Secure Digital Solutions, LLC
18 Oct 2017

Creating a Health and Fitness Plan for Cyber Security

October 18th, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
This article was originally posted on Forbes .

Virtually everyone wants to be healthier. Good health and fitness provide a multitude of benefits. Better quality of life, increased energy, sharper mental focus and lower risk of malady are but a few. But it takes work to enjoy the benefits. A four-hour marathoner won’t suddenly become a three-hour marathoner simply by acquiring the newest running shoe. It takes planning, discipline and execution, and there are countless obstacles lurking to derail you in your attainment of your goal — both known and unknown.

Ironically, this scenario also applies to an organization’s information security program. A mature and effective program empowers staff, allows for more effective enablement of the business, increases threat awareness and response, and lowers the risk of negative front-page exposure. However, like the marathoner example, simply purchasing the latest security technology won’t guarantee good security health and fitness. It takes the same planning, discipline and execution, as well as the same willingness and ability to overcome obstacles.

Here are eight steps to create an effective information security protocol in the form of a health and fitness plan:

Take inventory. Regardless of where you want to be, a good fitness plan starts with where you are today and an honest assessment of current capabilities. Perhaps it’s a body fat measurement or a VO2 test. A mile time or a max bench press. An evaluation of eating and sleeping habits. Whatever the assessment type, diligence and candor are critical. The same goes for the state of a security program. What are the program’s current capabilities, its level of expertise, the usable technologies available today? Honesty is the key. If a security program’s third-party management capability may not be where it should be, then it’s a baseline of current capability.

Set goals. This could be anything from dropping a few pounds to completing a full Ironman. Goals should be multifaceted. Along with determining the desired outcome brings the analysis of what it will take to get there based on the results of the initial inventory. Shaving an hour off a marathon time, for instance, will require a training plan with a schedule and a certain level of effort. So too will reducing vulnerabilities in a company’s critical infrastructure, lowering the time to respond to a security incident and complying with the newest data privacy regulations. Determining what an organization needs to accomplish from a security perspective should be the focus.

Execute. The fitness plan may call for a 1,000-meter swim on Monday, but there’s an errand to run, a call to make or it’s simply been a long day. There are countless roadblocks that could derail a detailed plan, and some truly can’t be avoided. However, most can. It’s oftentimes an attractive proposition to get security “quick wins” by acquiring a new tool or by making a short-term change in direction. In some cases, these actions are mandatory. But not in most. Plan the work and, more importantly, work the plan. It’s consistency that produces results.

Monitor progress. This is straightforward. As the work on a plan progresses, health and fitness increase as demonstrated by the metrics. Mile times get better, pounds come off and performance improves. Similarly, success on the security front will bring progress, too. The clusters on the risk heat map transition from red to yellow to green, malware infections decrease, code quality gets better, significant compliance deficiencies are remediated, etc.

Adjust. At this point, there should be enough data to track alignment to goals. For a triathlete, it may be time to adjust the cycling schedule because that appears to be the weakest area — more hill training or longer distances. Some areas in the security plan may need adjustment as well. Perhaps risk management is improving and with it, security’s visibility of an enterprise. Because of this, more focus may be required on data loss prevention, for example, to reach security performance milestones.

Accomplish the first goal. Run the first 10k, shoot the first sub-90 round of golf, drop the first five pounds. For a security program, it may be achieving compliance, reduction of significant risk in an area or reducing online fraud by a certain percentage.  Whatever the first goal is — accomplish it.

Celebrate. Enjoy the fruits of labor and appreciate all who contributed.

Repeat.

22 Aug 2017

Cybersecurity Maturity is Growing Up

originally featured on CSO Online

August 23rd, 2017
Ed Snodgrass, CISO

 

Maturity is an interesting word. We’ve heard it throughout our lives and it’s had different meanings in different contexts.  As a child, we heard it from our parents regarding “growing up” or “being more mature”.  We may not have entirely understood it then, but our parents knew that developing maturity would be important for friends, colleagues and peers to take us seriously.

As we grew older, we began to understand the concept of maturity and that it could be compared closely to wisdom.  We began using what we learned through experience and started applying that knowledge to our decision-making process.

Today we hear the word maturity frequently in the workplace.  We see it used in processes, methodologies, rating scales, etc., and from a technology and process standpoint, maturity can be applied to cybersecurity as well, although its applicability and benefit isn’t always readily apparent.

Case in point.  Recently, over lunch, I was attempting to explain the purpose and benefit of cybersecurity maturity to a business colleague.  Based on his skeptical expression, it was clear to me that I wasn’t succeeding.  He fully understood compliance and the implications of non-compliance, but wasn’t grasping the value of maturity and how it was relevant in the security space.

I thought about what was personally important for me to secure, and the answer was easy – my family.  I then thought about an area where compliance comes into play and how it is typically used to determine effectiveness – home fire safety.  Using that as an example, I asked him to rate his family’s level of home fire safety on a scale of 1-5.  “4-5,” was his response. “I have the best smoke alarms money can buy.  I have one on each floor and in each bedroom, as I’m required to by code.  In addition, I have a fire extinguisher in the house and one in the garage.”

