Episode 146: What Security Looks Like for a Security Company

Update: 2025-07-30

Description

In episode 146 of Cybersecurity Where You Are, Tony Sager is joined by Angelo Marcotullio, Chief Information Officer at the Center for Internet Security®(CIS®); and Stephanie Gass, Sr. Director of Information Security at CIS. Together, they look back on periods of transition at CIS to discuss what security looks like for a security company. Here are some highlights from our episode:

00:58 . Introductions with Angelo and Stephanie
02:07 . A pro and a con of IT consulting work
04:12 . The importance of soft skills in bringing the Multi-State Information Sharing and Analysis Center® into CIS
06:12 . Looking at security from a corporate perspective with the CIS Critical Security Controls
07:08 . How IT and IT security are essential to corporate strategy
07:45 . The use of governance to support merging three business units into an integrated security company
12:04 . The value of security champions in adapting to regulatory and business changes
15:15 . What IT and Security teams can accomplish when they work as partners
17:18 . The use of data to inform Board decisions and conversations around risk
20:38 . How getting a seat at the table helps with understanding a Board's risk appetite and communicating that out to teams
25:01 . How infrastructure built for growth, not the smallest business case, produced a smooth transition to work from home in March 2020
29:30 . Advice for folks starting out in security
31.28. The importance of collaboration and culture in implementing security as an organization

Resources

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

Comments

In Channel

Episode 151: 2025 Cybersecurity Predictions H2 Review — Pt 2

2025-09-0346:42

Episode 150: A Roundtable Chat to Celebrate 150 Episodes

2025-08-2733:27

Episode 149: Human Error, AI Missteps, and Other VM Risks

2025-08-2033:21

Episode 148: How MDR Helps Shine a Light on Zero-Day Attacks

2025-08-1332:15

Episode 147: Actualizing Threat Intel for Effective Defense

2025-08-0643:11

Episode 146: What Security Looks Like for a Security Company

2025-07-3034:01

Episode 145: 2025 Cybersecurity Predictions H2 Review — Pt 1

2025-07-2335:33

Episode 144: Carrying on the MS-ISAC's Character and Culture

2025-07-1633:04

Episode 143: Iran's Growing Multidimensional Threat Activity

2025-07-0931:57

Episode 142: SLTTs and Their Nuanced Cybersecurity Needs

2025-07-0234:10

Episode 141: A Human-Centered Take on Password Policies

2025-06-2543:18

Episode 140: Threat-Informed Travel Safety Tips

2025-06-1834:28

Episode 139: Community Building for the Cyber-Underserved

2025-06-1134:03

Episode 138: The Use of GenAI to Refine Your TTX Development

2025-06-0433:54

Episode 137: National Cybersecurity Through SLTT Resilience

2025-05-2842:00

Episode 136: How WiCyS Advances Women in Cybersecurity

2025-05-2138:35

Episode 135: Five Lightning Chats at RSAC Conference 2025

2025-05-1423:30

Episode 134: How GenAI Lowers Bar for Cyber Threat Actors

2025-05-0739:48

Episode 133: DieNet's DDoS Hacktivism and Evolving TTPs

2025-04-3032:33

Episode 132: Day One, Step One, Dollar One for Cybersecurity

2025-04-2334:35

00:00

Episode 146: What Security Looks Like for a Security Company

#box-pro-ellipsis-175725766590595{-webkit-line-clamp:2;}Episode 146: What Security Looks Like for a Security Company

Episode 146: What Security Looks Like for a Security Company

Episode 146: What Security Looks Like for a Security Company