Language: English
10-11, 16:00–16:50 (America/New_York), Track 1 (206b)
In the ever-evolving domain of cybersecurity, the interplay between Governance, Risk, and Compliance (GRC) teams and offensive security teams is crucial for creating a strong security posture. Darryl's presentation delves into the dynamic role that GRC teams can play in enhancing and empowering the efforts of offensive security professionals.
Darryl will explore the foundational elements of GRC and its traditional role in organizational cybersecurity. GRC teams are typically viewed as the architects of policies, the assessors of compliance, and the managers of overall enterprise risk. However, their potential contribution can extend far beyond these traditional roles, particularly in support of offensive security initiatives.
The core of the presentation focuses on the specific ways GRC teams can support and elevate the work of offensive security teams.
Key points include:
- Risk-Informed Offensive Strategies: GRC teams can provide valuable insights into the risk landscape, helping offensive teams prioritize their efforts on areas of highest risk and potential impact.
- Policy and Compliance Alignment: By ensuring that offensive strategies align with organizational policies and compliance requirements, GRC teams can help avoid regulatory pitfalls and maintain ethical standards in security testing.
- Resource Optimization: GRC insights can aid in effectively allocating resources, ensuring that offensive efforts are both strategic and sustainable.
- Bridging the Communication Gap: GRC teams can act as a bridge between technical offensive security teams and executive management, translating technical vulnerabilities into business risks and impacts.
The presentation will also feature case studies demonstrating successful collaborations between GRC and offensive security teams. These real-world examples will provide attendees with practical insights into how such collaborations can be structured and the tangible benefits they bring.
Attendees will leave the session with a comprehensive understanding of the value GRC teams bring to offensive security, and actionable strategies for fostering this collaboration within their own organizations.
This presentation is aimed at:
- Cybersecurity Professionals: This includes offensive security experts such as penetration testers, ethical hackers, and red team members, as well as those specializing in defensive and other cybersecurity roles. They would benefit from understanding how GRC activities can directly impact and enhance their work.
- GRC Professionals: Individuals working in governance, risk, and compliance, including risk managers, compliance officers, and policy makers. This presentation will be particularly valuable for these professionals to understand their role in supporting and enabling offensive security initiatives.
- IT and Security Managers: Managers and executives responsible for overseeing IT and cybersecurity departments will gain insights on how integrating these teams can bolster organizational security posture.
- Business Executives and Board Members: Senior executives and board members who need to understand the importance of aligning cybersecurity efforts with governance and compliance in order to make informed decisions about cybersecurity investments and strategies.
- Auditors and Legal Professionals: Professionals responsible for auditing IT and security practices, as well as legal advisors specializing in technology and cybersecurity law, would find the presentation relevant for understanding how GRC and offensive security collaboration can ensure better compliance and legal adherence.
- Academics and Researchers in Cybersecurity and IT Governance: Educators and scholars who are involved in the study or teaching of cybersecurity, IT governance, risk management, and compliance.
- Students in Cybersecurity and Related Fields: Students pursuing studies in cybersecurity, information technology, law, and business who are interested in the practical application and integration of cybersecurity principles in the real world.
Darryl MacLeod brings over two decades of cybersecurity experience, with a focus on strategic advisory, offering virtual Chief Information Security Officer (vCISO) services, and managing comprehensive information security programs.
Darryl is an active participant in the cybersecurity community, having spoken at multiple conferences, including Security BSides St. John's, GoSec, Texas Cyber Summit, RVAsec, and Blue Team Con. He also serves on the Board of Directors for AtlSecCon.