Tripwire’s President and CEO Jim Johnson discusses how there has been a significant shift in IT security as CISOs who were purely technical in their approach begin to realize they need to better understand the nature and language of business.
Johnson says the CISOs who really understand business “know how to put frameworks together” and ask themselves “how do I make this all make sense in a way that a business person can understand?”
Johnson also explains how there has been a shift away from trying to manage too many controls towards focusing on just the Twenty Critical Controls.
These key controls are invaluable not only because they account for the majority of security events, but also because they can be converted into a single, easy-to-understand vulnerability indicator that can be shared with all business units and the C-suite.
“When that relationship becomes strong, all the right things will begin to happen,” Johnson said, “the right level of investments will happen and the activities will generate better results because you have the combination of the business persona and the technical person.”
For more information on the Twenty Critical Controls, Tripwire’s Adam Montville (@adammontville) has done a fine job of breaking down the requirements one by one and providing a road map for implementation:
- Control 1: Inventory of Authorized and Unauthorized Devices
- Control 2: Inventory of Authorized and Unauthorized Software
- Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Control 4: Continuous Vulnerability Assessment and Remediation
- Control 5: Malware Defenses
- Control 6: Application Software Security
- Control 7: Wireless Device Control
- Control 8: Data Recovery Capability
More articles in the series will be available soon. Stay tuned!