Tony Sager

From Wikipedia, the free encyclopedia

Sager (right) presenting at NSA Trusted Computing Conference, 2011
Nationality: American
Alma mater: Western Maryland College (BA), Johns Hopkins University (MS)
Occupation: Cybersecurity expert
Years active: 1978–present
Employer: Center for Internet Security
Known for: CIS Critical Security Controls, NSA vulnerability analysis

Tony Sager is an American cybersecurity professional who serves as Senior Vice President and Chief Evangelist at the Center for Internet Security (CIS). A retired 34-year veteran of the National Security Agency (NSA), Sager contributed to the development of the CIS Critical Security Controls, a widely implemented framework for cybersecurity best practices. He has also served on federal advisory boards focused on national cybersecurity policy and infrastructure protection.[1]

Early life and education

Sager earned a bachelor's degree in mathematics from Western Maryland College (now McDaniel College) and later received a master's degree in computer science from Johns Hopkins University.[2]

Career

Tony Sager’s career in cybersecurity spans more than four decades, beginning with his work at the National Security Agency and continuing through his leadership at the nonprofit Center for Internet Security.

National Security Agency (late 1970s–2012)

Sager joined the NSA in the late 1970s through its COMSEC Intern Program. During his tenure, he held positions as a mathematical cryptographer, software vulnerability analyst, and head of the System and Network Attack Center. He later led the Vulnerability Analysis and Operations Group. In 2001, he initiated efforts to publish public security guidance and promote open standards.[1][2]

Center for Internet Security (2012–present)

Following his retirement from the NSA, Sager transitioned to public-interest work by joining the Center for Internet Security (CIS). At CIS, he played a central role in developing the CIS Critical Security Controls—a framework used worldwide to help organizations implement prioritized cybersecurity practices.[3] In his current role, he leads outreach, collaboration efforts, and public policy initiatives to strengthen cyber resilience.[1]

Collaboration with NIST and Ron Ross

In parallel with his work at CIS, Sager has frequently partnered with fellow cybersecurity leaders, including Ron Ross of the National Institute of Standards and Technology (NIST). Their public appearances and joint commentary have emphasized the alignment between CIS Controls and NIST frameworks, such as the CSF and SP 800-53.[4]

Public service and advisory roles

Sager’s contributions have extended beyond technical work into public service. In February 2022, he was appointed to the inaugural Cyber Safety Review Board by the DHS and Cybersecurity and Infrastructure Security Agency (CISA).[5][1] He also serves on several advisory panels and nonprofit boards related to cybersecurity education and public safety.[1]

Congressional testimony

In 2009, Sager testified before the United States Senate Committee on Homeland Security and Governmental Affairs during a hearing on cybersecurity. He detailed a red team exercise conducted by the National Security Agency (NSA) that uncovered serious vulnerabilities in United States Air Force systems. As a result, the NSA developed and deployed security guidance across 500,000 systems, which led to significant operational improvements—including reducing patch times from 57 days to 72 hours, cutting costs by over $100 million annually, and decreasing help desk demand.

These improvements were not the result of technology alone, but were made possible through smart business practices—leveraging procurement policies, partnerships with vendors like Microsoft, and operational discipline.

— Tony Sager, 2009 Senate testimony

He emphasized that cybersecurity outcomes are driven not only by technical solutions, but also by policy, procurement, and cross-sector collaboration.[6]

Awards and honors

  • Inducted into the Global Cyber Security Hall of Fame in 2023.[7]
  • Recipient of the SANS Difference Makers Lifetime Achievement Award in 2024.[8]
  • Awarded the Presidential Rank Award (Meritorious Level) twice during his NSA career.[1][2]
  • Received the NSA Exceptional Civilian Service Award.[1][2]
  • His NSA teams were recognized by SC Magazine, SANS, and Government Executive magazine.[1]

Publications and presentations

  • "Vulnerability Analysis and Operations (VAO): A National Security Agency Perspective" (July 2009). NSA Information Assurance Symposium presentation (PDF). NIST. Retrieved June 15, 2025.
  • "Cybersecurity at Scale: Piercing the Fog of More", Center for Internet Security blog (2023). Retrieved June 15, 2025.
  • Contributor to "CIS Community Defense Model 2.0", CIS white paper (2021). Center for Internet Security. Retrieved June 15, 2025.
  • "I Tell Our Story", LinkedIn article by Tony Sager (November 2020). Retrieved June 15, 2025.
  • "My Summer of Information Superiority", LinkedIn article by Tony Sager (October 2020). Retrieved June 15, 2025.

