SRG Advisory Group LLC 

Scope  •  Risk  •  Gap

"Cybersecurity solutions as unique as your business"


Do you know your Cybersecurity Program Readiness Index Score?


Contact us today to learn more 

(862) 227-1002

SRG CYBERSECURITY BLOGS

Cybersecurity Program Readiness
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

I have several meetings each week with security professionals across many different industry verticals, each asking my opinion as to "where and what should we be focusing our efforts and budgets on?" Of course there is no perfect answer to this question, and oftentimes I find myself making the shift from consultant to lawyer as I offer up my "it depends" answer. If you really want to know where to focus your efforts and where you can get the biggest return on your information security spend, let's talk! At SRG we have designed our Security Program Maturity Workshop to give you the answer to those questions and give you a complete 360-degree view of how your organization stacks up against industry-recognized best practices. Take the guesswork out of your 2019 strategic information security plan and turn to SRG's team of experienced advisors to help you build a custom-tailored strategic roadmap that will keep your program moving in the right direction for years to come!


Secure vs. Compliant
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

I often hear the word Compliant being used synonymously with Secure. So, to demystify this for myself, I looked them both up. Webster defines Compliance as "conformity in fulfilling official requirements". Sounds pretty good to me, so what about Security then? What does it mean and how does it differ? Again I turn to my good friends at Webster, who tell me it means "free from danger, risk, or loss". Obviously these are not synonymous terms... Both areas are important to your business; however, Compliance in and of itself, although important, does not ensure your long-term security. To be successful in the fight against the continuously evolving threat landscape, there are three foundational security elements that you will need to focus on in order to start developing your plan: Scope, Risk & Gap. Scope: what is it that you are protecting? Risk: what are your organizational, operational, industrial and geographical threat vectors? Gap: do you have your bases covered? What policies, processes, procedures and controls do you have in place, and what is missing? In summary, it's all about SRG, so why not reach out to us and take that first step towards building a robust security program.


Is the CIA Triad in Need of an Update?
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

For many of my close friends and associates, you know my family and I spent the better part of the first few months of this year dealing with a critical illness impacting my father. As we would spend time at the hospital, I observed the plethora of life-sustaining equipment that makes up an ICU ward. For those of you lucky enough to never have found yourself in an ICU, this might come as a shock, but many of the very devices we depend on to save lives are Wi-Fi connected for management and update purposes by the manufacturers. I was shocked to see that virtually all of this equipment was internet connected. Then I got to thinking about all the other aspects of my daily life that are also "on the net", and reality set in. Think about your commute, for instance: if the traffic lights were to be hijacked, or the mass transit system in your town was taken over in a cyber-attack, not only would it be inconvenient for the morning commute, but what about the potential for collisions leading to loss of life? IoT has a lot to offer and has made modern life convenient, but I ask you, are we really doing enough to secure those often overlooked yet critical aspects?


Breach du Jour
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

Each morning as I sip my cup of coffee, I like to read about the breach of the day. Some unfortunate organization has been hacked and data has been lost (sometimes to the tune of millions of records). I have had my personal data stolen and my credit card data exposed, and my dear friends at the VA have given away my records not once, not twice, but thrice; my morning cup has become a morning carafe! When we think about breaches and how they occur, most of us think about hard-core hackers, organized crime, or some form of clandestine operation that has targeted a well-known company or brand. In reality these types of attacks are not generally behind these breaches. The hard truth is that the real cause is a lack of good security hygiene and maturity. So today I am spearheading a new campaign to help organizations rethink their approach to information security. Over the next several weeks I will be publishing a series of educational posts that will provide some tips and techniques to help mature your security program and help you to be better prepared for the breach du jour. Join me in my fight, and together let's get back to a single-cup morning.


SRG CYBERSECURITY ARTICLES

A Good Defense Wins over a Good Offense ALWAYS!
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

Cyber Defensive Strategy

With all of the attention in the US being turned to Atlanta and "Super Bowl Sunday", I felt it was apropos to draw a parallel and discuss the similarities between managing an effective cybersecurity program and coaching an effective football program (NFL or NCAA). The game play and the strategy involved are probably more closely aligned than you think!


To begin, let's discuss the topic of offensive and defensive cybersecurity. Everyone has heard it said that "the best offense is a good defense", and this is true 99.9% of the time; we saw this demonstrated in yesterday's record-setting 13-3 championship game. The defensive game on both sides definitely made the difference in keeping both teams from getting the ball down the field and into the end zone. We saw the polar opposite in the 1985 Super Bowl, where our now 6-time world champions went down in a crushing 46-10 defeat against the "Monsters of the Midway".

So what does NFL defensive strategy have in common with cybersecurity? Today we are dealing with a threat landscape that is constantly evolving. You cannot rule out any attack vector or potential risk to your business; you have to read the field and react with the tide of the game.


Understanding your environment

You have to start with the basics, and that means you must first understand what you are protecting. That may sound rudimentary and simple, but for most organizations this is a difficult question to answer. When you think about all of the data points, systems, applications and resources, both physical and logical, that your organization relies on, the question of what we are protecting becomes much larger than just "we process credit card data" or "we process patient PHI/PII".


Supporting Technologies

This topic quickly becomes an almost theological debate for most organizations. While having the right technologies in place to augment and supplement your program is a must, this process is often done in reverse, with the "tail wagging the dog": the technology is selected before a program has been developed, so the program is built around the solutions and tools rather than on the needs of the organization itself. Programs should drive technology requirements; technology should help automate your predefined processes and augment your cybersecurity program. All too often cybersecurity is sold as a one-size-fits-all, easy-to-implement solution.


Focus & Priorities

Priorities and focus change, as do the needs of the business. This is the harsh truth behind any cybersecurity program: what is important today may not be important tomorrow, and the risks that were at the top of the priority list are pushed aside as soon as the news reports that the latest round of ransomware has disabled one of your nearest peer industry competitors. You can never be 100% prepared for a new attack, but you can lessen the potential impact by making sure your ability to detect and respond to potential or newly announced threats stands at the ready. You can't thwart every attack, but you can detect it and ensure a quick, decisive response, which can help you save your data from lengthy exposure and potential loss.


Summary

While you cannot prevent all cybersecurity threats from occurring, and there is no way to be 100% prepared for what the future will bring, you can focus on building a program that will enable the business and provide a foundation for further advancement and development. I encourage all of you reading this article to ask yourselves, "Do we have the defenses in place to protect our business, and are they the right defenses for our business?"


"You need to understand what you are protecting in order to build your defensive strategy"