Episode 146: What Security Looks Like for a Security Company
In episode 146 of Cybersecurity Where You Are, Tony Sager is joined by Angelo Marcotullio, Chief Information Officer at the Center for Internet Security® (CIS®); and Stephanie Gass, Sr. Director of Information Security at CIS. Together, they look back on periods of transition at CIS to discuss what security looks like for a security company.
Here are some highlights from our episode:
- 00:58. Introductions with Angelo and Stephanie
- 02:07. A pro and a con of IT consulting work
- 04:12. The importance of soft skills in bringing the Multi-State Information Sharing and Analysis Center® into CIS
- 06:12. Looking at security from a corporate perspective with the CIS Critical Security Controls®
- 07:08. How IT and IT security are essential to corporate strategy
- 07:45. The use of governance to support merging three business units into an integrated security company
- 12:04. The value of security champions in adapting to regulatory and business changes
- 15:15. What IT and Security teams can accomplish when they work as partners
- 17:18. The use of data to inform Board decisions and conversations around risk
- 20:38. How getting a seat at the table helps with understanding a Board's risk appetite and communicating that out to teams
- 25:01. How infrastructure built for growth, not the smallest business case, produced a smooth transition to work from home in March 2020
- 29:30. Advice for folks starting out in security
- 31:28. The importance of collaboration and culture in implementing security as an organization
Resources
- Episode 144: Carrying on the MS-ISAC's Character and Culture
- The CIS Security Operations Center (SOC): The Key to Growing Your SLTT's Cyber Maturity
- Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1
- CIS Controls v8.1 Mapping to ISO/IEC 27001:2022
- CIS Controls v8.1 Mapping to SOC2
- CIS Controls v8.1 Mapping to NIST SP 800-171 Rev 3
- Reasonable Cybersecurity
- Episode 110: How Security Culture and Corporate Culture Mesh
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing [email protected].

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.