Speaker: Russell Eubanks
Event: BSides Knoxville
Date: May 9, 2025
Watch on YouTube: https://www.youtube.com/watch?v=TdQPVzHWLhA
Introduction
At BSides Knoxville 2025, Russell Eubanks delivered a compelling presentation focused on bridging the gap between compliance and true security assurance. Drawing from extensive experience in healthcare, telecom, and financial services, Russell challenged attendees to go beyond simply meeting regulatory checkboxes and build cybersecurity programs that truly work.
Key Takeaways
- Compliance Is a Starting Point, Not the Destination
- Regulatory standards like PCI, HIPAA, and SEC create minimum thresholds (“tall enough to ride”), but these do not guarantee security effectiveness.
- Organizations often stop at the checkbox without integrating practices into operational strategy.
- Move from Compliance to Assurance
- Instead of merely conducting annual risk assessments, organizations should aim for continuous, actionable risk management.
- Ask: “Are we just doing what’s required, or what’s actually needed?”
- Mapping and Simplifying Compliance
- The Cybersecurity Risk Foundation (CRF) identified over 93 frameworks, translating 4,000+ requirements into a distilled set of 400 actionable safeguards.
- These map back to NIST, GDPR, PCI, HIPAA, SEC, NYDFS, and more to simplify cross-regulatory compliance.
- Framework Evaluation with Objective Criteria
- We developed a 12-point grading system (e.g., program governance, agent health, technical safeguards, mapping to threats) to evaluate frameworks like:
- NIST CSF v2
- ISO 27001:2022
- CIS Controls v8.1
- CRF’s own Safeguards
- We developed a 12-point grading system (e.g., program governance, agent health, technical safeguards, mapping to threats) to evaluate frameworks like:
- Letter Grades Assigned to Frameworks
- NIST CSF v2: Strong in governance but lacking in areas like network device management
- ISO 27001: Strong in program operations, weak in system monitoring
- CIS Controls: Great for asset inventory and control, but lacks coverage in governance
- CRF Safeguards: Transparent self-assessment shows strengths and room for growth
- Popular Doesn’t Mean Comprehensive
- Framework adoption often follows popularity (e.g., new versions, headlines) rather than completeness.
- Organizations should be wary of relying on popularity instead of effectiveness.
- Policy Challenges and Resources
- Many organizations lack updated, actionable security policies.
- CRF partnered with SANS to refresh policy templates—freely available and updated yearly.
- Practical Recommendations for Action
- Create a security team charter—a clear, concise document outlining roles and objectives.
- Perform self-assessments using tools like those from CRF to identify gaps.
- Align your controls not only with compliance but with business objectives and risk realities.
Final Thoughts
Russell encourages professionals to transition from reactive, checkbox-oriented mindsets to proactive, value-driven cybersecurity leadership. He urges attendees to bring clarity to their organizations by aligning cybersecurity strategy with mission outcomes and embracing tools that bring structure and simplicity.
His two main gifts to the audience were:
- The CRF Safeguards and Framework Mapping Tools
- Updated, Free SANS-Co-Branded Security Policies
He closed by urging every team to take the small but transformative step of crafting a security charter and assessing their actual operational safeguards—”not just to be tall enough to ride, but to be tall enough to lead.”
Resources
- 🔗 Cybersecurity Risk Foundation (CRF):
https://crfsecure.org- Over 400 unified safeguards mapped to 93+ frameworks
- Free tools, frameworks, and evaluations
- 📄 SANS Free Policy Templates:
https://www.sans.org/free- Co-branded, annually updated policies from CRF & SANS
- 🎓 Book Recommendation:
Dare to Lead by Brené Brown
(“To be clear is to be kind.”)