Information security controls may not seem exciting, but they represent perhaps the most underrated set of tactics that enterprise information security practitioners have at their disposal to prevent worst-case scenarios.
After more than a decade as one of the top information security analysts at Gartner Inc., John Pescatore decided that advancing the evolution of enterprise security controls -- specifically the SANS Institute's 20 Critical Security Controls -- was a cause important enough for him to embark on a new career path.
"If you think about what are the most important things we can do, no matter what compliance regime is looking at us, the 20 controls is just a great effort," said Pescatore, now director of emerging security trends for the Bethesda, Maryland-based SANS Institute. "The most important things we do in security to stop bad things from happening are making up for deficiencies in the way IT owns and manages PCs and servers."
In this interview, conducted at the 2014 SANS Boston Leadership Summit, Pescatore discusses the importance of security controls to the operational side of information security.
He also discusses key takeaways from the 2014 SANS security salary survey, and the institute's work in collaboration with the U.S. Department of Veterans Affairs' VetSuccess program to provide training and mentorship to former members of the U.S. military looking for jobs in private-sector information security.
Finally, Pescatore discusses the "secrets" of Gartner and how an enterprise can make the most of working with a third-party research and consulting firm on information security.