2. Center for Internet Security - The Early Years
Part 2 of 5
The Cosmos Club meeting in August 2000 was the spark. But once the handshakes were done, the real work began: turning a big idea into an actual organization.
The first critical decision was leadership. The founders persuaded Clint Kreitner to come out of retirement and take the helm of the Center for Internet Security. This was, in hindsight, an inspired choice. Clint was many things — a Navy officer, engineer, serial entrepreneur, hospital and health system leader — but not a cybersecurity insider. That turned out to be exactly what CIS needed. He brought a unique mix of technical and management discipline, with a particular passion for measurement and benchmarking. Those instincts shaped the culture and direction of CIS from the very beginning.
The model was simple but powerful:
Gather volunteer experts from across the community.
Build practical, high-quality security configuration guidance - the CIS Benchmarks.
Give them away for free.
Sustain the organization with a membership model that provided tools and support, and work with the security vendor community to deliver CIS content at large scale.
Clint once joked to me, “I’ve never run a business that gave away its best product for free!” But that philosophy became a hallmark of CIS - lead with mission, and let sustainability follow.
By early 2001, CIS had released a growing library of Benchmarks and tools and signed up over 100 member companies. Download counts soon passed 400,000 a year. At the same time, CIS began to step into a leadership role in the broader security community. We partnered with NSA, DISA, GSA, FBI (NIPC), and SANS to build national consensus around Windows 2000 security recommendations — culminating in a joint announcement with White House Cybersecurity Advisor Richard Clarke. For me, this remains one of the best examples of public–private collaboration on practical, actionable security.
Momentum built quickly. CIS Benchmarks were cited in the PCI/DSS standard, became the basis for a government-wide “Master License,” and were even offered by Dell in preconfigured laptops and desktops.
Of course, this impact was only possible because of people. In those early years (through about 2010), the employee roster was short: Clint Kreitner, Bert Miuccio, John Banghart, Dave Waltermire, Michele Petersen, Dave Shackleford, Steve Piliero, Blake Franz, Steve Kreitner, and Laurie Hester. But behind them was a remarkable volunteer corps - industry stars like Hal Pomeranz, Chris Calabrese, Randy Marchany, and Jay Beale, plus many others whose contributions deserve more recognition. If you were one of those volunteers, please reach out. Your fingerprints are all over CIS’s story.
And some of the key ideas that defined CIS - especially around measurement and scoring - came from visionaries outside the organization, including Pat Himes (First Union National Bank) and Dave Nelson (NASA).
For the first decade, CIS accomplished all this with fewer than ten employees, supported by a distributed volunteer army. At the same time, the roots of what would become the larger CIS family were taking hold elsewhere: the creation of the Multi-State ISAC in 2003, and NSA’s early work to distill lessons from large-scale defense into what later became the CIS Critical Security Controls.
The lesson is clear: lasting change rarely starts with committees, crowds, or grand paper strategies. It begins with a few committed people, a shared sense of purpose, and the will to act.

