As technology continues to proliferate throughout organizations, IT auditors are increasingly becoming bogged down by the immense challenges that present themselves. Naturally, when help is presented in the form of frameworks or guidelines, one question always comes to mind, “What do I do first?” Answering that question was the basis for the creation of the Center for Internet Security’s (CIS) Critical Security Controls (CSC), says Tony Sager, Senior Vice President and Chief Evangelist for the Center for Internet Security.

But they’re more than just a list of things to do; Sager is quick to point to the complex ecosystem that has been built around these controls that ensure IT auditors are taking into account the various areas of risk tied to the business, such as privacy implications. Additionally, a “simplified” draft of the controls has also been released for small to medium-sized business.

“I think they are just overwhelmed, and yet most of our economy is really tied up in companies that may never hire a professional security person,” Sager told Internal Audit Insights in a recent video interview. “They need something that’s not super jargon-y and complex. They either need simple information they can use day-to-day, or we need to help them become better buyers [of technology and solutions].”

In the video interview below, Internal Audit Insights catches up with Sager, and Greg Johnson and Logan Davis of the Federal Reserve Bank of Richmond, who define the Center for Internet Security’s Critical Security Controls, and the benefits they provide for IT auditors today.



Tony, Greg, and Logan spoke at MISTI's recent IT Audit & Controls Conference. Stay tuned for this year's big event in San Diego, California, July 24-26.