Episode 9: Mitigating Risk: Information Security Governance

Information security governance ensures that an organization has the correct information structure, leadership, and guidance. The governance aspect helps ensure that an organization has the proper administrative controls to mitigate risk. Then, risk analysis helps ensure that an organization properly identifies, analyzes, and mitigates said risk. Information security governance can also be classified as governance, risk and compliance (GRC).

In this edition of Cybersecurity Where You Are, host and CIS Chief Information Security Officer (CISO), Sean Atkinson welcomes guest Mosi Platt to the show. Platt is the GRC Manager at Frame.io. The two longtime friends discuss where they fall on the often-debated security or compliance front, and how managing risk is the reason both groups exist.

This week’s Cybersecurity Where You Are podcast highlights:

• The importance of information security governance
• Security vs. compliance
• Data – determining what you need and where to find it
• Understanding risk from a decision-basis
• Critical elements to fulfill business requirements
• Producing value in a compliance program
• Applying agility for continuous improvement

Good compliance = good security

Security is the practice of implementing effective technical controls to protect an organization’s digital assets. Compliance, on the other hand, is the application of that practice to meet regulatory or contractual requirements. Unfortunately, more often than not, organizations focus on compliance once a year when it’s time to certify that their “security is good.” The process of being compliant and secure should be a continuous process.

Compliance can help you understand why security needs to be a certain way, and vice versa. They can help solve each other’s problems, rather than serve as competing elements in the risk management process. It also might help to realize that security and compliance are both something you have, not something you do. The “do” here is managing risk, and risk-based security gives compliance value.

The Atkinson 9

Tune in to this week’s Cybersecurity Where You Are podcast for the “why” behind Mosi Platt’s answers to the infamous “Atkinson 9”:

• What is your favorite CIS Control?
  Platt: Security Awareness and Skills Training (Control 14 in v8, Control 17 in v7.1)
• What is your least favorite part of your profession?
  Platt: Compliance without risk.
• Why do you like the cybersecurity industry?
  Platt: I feel like it’s the only profession in technology that creates and protects value.
• Why don’t you like cybersecurity?
  Platt: There’s a stigma between authorized users and unauthorized users; there’s good guys and bad guys. I think it exposes us to nationalist and racist security practices that we don’t realize.
• What source of data log or telemetry do you love?
  Platt: VERIS Community Database (VCDB).
• What is the biggest waste of time in cybersecurity?
  Platt: Security by obscurity.
• What profession other than your own would you like to attempt?
  Platt: Author.
• What profession would you avoid?
  Platt: Web-design.
• At the end of your career, how would you like to be remembered?
  Platt: Continuously trustworthy.