Sounil Yu, author of Cyber Defense Matrix, discusses the importance of terminology in cybersecurity and the distinction between safety and security. He explains how the Cyber Defense Matrix helps organize and identify gaps in security capabilities. He also introduces the concept of the D.I.E. Triad (distributed, immutable, ephemeral) and how it can reduce the impact of liabilities in cybersecurity. The conversation highlights the need to redefine the economic equation of cybersecurity from a cost to an investment. The talk explores the concepts of cyber safety and cybersecurity and how they relate to risk management and defense strategies. The guests discuss the importance of having necessary defenses in place, even for smaller businesses that may not be direct targets. They also delve into the three-line model and how it aligns with the cyber defense matrix. The matrix is a valuable tool for understanding the full scope of cybersecurity and making risk-based decisions. The conversation emphasizes the need for a common language and understanding between tech and audit professionals.

• Terminology is crucial in cybersecurity to ensure clear communication and understanding.
• The Cyber Defense Matrix helps organize and identify gaps in security capabilities.
• The D.I.E. triad (distributed, immutable, ephemeral) can reduce the impact of liabilities in cybersecurity.
• Redefining the economic equation of cybersecurity from a cost to an investment is essential. Having necessary defenses in place is vital for all organizations, regardless of their size or direct targeting.
• The cyber defense matrix is a helpful tool for understanding the full scope of cybersecurity and making risk-based decisions.
• Common language and understanding between tech and audit professionals are crucial for effective communication and collaboration.
• Risk tolerance and appetite should clearly articulate and align with the organization's goals and resources.
• The cyber defense matrix can be used as an assurance map to identify controls and risk coverage gaps.

00:00 Introduction and Background

06:18 The D.I.E. Triad

14:13 The Importance of Terminology

26:40 Risk Tolerance and Risk Appetite

35:07 The Role of Language and Common Understanding

In this episode, Mike Leuzinger and Andy Kolenko discuss policy as code from a technology and audit perspective. Policy as code extends infrastructure as code, allowing organizations to automate and manage policies across multiple technology stacks. It can enable continuous compliance, self-service for auditors, and more robust controls through automation. However, challenges include dealing with heterogeneity and the complexity of new technologies. Bridging the gap between technologists and auditors is crucial for successful implementation. The conversation explores the challenges and benefits of implementing policy as code in an organization. Mike, Andy, Clariss, and Bill discuss the complexity of keeping up with proprietary schemas and controls and the importance of relying on vendors and industry standards. They also touch on the responsibility of setting and managing Policy as Code, highlighting the industry's lack of established processes and ownership. The conversation emphasizes the need for collaboration between auditors and technology partners and the importance of staying updated on compliance guidance and leveraging tools like Open Policy Agent and the AWS Well-Architected Framework.

• Policy as code extends infrastructure as code, enabling organizations to automate and manage policies across multiple technology stacks.
• Policy as code enables continuous auditing and monitoring, providing more continuous assurance to stakeholders.
• Self-service for auditors reduces miscommunication and allows them to obtain the necessary evidence without relying on clients.
• Policy as code strengthens controls through automation, preventing security vulnerabilities from going into production.
• Challenges of policy as code include dealing with heterogeneity and the complexity of new technologies.
• Bridging the gap between technologists and auditors is crucial for successfully implementing policy as code. Keeping up with proprietary schemas and controls remains challenging, and organizations should rely on vendors and industry standards to stay ahead.
• The responsibility for setting and managing Policy as Code is still unclear, and there is a need for more established processes and ownership.
• Collaboration between auditors and technology partners is crucial for the successful implementation of Policy as Code.

In this episode, Lynn, Roberto, & Matt from John Deere discuss their digital transformation journey and its impact on IT and Internal Audit. They highlight the importance of agility in internal audit and how it helped prioritize work and enhance relationships with stakeholders. The team also shares the challenges they faced during the transformation and the strategies they used to overcome them. Additionally, they discuss the concept of defining deployable and its role in bridging the gap between technology and audit. The conversation explores the partnership between audit and other departments, the importance of metrics and measuring outcomes, applying software engineering principles to audit, and advice for implementing Agile in audit.

• Digital transformation requires agility in internal audit to prioritize work and enhance stakeholder relationships.
• Challenges during the transformation can be overcome through continuous improvement and a focus on cultural change.
• Defining deployable is crucial in bridging the gap between technology and audit.
• Psychological safety and modeling behaviors are vital to creating a culture of trust and innovation.
• Partnerships between audit and other departments are crucial for automation and improving audit processes.
• Metrics should focus on measuring outcomes rather than just activities.
• Applying software engineering principles to audits can improve efficiency and effectiveness.
• When implementing Agile in audit, start small, adapt, build relationships, and disrupt with precision.