
3 days ago
AccessIT Group's Brett Price on Governance-Driven Cybersecurity
Many cybersecurity programs fail because they prioritize tools over understanding what they're protecting. Brett Price, Lead Cybersecurity Consultant & vCISO at AccessIT Group, brings decades of experience to explain why data discovery and governance create more security value than any technology purchase. His approach starts with mapping critical data to business functions before implementing solutions — a methodology that has helped organizations discover everything from unsecured credit card data in S3 buckets to massive compliance gaps that traditional scanners missed entirely.
Drawing from his experience as a reformed QSA and virtual CISO across multiple industries, Brett tells Casey how successful security leaders build programs around culture and relationships rather than technical controls. His framework transforms overwhelming vulnerability backlogs into focused remediation strategies by prioritizing currently exploited vulnerabilities over theoretical risks, enabling resource-constrained organizations to eliminate real attack vectors first.
Topics discussed:
- The evolution of cybersecurity leadership from Steve Katz's appointment as Citigroup's first CSO in 1995 to today's business-aligned security executives.
- Why organizations fail by throwing tools at security problems without first understanding their critical data locations and business functions.
- Building incident response plans that include communication trees, out-of-band protocols, and muscle memory development through tabletop exercises.
- DSPM strategies for discovering, classifying, and protecting crown jewel data across cloud and on-premises environments.
- Vulnerability prioritization methodologies that focus on currently exploited vulnerabilities rather than overwhelming teams with thousands of theoretical risks.
- Creating security cultures through trust-building and gradual implementation rather than forcing dramatic changes that trigger organizational resistance.
- The limitations of compliance frameworks like PCI DSS and HIPAA that create false security by protecting only specific data types while missing broader organizational risks.
- Essential security metrics for boardroom reporting, including mean time to detect, mean time to resolve, and vulnerability burn-down rates.
- How healthcare and manufacturing industries struggle with cybersecurity implementation due to budget constraints and rapidly expanding attack surfaces.
- Building holistic security programs using frameworks like NIST CSF and CIS Controls that address governance, technical controls, and business alignment simultaneously.
Get in touch with Brett:
brettp@accessitgroup.com