From a compliance standpoint, we both agreed that his score of 4-5 was likely accurate, and one could say that he had gone above and beyond the minimum standard.  I then challenged him to look at it from a maturity perspective, using a series of ad-hoc questions as a baseline:

  • Do you test your smoke alarms?
  • Do you have a regular schedule for replacing the batteries or do you replace them only when the alarm tells you to?
  • Do you have a family communication and logistics plan that you can put into action if an alarm sounds in the middle of the night?
  • Do you practice the plan?
  • Does everyone in your family know where the fire extinguishers are?
  • Does everyone in your family know how to use the fire extinguishers?
  • Is there a pre-determined family assembly area outside?

As he considered each question, I then asked, now that he’d added a maturity measurement to compliance, what would he rate his family’s level of fire safety?  “Probably a 1-2,” was his concerned reply.

While this may be a simple example, it begs a question.  Traditional compliance and operational data is important, but does it provide adequate context to truly evaluate capability?  Using the fire safety example above, it doesn’t appear to.  My colleague had all the required detection mechanisms in place, including some additional preventative measures, but any significant capability for his family to respond effectively to a fire simply wasn’t there.

The same question can be asked of a cybersecurity organization, and a growing number of security leaders are adopting maturity as a metric to analyze and determine their team’s strategic capabilities because the hundreds of individual controls, while critical, only represent a point in time.

Cybersecurity maturity, used as a performance metric, offers additional insight into how the security organization is operating.  It can be used to analyze compliance and operational data at the process or function level.  Trends can be discovered, monitored and adjusted for.  An enterprise security training program may have all the right features in place, for instance, but the open rate of phishing emails by employees isn’t decreasing over time.  Do the components of the training program need to be adjusted or does the content?  Or, does the challenge lie within another function or process outside of the training program?   The use of maturity to analyze the capabilities of those processes can likely answer those questions.

In today’s evolving threat landscape, effective metrics are critical to security success.  Controls and operational data are required to run the organization today.  Strategic KPIs, such as maturity, are also required to measure, profile and plan the security organization’s capabilities for both today and tomorrow.  Performing a cybersecurity maturity assessment on the security organization will likely yield valuable insights.  There are excellent sources available that show where to begin and how to demonstrate the value of measuring cybersecurity capabilities and effectiveness.  (An example can be found here).

Ultimately, the best smoke alarms money can buy are powerful tools in the event of a fire, but only if everyone has the capability and maturity to respond effectively.

Interested in learning more about security program performance and leveraging the value of cybersecurity maturity? Download the white paper titled “Roadmap to Success

11 Aug 2017

Ransomware Makes News But Is Not New

This article was originally posted on CSO Online

August 11th, 2017
By Ed Snodgrass, CISO

Photo Credit: Michael Kan

Chances are you’ve seen a similar image over the past several months.  Either on internal systems (hopefully not) or within the countless blogs, news stories and industry journals that bombard us every day with ominous warnings and dire consequences.  It is, of course, ransomware. And while it (and media coverage of it) has dominated the cybersecurity world for the last several years, it’s not new.  Also, not new are the fundamental security building-blocks necessary to mitigate its impact or the fact that it represents a cyber risk.

What does seem new is the incredible amount of singular focus on these incidents around the ‘cyber watercooler’ that drowned out the broader discussion of the underlying principles comprising a solid cyber security program.  In addition, the tenor of the cyber risk discussion has seemingly changed as well, from an enterprise-level conversation to a single-point conversation.  Neither of these trends are positive.

The first significant ransomware instance occurred in 1989.  It was coined the AIDS trojan and was released on 5.25” floppy disk.  Similar to today’s modus operandi, it attempted to extort currency from victims by encrypting their hard drive and demanding payment for decryption.  It was ultimately unsuccessful due to several factors, despite the lack of security in place at the time, but set a precedent with regard to criminal motivation and intent.  As most companies had yet to adopt personal computing and the internet was still in its infancy – used primarily by academia and scientists – the risk and potential of malware wasn’t well understood or communicated.

Throughout the 90’s the use of personal computing and the internet grew exponentially along with the creation of standardized operating systems and associated applications.  The adoption of personal computers and enterprise-level functionality increased within corporations as well, becoming the table stakes necessary to keep up with an increasingly connected marketplace.

It was during this time that a need emerged for organizations to create processes to manage and maintain their technology stack along with the need to hire internal [or external] experts to manage and refine those processes.  Building blocks emerged that formed the basis for how IT and cybersecurity is run today.  Identity and access management, anti-virus, firewalls, enterprise email, instant messaging, VPN, cryptography – all were developed rapidly during the technology boom of the 1990s.  While security was becoming more relevant and the notion of IT security risk was beginning to emerge, the major focus from an IT risk perspective centered primarily on availability and emerging IT processes reflected the focus on that aspect.

