
Why Security Leaders Should Plagiarize Compliance Frameworks | Steve Winterfeld, Akamai | TFiR


Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: Secure By Design
Topic: Security

Security compliance has a branding problem. For most enterprise leaders, regulations like GDPR, standards like NIST 800, and frameworks like MITRE ATT&CK feel like paperwork—checklists designed to satisfy auditors, not accelerate strategy.

Steve Winterfeld, Advisory CISO at Akamai, sees it differently. “I’m a huge fan of plagiarism,” he says. “Somebody smarter than me has done most of what I’ll do in my career, so I can go leverage this.” In a recent conversation with TFiR, Winterfeld outlined how security leaders can use compliance frameworks not as bureaucratic obligations, but as pre-built blueprints written by regulators and researchers who have already solved the hardest problems.

Regulations as Strategic Shortcuts

Winterfeld’s first example is the EU AI Act, a regulation often dismissed as European overreach. But for security leaders writing their first AI governance policy, it is a ready-made framework: it sorts AI systems into four risk tiers, from “unacceptable” (prohibited practices) through “high” and “limited” down to “minimal,” and attaches obligations to each tier. Instead of starting with a blank document and months of internal debate, you can adopt a structure already validated by regulators and legal experts.

The same logic applies to privacy regulations like GDPR. Even if your organization isn’t in a compliance-driven industry, GDPR offers a tested approach to data protection that aligns with customer expectations and reduces legal exposure. “I want to do what’s right for my customer, even if I’m not in a compliance-driven industry,” Winterfeld explains.

State-level regulations offer similar value. Colorado’s AI law, one of the first in the United States, focuses on “high-risk” AI systems that drive consequential decisions about consumers, such as healthcare, lending, insurance, employment and housing. For CISOs building AI risk frameworks, that list of consequential decisions is a ready-made prioritization model: inventory the systems that make those calls first.

Attestation Frameworks That Prove Maturity

Beyond regulations, Winterfeld highlights industry standards that offer third-party attestation—proof that your security program meets verified benchmarks. For energy sector organizations, it’s NERC CIP. For payment processing, PCI DSS. For companies with investors, SOC 2 is often the baseline expectation.

“You can use ISO 27001 for certification. The Cloud Security Alliance provides the Cloud Controls Matrix (CCM) and STAR. FedRAMP applies to cloud environments, specifically for U.S. government systems,” Winterfeld notes.

These frameworks aren’t just compliance boxes to check—they’re trust signals. When you’re in a class action lawsuit or facing an auditor, pointing to SOC 2 or ISO 27001 demonstrates that you followed industry-recognized best practices, not homegrown security theater.

NIST as the Security Leader’s Library

In the United States, the dominant framework is NIST’s SP 800 series. “By far, the NIST 800 security framework is a great place to start,” Winterfeld says. Most federal regulations—and many industry-specific requirements in banking and healthcare—are derived from NIST standards.

Need to build a zero trust architecture? NIST SP 800-207, Zero Trust Architecture, is the reference document. Looking for a way to organize the broader program? The NIST Cybersecurity Framework (CSF) groups outcomes into core functions (Govern, Identify, Protect, Detect, Respond and Recover in CSF 2.0) and uses implementation tiers rather than a formal maturity model, so it scales from startups to Global 2000 enterprises.

Tactical Frameworks for Day-to-Day Operations

Winterfeld also points to operational frameworks that move beyond policy into execution. The MITRE ATT&CK knowledge base catalogs adversary behavior as tactics (the attacker’s goal) and techniques (how the goal is achieved); the Enterprise matrix alone has 14 tactics and well over 200 techniques, most with sub-techniques, and separate matrices cover industrial control systems and mobile. For SOC teams, it is a shared language for threat intelligence, detection coverage and incident response.

For smaller companies without dedicated security teams, the CIS Controls provide a streamlined starting point. “It just gives you a set of 20 controls to start with—that’s essentially your security portfolio in a bag,” Winterfeld explains.

Standing on the Shoulders of Experts

The recurring theme in Winterfeld’s approach is leverage. Regulations aren’t obstacles—they’re research documents written by legal experts who’ve studied breach patterns, regulatory enforcement, and customer expectations. Standards like NIST and MITRE aren’t bureaucratic checklists—they’re distilled wisdom from thousands of security practitioners.

For CISOs facing board pressure, talent shortages, and accelerating threat landscapes, Winterfeld’s message is clear: Don’t reinvent the wheel. Plagiarize the frameworks built by people smarter than you, adapt them to your context, and move faster than competitors still writing policies from scratch.