Public commentary and media

  • Featured speaker at Center for Internet Security and SANS Institute conferences.[1]
  • Interviewed by Cybercrime Magazine on the Community Defense Model.[9]
  • Appeared on CyberSecurity TV panel: "Making Policy Compliance Work for You."[10]
  • Guest on Forcepoint podcast: “Demystifying Security’s Wizards.”[11]
  • Featured on SC Media’s “CISO Stories” podcast.[12]
  • Keynote speaker at SANS Security East 2025.[13]
  • Quoted in The Washington Post on NSA disclosure and surveillance policy.[14][15]
  • Featured on Bloomberg Television's The American Dream (March 2025).[16][17]

Legacy and impact

Sager’s contributions to cybersecurity have had a lasting influence on both public and private sector approaches to risk management and systems security. As one of the original developers and advocates of the CIS Controls, he helped establish a prioritized, measurable framework that has become widely adopted across industries and governments worldwide.[3] His emphasis on operationally tested security practices brought practical implementation strategies to the forefront of cybersecurity policy.[1]

Through his leadership at the National Security Agency (NSA), Sager played a key role in transitioning government-developed cybersecurity methodologies—such as system hardening guidelines—into tools accessible for commercial and nonprofit use.[6] This democratization of defense techniques helped elevate national standards for information assurance and laid the groundwork for greater public-private collaboration in cybersecurity.[2]

After retiring from the NSA, Sager continued to shape the field through his work with the Center for Internet Security (CIS), where he guided the development of consensus-based security tools, best practices, and training.[1] His advisory work with federal agencies, nonprofits, and industry organizations has reinforced his reputation as a trusted voice in cyber risk management and national resilience.[5]

Tony’s leadership helped redefine cybersecurity as a mission built on shared responsibility and actionable defense, not just high-level policy or theoretical models.

— Center for Internet Security tribute, 2023[7]

Sager's legacy also includes decades of mentorship and public engagement, from congressional testimony to keynote speeches and media interviews.[13][6] His efforts have influenced federal cybersecurity strategies, including NIST frameworks and CISA programs, and continue to inform how organizations of all sizes secure critical systems.[4][9]

References

  1. "Tony Sager". Center for Internet Security. Retrieved June 14, 2025.
  2. "Tony Sager". SANS Institute. Archived from the original on October 26, 2022. Retrieved June 15, 2025.
  3. "The CIS Critical Security Controls". Center for Internet Security. Retrieved June 14, 2025.
  4. "CDM Program Prepping Data Protection Push at Select Agencies". The CRE. Retrieved June 15, 2025.
  5. "DHS Launches First-Ever Cyber Safety Review Board". DHS. Retrieved June 14, 2025.
  6. "Cyber Security: Hearing Before the Committee on Homeland Security and Governmental Affairs, 111th Cong. (2009)" (PDF). U.S. Senate Committee on Homeland Security and Governmental Affairs. pp. 15–16. Retrieved June 15, 2025.
  7. "The Center for Internet Security's Tony Sager to be Inducted into the Global Cyber Security Hall of Fame". Center for Internet Security. October 16, 2023. Retrieved June 15, 2025.
  8. "SANS Difference Makers Awards". SANS Institute. Archived from the original on February 1, 2025. Retrieved June 15, 2025.
  9. "Podcast: Tony Sager Discusses The Community Defense Model". Cimcor/Cybercrime Magazine. Retrieved June 14, 2025.
  10. "Making Policy Compliance Work for You – CIS Benchmarks & DISA". CyberSecurity TV. Retrieved June 14, 2025.
  11. "Replay: Demystifying Security's Wizards – Tony Sager". Forcepoint. Retrieved June 15, 2025.
  12. "Listen: Former NSA analyst Tony Sager tackled 'fog of more'". SC Media. July 1, 2021. Retrieved June 15, 2025.
  13. "Cybersecurity Pioneer Tony Sager to Keynote SANS Security East 2025". GlobeNewswire. February 18, 2025. Retrieved June 15, 2025.
  14. Zakrzewski, Cat (February 6, 2020). "The Cybersecurity 202: Here's why NSA rushed to expose a dangerous computer bug". The Washington Post. Retrieved June 15, 2025.
  15. Rucker, Phillip (December 18, 2013). "NSA shouldn't keep phone database, review board recommends". The Washington Post. Retrieved June 15, 2025.
  16. "The Center for Internet Security to be Featured on Bloomberg Television's "The American Dream"". Fox5 San Diego. March 24, 2025. Retrieved June 15, 2025.
  17. "The Center for Internet Security to be Featured on Bloomberg Television's "The American Dream"". CBS42. March 24, 2025. Retrieved June 15, 2025.