Tony Sager

Tony Sager is an American cybersecurity professional who serves as Senior Vice President and Chief Evangelist at the Center for Internet Security (CIS). A retired 34-year veteran of the National Security Agency (NSA), Sager contributed to the development of the CIS Critical Security Controls, a widely implemented framework for cybersecurity best practices. He has also served on federal advisory boards focused on national cybersecurity policy and infrastructure protection.^[1]

Tony Sager
Sager (right) presenting at NSA Trusted Computing Conference, 2011
Nationality	American
Alma mater	Western Maryland College (BA), Johns Hopkins University (MS)
Occupation	Cybersecurity expert
Years active	1978–present
Employer	Center for Internet Security
Known for	CIS Critical Security Controls, NSA vulnerability analysis
Awards	Presidential Rank Award (Meritorious), NSA Exceptional Civilian Service Award, Global Cyber Security Hall of Fame

Sager earned a bachelor's degree in mathematics from Western Maryland College (now McDaniel College) and later received a master's degree in computer science from Johns Hopkins University.^[2]

Tony Sager’s career in cybersecurity spans more than four decades, beginning with his work at the National Security Agency and continuing through his leadership at the nonprofit Center for Internet Security.

Sager joined the NSA in the late 1970s through its COMSEC Intern Program. During his tenure, he held positions as a mathematical cryptographer, software vulnerability analyst, and head of the System and Network Attack Center. He later led the Vulnerability Analysis and Operations Group. In 2001, he initiated efforts to publish public security guidance and promote open standards.^[1][2]

Following his retirement from the NSA, Sager transitioned to public-interest work by joining the Center for Internet Security (CIS). At CIS, he played a central role in developing the CIS Critical Security Controls—a framework used worldwide to help organizations implement prioritized cybersecurity practices.^[3] In his current role, he leads outreach, collaboration efforts, and public policy initiatives to strengthen cyber resilience.^[1]

In parallel with his work at CIS, Sager has frequently partnered with fellow cybersecurity leaders, including Ron Ross of the National Institute of Standards and Technology (NIST). Their public appearances and joint commentary have emphasized the alignment between CIS Controls and NIST frameworks, such as the CSF and SP 800-53.^[4]

Sager’s contributions have extended beyond technical work into public service. In February 2022, he was appointed to the inaugural Cyber Safety Review Board by the DHS and Cybersecurity and Infrastructure Security Agency (CISA).^[5][1] He also serves on several advisory panels and nonprofit boards related to cybersecurity education and public safety.^[1]

Sager’s cybersecurity leadership has also included direct engagement with U.S. lawmakers. In 2009 Senate testimony, he described an NSA red team exercise that exposed vulnerabilities in U.S. Air Force systems. The NSA’s resulting guidance, deployed across 500,000 systems, led to measurable improvements—reducing patch times from 57 days to 72 hours, cutting costs by over $100 million annually, and lowering help desk demand. He emphasized that these outcomes were due not only to technical measures, but also to strategic procurement policies, including collaboration with Microsoft.^[6]

• Inducted into the Global Cyber Security Hall of Fame in 2023.^[7]
• Recipient of the SANS Difference Makers Lifetime Achievement Award in 2024.^[8]
• Awarded the Presidential Rank Award (Meritorious Level) twice during his NSA career.^[1][2]
• Received the NSA Exceptional Civilian Service Award.^[1][2]
• His NSA teams were recognized by SC Magazine, SANS, and Government Executive magazine.^[1]

• "Vulnerability Analysis and Operations (VAO): A National Security Agency Perspective" (July 2009). NSA Information Assurance Symposium presentation. "Vulnerability Analysis and Operations" (PDF). NIST. Retrieved June 15, 2025.
• "Cybersecurity at Scale: Piercing the Fog of More", Center for Internet Security blog (2023). "Cybersecurity at Scale: Piercing the Fog of More". Center for Internet Security. Retrieved June 15, 2025.
• Contributor to "CIS Community Defense Model 2.0", CIS white paper (2021). "CIS Community Defense Model 2.0". Center for Internet Security. Retrieved June 15, 2025.
• "I Tell Our Story", LinkedIn article by Tony Sager (November 2020). "I Tell Our Story". LinkedIn. Retrieved June 15, 2025.
• "My Summer of Information Superiority", LinkedIn article by Tony Sager (October 2020). "My Summer of Information Superiority". LinkedIn. Retrieved June 15, 2025.

• Featured speaker at Center for Internet Security and SANS Institute conferences.^[1]
• Interviewed by Cybercrime Magazine on the Community Defense Model.^[9]
• Appeared on CyberSecurity TV panel: "Making Policy Compliance Work for You."^[10]
• Guest on Forcepoint podcast: “Demystifying Security’s Wizards.”^[11]
• Featured on SC Media’s “CISO Stories” podcast.^[12]
• Keynote speaker at SANS Security East 2025.^[13]
• Quoted in The Washington Post on NSA disclosure and surveillance policy.^[14][15]
• Featured on Bloomberg Television's *The American Dream* (March 2025).^[16][17]

Sager’s work influenced public and private risk management and systems security practices. His involvement in CIS Controls contributed to their global adoption as a cybersecurity standard. His ongoing advisory roles underscore his influence on U.S. cybersecurity policy and practice.

• Center for Internet Security
• Cyber Safety Review Board

• Tony Sager at the Center for Internet Security
• Tony Sager profile at the SANS Institute
• Tony Sager on LinkedIn