CAG Vs. IG: Conflict Over Infosec
Part 2 of Interview with John Gilligan on Consensus Audit Guidelines
"But, I think that a lack of objective criteria to some extent is a lack of experience in many of the IG shops and that serves to create a situation where even well-performing organizations can find that their IG gives them a poor report," Gilligan said in the second of a two-part interview with GovInfoSecurity.com.
Gilligan's primary grievance with IG security audits is that they're not placed in context. The flaws IGs identify may be factual, he says, but they're not always put in the perspective of the agencies' overall approach to cybersecurity.
In the interview with GovInfoSecurity.com's Eric Chabrow, Gilligan also discusses what the consortium that published CAG is doing next.
In Part 1 of the interview, Gilligan addressed how agencies should take a deliberate approach in implementing CAG and the success the State Department has achieved through the implementation of critical controls.
During his 25 years in government, Gilligan served as CIO at the Energy Department. He now heads his own consulting firm, the Gilligan Group. Gilligan remains a big influence on government IT, not only leading the consortium that developed CAG but also coauthoring the influential Commission on Cybersecurity for the 44th Presidency report. He also serves as chairman of the Center for Internet Security, a not-for-profit with a mission to establish and promote the use of consensus-based standards to raise the level of security and privacy in Internet-connected systems.