This event was hosted by Chris Bell, one of our CSP Directors who has over 35 years experience in the Information Technology Industry with the last 25 years in the Infosec space. The panel of experts discussed how management can be confident that their security posture of the organisation is actually OK and protected against potential disruptive threats. Assurance and Compliance (and their role in assessing and demonstrating security posture) was discussed in conversations by the panelists. Attendees had the opportunity to explore this subject further through hearing insights and expertise from our local leaders in the information security community, with a live Q&A.

1. Security Assurance or Security Compliance
?

2. Assurance or Compliance ?
• What is the difference ?
• Can we have one without the other ?
• Where should an organisation focus its efforts ?

3. Stuart Frost BEM
Peter Nota
Peter is a highly regarded security leader. He is currently the Chief Information Security Officer (CISO) at
Provident Financial group. Peter has held a number of senior leadership roles within international
Commercial and Financial organisations including those operating in highly regulated sectors . Prior to
joining Provident, Peter was the Vice President and CISO for the UK and European operations of Equifax.
With over the 30+ years InfoSec experience across financial services, retail, distribution and consultancy he
has established, developed and managed information security teams, developed and implemented infosec
strategy, policy and process for a variety of organisations. Peter holds several security designations together
with a BA(Hons) in Business and Finance in addition to an MBA.
Stuart is a senior leader within the UK civil service and is the head of the Enterprise Security and
Risk management function within a major Government department. As a governance Risk and
Compliance (GRC) specialist and expert in Cyber Security, Information Security and Enterprise Risk
Management, he has built a successful career spanning 25+ years. Stuart has created, developed,
and led large scale multi-disciplinary, geographically dispersed teams. He is passionate about
ensuring security strategies align with the organisations objectives to jointly deliver strategic
priorities whilst building security capability and increasing security maturity levels within an
organisation. Stuart holds a number of security designations and is a board member for ISACA UK.
Our Guest Speakers

4. Compliance
Adherence to, and the ability to demonstrate adherence to, mandated requirements
defined by laws and regulations, as well as voluntary requirements resulting from
contractual obligations and internal policies.
https://www.isaca.org/

5. Assurance
A general term for the confidence that can be derived from objective information over the
successful conduct of activities, the efficient and effective design and operation of internal
control, compliance with internal and external requirements, and the production of insightful and
credible information to support decision making. ¹
Assurance refers to a number of related activities designed to provide the reader or user of the
report with a level of assurance or comfort over the subject matter.²
Government functional standard 007 ¹
https://www.isaca.org/ ²

6. “The hackers focused on overcoming our security controls while the security and compliance
teams were measuring our security in terms of adherence with formal compliance
certification.”
This was the surprised analysis of the success of a global ransomware attack from a Fortune
500 victim’s compliance and security matters experts.
Target, SecurePay, Sally Beauty, FedEx, Staples, Dairy Queen, KMart and many other
enterprises that have certifications of compliance with a security standard, yet suffered
breaches, have 24/7 professional teams focused on maintaining their security and compliance
status.
Compliant, Yet Breached: Compliance vs. Security (isaca.org) 2017
OOPS !!

7. Q&A
What do you struggle with in Cyber Security?