SRG Cybersecurity Blog
Security Program Maturity Workshop and the "Breach of the Day"
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG
Cybersecurity Program Readiness
I have several meetings each week with security professionals across many different industry verticals, each asking my opinion as to "where and what should we be focusing our efforts and budgets on?" Of course there is no perfect answer to this question, and oftentimes I find myself making the shift from consultant to lawyer as I offer up my "it depends" answer. If you really want to know where to focus your efforts and where you can get the biggest return on your information security spend, let's talk! At SRG we have designed our Security Program Maturity Workshop to give you the answer to those questions and give you a complete 360-degree view of how your organization stacks up against industry-recognized best practices. Take the guesswork out of your 2019 strategic information security plan and turn to SRG's team of experienced advisors to help you build a custom-tailored strategic roadmap that will keep your program moving in the right direction for years to come!
Secure vs. Compliant
I often hear the word Compliant being used synonymously with Secure. So to demystify this for myself, I looked them both up. Webster defines Compliance as "conformity in fulfilling official requirements". Sounds pretty good to me, so what about Security then? What does it mean and how does it differ? Again I turn to my good friends at Webster, who tell me it means "free from danger, risk, or loss". Obviously these are not synonymous terms. Both areas are important to your business; however, Compliance in and of itself, although important, does not ensure your long-term security. To be successful in the fight against the continuously evolving threat landscape, there are three foundational security elements that you will need to focus on in order to start developing your plan - Scope, Risk & Gap.
Scope - What is it that you are protecting?
Risk - What are your organizational, operational, industrial and geographical threat vectors?
Gap - Do you have your bases covered? What policies, processes, procedures and controls do you have in place, and what is missing?
In summary, it's all about SRG, so why not reach out to us and take that first step towards building a robust security program.
Is the CIA Triad in Need of an Update?
Many of my close friends and associates know that my family and I spent the better part of the first few months of this year dealing with a critical illness impacting my Father. As we spent time at the hospital, I observed the plethora of life-sustaining equipment that makes up an ICU ward. For those of you lucky enough to never have found yourself in an ICU, this might come as a shock, but many of the very devices we depend on to save lives are Wi-Fi connected for management and update purposes from the manufacturers. I was shocked to see that virtually all of this equipment was internet connected. Then I got to thinking about all the other aspects of my daily life that are also "on the net", and reality set in. Think about your commute, for instance: if the traffic lights were to be hijacked, or the mass transit system in your town was taken over in a cyber-attack, not only would it be inconvenient for the morning commute, but what about the potential for collisions leading to loss of life? IoT has a lot to offer and has made modern life convenient, but I ask you, are we really doing enough to secure those often overlooked yet critical aspects?
Each morning as I sip my cup of coffee, I like to read about the breach of the day. Some unfortunate organization has been hacked and data has been lost (sometimes to the tune of millions of records). I have had my personal data stolen and my credit card data exposed, and my dear friends at the VA have given away my records not once, not twice, but thrice - my morning cup has become a morning carafe! When we think about breaches and how they occur, most of us think about hard-core hackers, organized crime, or some form of clandestine operation that has targeted a well-known company or brand. In reality, these types of attacks are not generally behind these breaches. The hard truth is that the real cause is a lack of good security hygiene and maturity. So today I am spearheading a new campaign to help organizations rethink their approach to information security. Over the next several weeks I will be publishing a series of educational posts that will provide some tips and techniques to help mature your security program and help you be better prepared for the breach du jour. Join me in my fight, and together let's get back to a single-cup morning.