CAG Vs. IG: Conflict Over Infosec

Part 2 of Interview with John Gilligan on Consensus Audit Guidelines
John Gilligan doesn't believe inspector general audits are worthless. If anything, some agencies' IGs do a better job than others in identifying problems with IT security, says the former Air Force chief information officer and über-champion of the Consensus Audit Guidelines. "I don't cast all of them with the same brush," he says. But there is a but, here.

"But, I think that a lack of objective criteria to some extent is a lack of experience in many of the IG shops and that serves to create a situation where even well-performing organizations can find that their IG gives them a poor report," Gilligan said in the second of a two-part interview with GovInfoSecurity.com.

Gilligan's primary grievance with IG security audits is that they're not placed in context. The flaws IGs identify may be factual, he says, but they're not always put in the perspective of the agencies' overall approach to cybersecurity.

In the interview with GovInfoSecurity.com's Eric Chabrow, Gilligan also discusses what the consortium that published CAG is doing next.

In Part 1 of the interview, Gilligan addressed how agencies should take a deliberate approach in implementing CAG and the success the State Department has achieved through the implementation of critical controls.

During his 25 years in government, Gilligan served as CIO at the Energy Department. He now heads his own consulting firm, the Gilligan Group. Gilligan remains a big influence on government IT, not only leading the consortium that developed CAG but also coauthoring the influential Commission on Cybersecurity for the 44th Presidency report. He also serves as chairman of the Center for Internet Security, a not-for-profit with a mission to establish and promote the use of consensus-based standards to raise the level of security and privacy in Internet-connected systems.



