
Building an Effective Enterprisewide Security Program

Gregory Wilshusen of the GAO Offers Lessons Learned
Gregory Wilshusen, director, information security issues, U.S. Government Accountability Office

Identifying the right controls to manage specific risks is a vital component of an enterprise-wide security program, says Gregory Wilshusen of the U.S. Government Accountability Office.


In an interview at Information Security Media Group's recent New York Security Summit, Wilshusen discusses lessons learned in the government sector that apply well to other sectors, including:

  • The need to offer security training to all end users;
  • The importance of testing policies, procedures and technologies;
  • The urgency of quickly resolving vulnerabilities when they're identified.

Wilshusen is director of information security issues at the U.S. Government Accountability Office, the investigative arm of Congress. He oversees its IT security investigations and audits of federal government agencies and programs. He is a frequent witness before Congressional panels, testifying on government IT security. A certified public accountant, certified internal auditor and certified information systems auditor, Wilshusen previously served as the controller for the North Carolina Department of Environment, Health and Natural Resources, and held senior auditing positions at Irving Burton Associates, a professional and technical services firm, and with the U.S. Army Audit Agency.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
