
    On September 11, 2025, NYSERNet gathered higher education IT leaders for a dynamic Fireside Chat: Unleashing Your Campus’s Cyber Potential – The Power of CIS Controls in Higher Ed. 

    Facilitated by Nicole Holden, NYSERNet’s Principal Security Engineer, the panel featured: 

    • Mike Benedetto, Chief Information Security Officer, American Museum of Natural History 
    • Phyllis Lee, Vice President of Content Development, Center for Internet Security (CIS) 
    • Matt Nappi, Chief Information Security Officer and Assistant Vice President, Stony Brook University 
    • Marcos Vieyra, Chief Information Security Officer, University of South Carolina 

    Together, they explored why the CIS Controls remain one of the most practical frameworks for improving cyber resilience on campus—and how institutions of all sizes can make meaningful progress. 

    Key Insights from the Panel 

    Start with the Why – Phyllis Lee reminded us that the CIS Controls were designed to solve real-world problems: to give IT teams a prioritized, achievable path to cyber resilience, beyond just “checking the compliance box.” 

    Complement, Don’t Compete – Matt Nappi explained how CIS Controls can sit alongside frameworks like NIST or ISO. The takeaway? CIS provides the actionable baseline that supports compliance and strengthens security culture. 

    Early Wins Matter – Mike Benedetto emphasized how implementing Controls creates quick, visible improvements that build momentum. Those early gains help teams show progress and strengthen conversations with leadership. 

    The Challenge of Change – Marcos Vieyra noted that shifting to the Controls can be daunting at first, but the peer support network makes the journey more approachable and sustainable. 

    If you’ve ever wondered how to move from “checking the box” to actually reducing risk, this conversation was for you. The panelists compared notes on what’s working with the CIS Controls in higher ed—across decentralized environments, constrained budgets, and competing compliance demands. Five clear themes rose to the top: 

    1. CIS is the foundation that makes everything else easier 
      Frameworks like NIST and ISO set the governance bar. CIS tells you what to do next with a prioritized, threat-informed sequence. As one panelist summed up: we don’t have to make up the baseline—the community already agreed on it, and it updates as threats change. 

    2. Crosswalks help you “speak compliance” while staying practical 
      CIS crosswalks let campuses map operational progress to multiple obligations (NIST CSF, ISO 27001, HIPAA, etc.). That means tactical work—asset inventories, patching cadence, hardening—automatically rolls up into the compliance story leadership needs.
       
    3. It’s a communication tool, not just a checklist 
      From asset inventory to vulnerability management, the Controls provide a shared vocabulary. Instead of “because security says so,” teams can point to specific attributes tied to risk reduction. This removes emotion and accelerates buy-in across campus IT units.
       
    4. Quick wins build momentum 
      Small, visible steps like tightening inventories, standardizing baselines, and using Implementation Groups to phase progress create credibility—and make bigger changes easier. 

    5. You don’t have to do this alone 
      The strongest message of the day: lean on the community. The CIS ecosystem (and NYSERNet’s peer network) lets institutions of all sizes benefit from shared expertise—so you’re not competing for every skill set on your own. 

    Ready to act? Start here. 

    Take the free NYSERNet Guided IG1 Self-Assessment 
    A structured way to see where you stand on Implementation Group 1. You’ll get clarity on strengths, gaps, and your most impactful next moves—perfect prep for the cohort. 
    👉 Sign Up for the Self-Assessment 

    🌐 Join the CIS Controls & Benchmark Cohort (Launching October 1) 


    A year-long peer group designed for higher ed teams that want steady, real progress: 

    • Monthly virtual meetups for guided discussions, show-and-tell, and shared problem-solving 
    • Continuing education sessions unpacking IG1–IG3 decisions based on risk and resourcing 
    • Community benchmark access to track your progress alongside peers 
    • Goal tuning so you can adjust as things change 

    👉 Register for the Cohort Series 

    Keep the learning going 

    📺 Watch the replay: Fireside Chat – Unleashing Your Campus’s Cyber Potential: The Power of CIS Controls in Higher Ed 

     

     
