CISO Tradecraft®

#228 - CIS CSAT (with Scott Gicking)

Apr 14, 2025
In this discussion, Scott Gicking, a former FBI cybersecurity specialist and seasoned CISO, shares insights on the Center for Internet Security's Controls Self-Assessment Tool (CSAT). He explains how CSAT transforms traditional assessments into a streamlined, software-driven process. Scott highlights the importance of creating a three-year roadmap for security improvements and emphasizes the need for honest self-assessments to build trust with executives. Tune in for valuable tips on enhancing cybersecurity maturity and organizational security posture!
AI Snips
ANECDOTE

From FBI CPA To Entertainment CISO

  • Scott Gicking described his 27-year FBI career: he started as a CPA, then specialized in computer crimes and served as the U.S. cybersecurity contact in London.
  • He later became CISO for a major entertainment company after a catastrophic incident in that industry, and then served as CISO for Hyundai North America.
INSIGHT

CIS Is A Practical, Defensible Framework

  • CIS provides practical, prioritized controls and configuration guides (the CIS Benchmarks) that smaller organizations can use instead of costly certifications such as ISO or SOC 2.
  • Using CIS is a defensible position: it lets you configure systems to industry-hardened standards and point to a recognized framework when asked why.
ADVICE

Assess, Assign, Then Prioritize

  • Use the CSAT tool to run an Implementation Group 1 (IG1) assessment, assign an owner to each control, and validate the owners' answers so the current-state picture is accurate rather than optimistic.
  • Prioritize the lowest-scoring (red/orange) controls first, and use the tool's executive reports and peer benchmarking to justify budget requests.