Here are six minutes of the best moments from the 11/8/19 recording of our weekly CISO Series Video Chat.

We talked at great length about the CIS Top 20 Critical Security Controls and how organizations use them as a checklist for building a security program.

Our panelists were Jeff Kohrman (@jeffkohrman), CEO of eCISO, and Greg van der Gaast, head of information security at The University of Salford.

Chris Foulon of ConQuest Federal and Allan Alford, co-host of Defense in Depth, also participated in the chat.

Got feedback? Join the conversation on LinkedIn.

Best quotes from the chat room

“I think it’s more of a guideline of things to consider in building your security program, but it takes a technology focus, rather than a business focus.” – Chris Foulon, lead cyber risk consultant, ConQuest Federal

“Picking and choosing is great, but the problem with not benchmarking to a framework is that demonstrating to senior management that you are doing the right thing becomes an uphill battle (in most cases).” – Richard U

“Utilizing it to reduce risk and address regulatory requirements, such as CCPA, where guidance on what is compliant is evolving. The CA AG in 2016 referenced the CIS 20 controls as a way of applying ‘reasonable security’.” – Ken Beasley

“Anything you build becomes its own constant over time – the ‘less defensible’ is for up-front arguments before you train/condition.” – Allan Alford, co-host, Defense in Depth

“Iterating this quickly will lead to fatigue for employees and culture. So I’m looking for the lowest common denominator and attacking it a little more waterfall.” – Matt Winkeler, Security Program Manager, Capacity

“Being a CISO today is like being an accountant before standard accounting practices were formed.” – Allan Alford, co-host, Defense in Depth

“The Board is interested in how the money you are requesting for controls will reduce security incidents and keep the org’s name out of the papers…” – Ralph Page, IT risk and compliance manager, MRO Holdings