Corporate Compliance Insights
Taking An “Inside-Out” Approach to Security and Compliance

by Corporate Compliance Insights
November 15, 2018
in Featured, Leadership and Career
Q&A with Justin Sulhoff of Optiv Security

Today we feature an interview with Justin Sulhoff, Practice Manager, PCI Services at Optiv Security, a $2 billion security solutions integrator. He tells us why an “inside-out” approach to security and compliance is essential to mitigating risk in today’s world of never-ending regulations and increasingly sophisticated cyber threats.

Maurice Gilbert: How do you stay current on ethics and compliance issues?

Justin Sulhoff: There is a constant need to “keep the blade sharpened,” so to speak, when it comes to compliance, ethics and information security as a whole. The industry is constantly changing due to the need to adapt to new technologies, threats, standards and regulations. Staying current requires lots of reading. I also attend webinars, conferences and local industry group meetings during my free time.

MG: What do you believe is the optimal reporting structure for the CCO and why?

JS: All organizations are unique in their structure and how they delegate roles and responsibilities to internal stakeholders. Ideally, the CCO should maintain organizational independence, so no conflicts of interest arise from rolling up under an organizational unit whose interests may be at odds with the goals and needs of compliance. For example, you wouldn’t want to have an internal audit group that is testing controls as part of the same team that’s responsible for implementing and maintaining controls, as that could present a clear conflict of interest.

MG: How do you effect change within your clients’ environments?

JS: Client compliance needs are often a significant driver of the overall security initiatives of that organization. Optiv’s compliance team is skilled at assessing a client’s current security and compliance posture and identifying any areas that are noncompliant. From that perspective, we effect dramatic change in a client environment by providing trusted advisory, remediation guidance and services regarding logical, administrative and/or physical security controls that can be implemented to meet the intent of any given compliance requirement. Oftentimes, a client will choose to implement the recommended solutions in their broader network where compliance mandates may not apply.

MG: What do you see as the greatest business risks facing companies today?

JS: Contrary to what many believe, security and compliance are business issues. If a company is the victim of a data breach or violates a regulation, it risks a damaged reputation, a loss of customers and, in the case of compliance, major financial penalties – all of which impact the bottom line. Despite this, CCOs and CISOs have always had a difficult time gaining a “seat at the table” in the executive suite and boardroom. One of the main reasons for this is that, historically, it has been difficult for them to effectively measure and report on the impact security and compliance operations have on corporate business goals.

While this has been an issue for years, it’s still an area of immaturity for many companies. To effectively mitigate risk in today’s sophisticated threat landscape, security, compliance and business teams must work together. And the best way for them to do this is by balancing business requirements with enterprise risk and using this balance as the foundation of a strong security and compliance program. From there, security and compliance pros can implement metrics and key performance indicators (KPIs) that allow them to budget and evaluate security operations in a way that is consistent with other business units. In other words, they can demonstrate how security and compliance investments are impacting the risk profile in a way their business colleagues can understand.

MG: What do you see as the greatest regulatory risks facing companies today?

JS: Many organizations take what we, at Optiv, call an “outside-in” approach to security and compliance: They focus first on identifying specific cyber threats and compliance requirements, and then they react with technology procurement. This approach has failed. It has resulted in massively complex and costly security infrastructures consisting of endless point solutions that are impossible to manage, measure and maintain. It has created an operations environment in which there are never enough resources to manage the cacophony of tools and services – a problem inflamed by the cybersecurity skills shortage. And these infrastructure and operations problems escalate enterprise risk by creating security vulnerabilities and compliance gaps caused by human error and technology misuse.

While new regulations emerge all the time, the biggest regulatory risks are posed by these complex environments and antiquated approaches to security and compliance. Because of this, organizations need to move from an “outside-in” to an “inside-out” approach to security and compliance, where technology and processes are organized and optimized around enterprise-specific risk rather than the latest external threat.

MG: How does your company help its clients mitigate risk?

JS: Optiv helps its clients take an “inside-out” approach to security and compliance. Unlike the “outside-in” model, where the threat landscape dictates security spend, strategy and operations, the “inside-out” approach focuses first on the core requirement of every business: reducing enterprise risk. Clients define the specific enterprise risk model appropriate to their business and then build out from there across security strategy, infrastructure rationalization, operations optimization and ongoing measurement.

Building an enterprise risk model suitable to each unique business is important because it maps to the enterprise business model. This means that business objectives – not the threat landscape – drive security strategy. This strategy then dictates how to rationalize infrastructure so it is manageable and effective and how to optimize operations to ensure proper infrastructure management and long-term risk mitigation.

With a risk-centric foundation in place, enterprises can close vulnerability gaps and respond to new threats and regulations in a proactive, systematic way. And, once the entire security and compliance program is constructed around a coherent strategy, it becomes possible to measure that program with KPIs that ensure long-term adherence to the desired state of security while also giving CCOs and CISOs easy-to-understand metrics to report to other executives and board members, allowing them to finally gain a seat at the business table.

MG: What new service offerings do you have in the queue?

JS: Optiv has a number of new service offerings in the pipeline, but I’d like to talk about one we recently announced – SecurePayment@Optiv – because it’s a great example of an “inside-out” approach to security and compliance. SecurePayment@Optiv is an integrated portfolio of services and technologies that enables organizations to move beyond basic Payment Card Industry Data Security Standard (PCI DSS) compliance so they can implement comprehensive, risk-centric security across the entire payment life cycle.

Many merchants (i.e., anyone accepting a credit card) use the PCI standard as their security framework, which is a disastrous mistake, because PCI is not a security framework at all. By using PCI as the blueprint for security, organizations leave themselves open to tremendous security and compliance gaps in other areas of the business. SecurePayment@Optiv provides a complete reference architecture of services and technologies across application security, network segmentation, encryption, identity and access management, threat intelligence and incident response to help clients lock down their entire payment network so it is truly secure, while still remaining PCI compliant. Rather than allowing an external regulation to dictate security strategy and spend, SecurePayment@Optiv evaluates each organization’s specific risk profile and then applies the right reference architecture to deliver the optimal combination of technology and operational processes.

This risk-centric approach results in a holistic payment security program that reduces the risk of payment fraud, data breaches and compliance gaps and delivers comprehensive security across the entire payment life cycle.


Justin Sulhoff is Practice Manager, PCI Services at Optiv Security, where he is responsible for all post-sales Information Assurance project operations. He’s involved in team hiring and management, practice methodology development and oversight of client-facing pre-sales activities. Previously, Sulhoff served in various security consultant roles at FishNet Security before the company merged with Accuvant to become Optiv Security.


Tags: Data Breach, Payment Card Industry Data Security Standard (PCI DSS)