03-26-20 - What? Business Rules That Actually Reduce Business Risk?

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

Is Governance the Most Important Part of GRC?

On this episode of Defense in Depth:

Co-host Allan Alford and guest Mustapha Kebbeh, CISO, Brinks, discussed:

  • By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful?

  • Without the right governance it will be hard to accomplish the bigger picture.

  • GRC requirements have to adhere to the three A's: actionable, accountable, and achievable.

  • GRC programs require strong leaders. Without them, nobody will follow a governance effort.

  • There was debate on whether risk or governance should lead the GRC effort. But everyone appeared to agree that leading with compliance is very dangerous.

  • A list of rules, or governance, is completely pointless if it's not enforced. Enter risk, compliance, and a good leader and you've got the opportunity for enforcement.

  • Governance that's not tied to risk will probably be ignored and therefore useless.

  • The argument to lead with risk is because it has applicability to the business where it's questionable with governance and compliance. But for the purpose of this episode's argument, we were making a case for governance leading the conversation.

  • The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure to understand what you're dealing with.

Thanks to this week's sponsor of Defense in Depth, CyberArk.

CyberArk

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

Chris Meenan, IBM Security on why companies move to the cloud

Engaging with Cybersecurity Startups to Solve New Security Paradigms

“We don’t have 30 years of good understanding of what security for infrastructure looks like. We don’t have that for the cloud,” said Dustin Wilcox, CISO, Anthem, in our conversation at Cybertech 2020 in Tel Aviv. “We also don’t have 30 years of knowledge of how the adversary is going to attack the cloud.” Wilcox believes that the answer to cloud security is going to be something completely different from what we had on premises, because with the cloud there is no longer a perimeter or equipment he can put controls on. Wilcox was at Cybertech to discover new solutions from creative and innovative Israeli startups.

Mike Wilkes, CISO, ASCAP on where security people pick up their knowledge
