Mar 26, 2020
All links and images for this episode can be found on CISO
Your policy should rarely change. But your ability to achieve that policy is found in procedures or governance that should inform, steer, and guide your team. Those procedures should change often and others should follow. Are they?
this post for the basis for our conversation on this week’s episode, which features me and Allan Alford. Our guest is Mustapha Kebbeh.
Thanks to this week's podcast sponsor,
At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.
On this episode of Defense in Depth, you’ll learn:
- By leading with governance, how do you make a governance, risk, and compliance (GRC) program meaningful?
- Without the right governance it will be hard to accomplish the
- GRC requirements have to adhere to the three A's: actionable, accountable, and achievable.
- GRC programs require strong leaders. Without them, nobody will follow a governance effort.
- There was debate on whether risk or governance should lead the GRC effort. But everyone appeared to agree that leading with compliance is very dangerous.
- A list of rules, or governance, is completely pointless if it's not enforced. Enter risk, compliance, and a good leader, and you've got the opportunity for enforcement.
- Governance that's not tied to risk will probably be ignored and
- The argument to lead with risk is that it has clear applicability to the business, whereas that applicability is questionable for governance and compliance. But for the purpose of this episode's argument, we were making a case for governance leading the conversation.
- The main argument for governance over risk is that you can't truly understand the risk if there isn't some type of structure for understanding what you're dealing with.