarm" button) should provide immediate positive reinforcement rather than punitive measures for clicking a malicious link. By prioritizing continuous, relevant, and supportive education, organizations can turn their workforce into a resilient frontline defense.
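The two program-management points above, vetting simulation lures so they do not break employee trust and measuring a reporting mechanism by report rate and time-to-report rather than by clicks alone, can be put into a small scoring script. The following is an added example, not code from the CIS wiki or from the CIS Controls; the simulation records, department names, the block-list of lure themes and the follow-up thresholds are all constructed assumptions chosen for illustration.

```python
"""Score a phishing-simulation campaign and vet lure themes.

Added example (not from the CIS wiki page). Every record, theme and threshold
below is constructed for illustration and is not real campaign data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Lure themes the page warns will break employee trust (bonuses, sensitive HR
# communications). Treated here as a block-list; the exact entries are an assumption.
TRUST_BREAKING_THEMES = {"bonus", "salary", "termination", "hr-disciplinary", "benefits-change"}


@dataclass(frozen=True)
class SimEvent:
    """One user's outcome in a simulation: did they click, did they report, and how fast."""
    user: str
    department: str
    clicked: bool
    reported: bool
    minutes_to_report: Optional[float]  # None when the user never reported


# Constructed sample data for one campaign (hypothetical users and departments).
SAMPLE_EVENTS: List[SimEvent] = [
    SimEvent("alice", "finance", False, True, 4.0),
    SimEvent("bob", "finance", True, True, 12.0),      # clicked, then reported: still a report
    SimEvent("carol", "finance", True, False, None),
    SimEvent("dave", "hr", False, True, 2.5),
    SimEvent("erin", "hr", False, False, None),
    SimEvent("frank", "engineering", True, False, None),
    SimEvent("grace", "engineering", False, True, 30.0),
    SimEvent("heidi", "engineering", False, True, 6.0),
]


def vet_lure_theme(theme: str) -> bool:
    """Return True when a proposed lure theme is acceptable for a simulation."""
    return theme.strip().lower() not in TRUST_BREAKING_THEMES


def summarize_campaign(events: List[SimEvent]) -> Dict[str, dict]:
    """Per-department click rate, report rate and median minutes-to-report.

    A click followed by a report counts as a report, so the metric rewards use of
    the reporting button rather than punishing the click.
    """
    by_dept: Dict[str, List[SimEvent]] = defaultdict(list)
    for event in events:
        by_dept[event.department].append(event)

    summary: Dict[str, dict] = {}
    for dept, evs in sorted(by_dept.items()):
        total = len(evs)
        clicks = sum(e.clicked for e in evs)
        reports = sum(e.reported for e in evs)
        times = [e.minutes_to_report for e in evs
                 if e.reported and e.minutes_to_report is not None]
        summary[dept] = {
            "users": total,
            "click_rate": round(clicks / total, 3),
            "report_rate": round(reports / total, 3),
            "median_minutes_to_report": round(median(times), 1) if times else None,
            "clicked_then_reported": sum(1 for e in evs if e.clicked and e.reported),
        }
    return summary


def needs_followup(summary: Dict[str, dict],
                   max_click_rate: float = 0.25,
                   min_report_rate: float = 0.5) -> List[str]:
    """Departments that merit targeted, role-specific training (thresholds are assumptions)."""
    return sorted(dept for dept, m in summary.items()
                  if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate)


if __name__ == "__main__":
    for theme in ("package delivery", "Bonus"):
        print(f"lure theme {theme!r} acceptable: {vet_lure_theme(theme)}")
    results = summarize_campaign(SAMPLE_EVENTS)
    for dept, metrics in results.items():
        print(dept, metrics)
    print("follow-up training:", needs_followup(results))
```

Report rate and median time-to-report are the numbers that show whether the reporting mechanism is actually being used; tracking `clicked_then_reported` separately lets the program credit users who recovered from a click, which is what a non-punitive culture rewards.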