SRG Advisory Group LLC 

Scope  •  Risk  •  Gap

 

 


SRG Cybersecurity Blogs

Cybersecurity Program Readiness
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

I have several meetings each week with security professionals across many different industry verticals, each asking my opinion as to “where and what should we be focusing our efforts and budgets on?” Of course there is no perfect answer to this question, and oftentimes I find myself making the shift from consultant to lawyer as I offer up my “it depends” answer. If you really want to know where to focus your efforts and where you can get the biggest return on your cybersecurity spend, let’s talk! At SRG we have designed our Cybersecurity Program Readiness (CPR) assessment to answer those questions and give you a complete 360-degree view of how your organization stacks up against industry-recognized best practices. Take the guesswork out of your 2019 strategic information security plan and turn to SRG’s team of experienced advisors to help you build a custom-tailored strategic roadmap that will keep your program moving in the right direction for years to come!


Secure vs. Compliant
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

I often hear the word Compliant being used synonymously with Secure. So to demystify this for myself I looked them both up. Webster defines Compliance as “conformity in fulfilling official requirements”. Sounds pretty good to me, so what about Security then, what does it mean and how does it differ? Again I turn to my good friends at Webster, who tell me it means “free from danger, risk, or loss”. Obviously these are not synonymous terms... Both areas are important to your business; however, compliance in and of itself, although important, does not ensure your long-term security. To be successful in the fight against the continuously evolving threat landscape, there are three foundational security elements that you will need to focus on in order to start developing your plan - Scope, Risk & Gap.

Scope - What is it that you are protecting?
Risk - What are your organizational, operational, industrial and geographical threat vectors?
Gap - Do you have your bases covered? What policies, processes, procedures and controls do you have in place, and what is missing?

In summary it’s all about SRG, so why not reach out to us and take that first step towards building a robust cybersecurity program.


Is the CIA Triad in Need of an Update?
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

As many of my close friends and associates know, my family and I spent the better part of the first few months of this year dealing with a critical illness impacting my Father. As we spent time at the hospital, I observed the plethora of life-sustaining equipment that makes up an ICU ward. For those of you lucky enough never to have found yourself in an ICU, this might come as a shock, but many of the very devices we depend on to save lives are Wi-Fi connected for management and update purposes by the manufacturers. I was shocked to see that virtually all of this equipment was internet connected; then I got to thinking about all the other aspects of my daily life that are also “on the net”, and reality set in. Think about your commute, for instance: if the traffic lights were hijacked, or the mass transit system in your town was taken over in a cyber-attack, not only would it be inconvenient for the morning commute, but what about the potential for collisions leading to loss of life? IoT has a lot to offer and has made modern life convenient, but I ask you, are we really doing enough to secure those often overlooked yet critical aspects?


Breach du jour
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

Each morning as I sip my cup of coffee, I like to read about the breach of the day. Some unfortunate organization has been hacked and data has been lost (sometimes to the tune of millions of records). I have had my personal data stolen and my credit card data exposed, and my dear friends at the VA have given away my records not once, not twice, but thrice - my morning cup has become a morning carafe! When we think about breaches and how they occur, most of us think about hard-core hackers, organized crime, or some form of clandestine operation that has targeted a well-known company or brand. In reality these types of attacks are generally not what is behind these breaches. The hard truth is that the real cause is a lack of good security hygiene and maturity. So today I am spearheading a new campaign to help organizations rethink their approach to information security. Over the next several weeks I will be publishing a series of educational posts that will provide some tips and techniques to help mature your security program and help you to be better prepared for the breach du jour. Join me in my fight and together let’s get back to a single-cup morning.


SRG Cybersecurity Articles

A Good Defense wins over a Good Offense ALWAYS!
by Chris Banta, CISSP, ITIL, ACSA, ACSE - Senior Partner SRG

Cyber Defensive Strategy

With all of the attention in the US turned to Atlanta and "Super Bowl Sunday", I felt it was apropos to draw a parallel and discuss the similarities between managing an effective cybersecurity program and coaching an effective football program (NFL or NCAA). The game play and the strategy involved are probably more closely aligned than you think!

To begin, let's discuss the topic of offensive and defensive cybersecurity. Everyone has heard it said "the best offense is a good defense", and this is true 99.9% of the time; we saw this demonstrated in yesterday's 13-3 record-setting championship game. The defensive game on both sides definitely made the difference in keeping both teams from getting the ball down the field and into the end zone. We saw the polar opposite in the 1985 Super Bowl, where our now 6-time world champions went down in a crushing 46-10 defeat against the "Monsters of the Midway".

So what do an NFL defensive strategy and a Cybersecurity Risk Management Program have in common? In today's cyber war we are dealing with a completely unpredictable opponent and threat landscape, one that is calculated, prepared and agile and can adjust and evolve instantly to match and try to outsmart our every move. Every unaddressed vulnerability and attack vector weakens your defenses and puts your business at risk. You have to build a defensive strategy, be able to accurately read the offense, and respond effectively and quickly as the tide of the game changes direction.


Understanding your environment

In order to build an effective defensive strategy, you have to start with the basics, and that means you must first understand what you are protecting. That may sound rudimentary and simple, but for many organizations this is quite a difficult question to answer. When you think about all of the data points, systems, applications and resources, both physical and logical, that your organization relies on, the question of what we are protecting becomes much larger than just "we process credit card data" or "we process patient PHI/PII". You must evaluate and understand your environment and the data you are trying to protect before you can start building your defense.


Cybersecurity Preventative Technology

This is where we start to get philosophical maybe even theological...

While having the right technologies in place to augment and supplement your program is a must, this process is often done in reverse, with the "tail wagging the dog". All too often I see organizations where the technology is selected before a program has been developed; in essence, the technologies are driving the cybersecurity program, planning and roadmap/strategy. Your program should always drive technology requirements: technology should be used to augment your cybersecurity program and automate your predefined processes. All too often cybersecurity technologies are sold as one-size-fits-all, easy-to-implement solutions. This is never the case, and in reality it only leads to organizations becoming increasingly dependent on products and vendors for their cybersecurity program.


Focus & Priorities

Priorities and focus change, as do the needs of the business. This is the harsh truth behind any cybersecurity program: what is important today may not be important tomorrow, and the risks that were at the top of the priority list are pushed aside as the new round of ransomware is announced on the 6:00 news as having impacted one of your nearest competitors. You can never be 100% prepared for a new attack, but you can lessen its potential impact by investing not only in preventative measures but in your ability to detect and respond to potential or newly announced threats. You can't thwart every attack, but you can detect it and ensure a quick, decisive response, which can save you from lengthy data exposure and potential losses.


Summary

While it's not possible to be 100% secure (you simply cannot prevent all cybersecurity threats from occurring, and there is no way to be 100% prepared for what the future will bring), you can build a resilient cybersecurity program that will enable your business and provide a foundation for further advancement and development. I encourage all of you reading this article to ask yourselves two simple questions: "Do we have the defenses in place to protect our business, and are they the right defenses for our business?"


"You need to understand what you are protecting in order to build your defensive strategy"