In this interview with Truvantis CEO Andy Cottrell, Jenny Hill discusses the challenges and evolution of security programs she sees across industries.
In theory, cybersecurity should be easy. Why is it so hard?
“It never stays stagnant. Every minute of every day, something's changing, whether it's your vulnerabilities or the hackers. You're reviewing something that's growing and evolving on a minute-by-minute basis.”
“A lot of times the higher up you are, the less likely those with the hands in the dirt are going to come to you. It's about starting with creating a culture of transparency and communication. If you don't know what's bleeding, how could you ever fix it?”
What are the big mistakes that you see?
“A lot of times, especially in I.T., it's just constant patching up these holes and the actual problem never gets fixed.”
“Since we're not internal, we don't know where all the skeletons are. You need to be able to quickly have your client trust you so they can divulge some of the skeletons and not be afraid to do it. Because we're not here to judge. We're here to help. And if we don't know where the bodies are buried, how can we help you dig them up?”
How do you see your client base adapting to change and responding to dynamic changes going on around them?
“I think they're kind of being forced to evolve. One, for cybersecurity insurance requirements that seem to be changing every year. And I think, too, it depends on the industry that you're in.”
“It's literally impossible to be 100% secure. That's where you have to bring in the whole risk analysis. What amount of risk are we willing to accept?”
“We're kind of at a shift in how business is operating when it comes to IT. You're kind of pushing it more to the forefront because if you don't have IT security in place and you're not actually doing what you say you're doing, and you do get breached, you're really screwed.”
Jenny Hill is a security consultant with Truvantis who helps organizations increase their security posture by improving their controls and processes.
She worked as an internal auditor in the gaming industry before transitioning to cross-industry security consulting. Her audit and IT compliance experience provides a unique understanding of how auditors think and the level of detail that is expected.
Jennifer has performed gap assessments for clients looking to obtain CIS, SOC2 Type I and Type II certification, IT access reviews, SOX 404 GITC control audits and PCI DSS v4 preparation.
As a member of your Truvantis project team, Jenny will meticulously identify gaps within your security program and assist you through the certification process with your external CPA firm.
Truvantis is a security, privacy and compliance consulting firm providing best-in-class services to secure your organization's infrastructure, data, operations and products.
At Truvantis, we've built security and privacy programs for organizations, large and small. We specialize in helping our clients improve their business resilience and manage their business risk by implementing testing, auditing and operating information security programs.
Our world-class services include security testing and a wide range of flexible compliance and vCISO programs. Truvantis is also an authorized PCI DSS Qualified Security Assessor (QSA) Company.