Implementing CIS 18 is a huge job. Changing internal behavior to reduce cyber-risks is even bigger.
Cyber threats are ever increasing. CIS 18 is a useful framework for reducing the risk of an attack, but it requires a lot of effort from compliance professionals. This includes reviewing existing policies and creating new ones, maintaining security controls, tracking changes, and reporting on the 18 controls regularly.
Building your new cyber protection often requires organizational change. Such as implementing new technologies or finding new ways and habits to do things. The resistance to change from your co-workers is often the biggest threat in successful implementation of CIS 18.