The late 1990s (and early 2000s) brought with them a new development in cybercrime.  The first significant uses of malware for financial gain began to manifest themselves within online banking applications. As waves of consumers adopted the convenience of managing their money without having to leave home or work, the criminal acquisition of credentials became both highly sought-after and increasingly more profitable.  The ability to transfer funds internationally had also advanced significantly, allowing cybercriminals to exploit this threat vector quickly and without a high likelihood of being apprehended.  As a result, the concept of cyber risk truly began to take shape.  Losses could now be measured in hard numbers that directly affected an organization’s bottom line and the realization emerged that steps had to be taken to address these new threats.

Financial institutions and regulators responded to this realization by producing several significant requirements designed to directly address IT security and cyber risk.  GLBA, SOX, NIST and BASEL, to name a few, all intended to provide some semblance of best practice requirements while allowing institutions flexibility to implement the requirements in alignment with business goals.  While this didn’t specifically address the malware threat, it did begin to form the basic building blocks of a sound security program, complete with increasing consequences for not adopting some form of security process.

The mid-2000s and early 2010s brought the first ‘modern’ ransomware and the precursors to today’s crypto-ransomware.  Gpcoder, Winlock and so-called Police ransomware utilized a ‘locker’ approach, requiring victims to pay a fee to unlock files or perform some money-generating action to remove malicious functionality.  Police ransomware (locking the peripherals and displaying a warning screen from a supposed law enforcement agency) began to show the emerging effectiveness of social engineering.  In many cases, the user’s IP address was displayed, the screens were generated in a victim’s native language and a local or regional law enforcement logo was used, adding perceived legitimacy to the attack.  While these early variants were impactful, they were easily mitigated (compared to today’s efforts) due to their weak encryption and relatively basic infection methods.

Standards continued to emerge and evolve simultaneously to address these threats.   In 2004, for example, the 5 largest payment card brands combined their individual security requirements into the PCI DSS, establishing 12 standards sections for accomplishing 6 objectives.  While opinions vary on the effectiveness and necessity of the PCI DSS, many of the key requirements and processes in the standard outlined ways to address the threats.  Encryption standards, network segmentation, vulnerability management, file integrity monitoring, training and awareness, perimeter security, etc., all could be applied in varying degrees of strength and effectiveness throughout the corporate infrastructure (not only within the cardholder data environment) to make organizations more secure.

Today’s modern ransomware emerged in 2013 and has been dominant since.  Crypto-ransomware and its progressively more automated infection methods are straightforward and effective, encrypting the victim’s files using strong encryption and demanding payment using various means – most frequently today, cyber currency.  Recovery from these outbreaks is much more difficult and some organizations have had to resort to reformatting their entire hard drive population to remove the infection.

This standard and threat progression has produced two additional trends.  First, it made security more challenging to design and implement.  Transforming enterprise architecture, for example, from a flat network to a segmented network and creating processes to deploy, manage and maintain encryption keys, were not small efforts.  They required focus on people, process and technology to be effective.

Secondly, as security became more complex, effective enterprise implementation required knowledge, awareness and support from the business units within the organization.   Security leaders who recognized this, and could demonstrate and communicate the necessity of security being a critical part of doing business, typically received the funding and support required to build world-class programs.

The moral of the story is that, while there’s no such thing as 100 percent secure, the processes, tools and expertise to combat the threat has been around almost as long as the threat itself.  The two most recent outbreaks – WannaCry and Petya, for instance, likely could have been greatly minimized or potentially avoided altogether by focusing on the fundamentals.  The fixes were there well in advance of the outbreaks.  It simply took awareness and execution to address them before something bad happened.

No one can predict the future.  There will be bona fide threats that emerge without warning that the industry will have to collaborate on to address.  In the meantime, let’s cut through the ‘noise’, recognize today’s (ransomware) threats for what they are and how they compromise the organizations we’re responsible for protecting.  Let’s focus on ensuring the foundational building blocks are in place (patching, backups, vulnerability management, etc.) and be as ready as we can be to respond to future security news that’s new.

12 Jul 2017

Security Leader’s Primer to GDPR

Understanding GDPR: The Security Leader’s (Really Concise) Primer

July 11th, 2017
Adam Stone, Chief Privacy Officer and Principal

 

As the effective date for the GDPR nears, the team at Secure Digital Solutions (SDS) are experiencing a significant uptick in calls from information security leaders seeking guidance about this new regulation. Though there’s much to discuss when it comes to GDPR compliance, we would like to provide a short primer to answer some of your most basic questions.

 

 

1. What is GDPR?

The GDPR (General Data Protection Regulation) is a regulation enacted by the European Union (EU) in 2016. This new rule serves many purposes, though in short, GDPR:

  • Repeals the 1995 Data Protection Directive, and addresses certain hurdles impeding economic growth for the EU by harmonizing and simplifying compliance and enforcement across EU member countries;
  • Focuses on balancing fundamental human rights and freedoms with the EU’s Digital Single Market strategy;
  • Strengthens protections for individuals via enhanced requirements for data privacy risk assessments, notice, choice, consent, data portability, right-to-be-forgotten and breach notification, among others;
  • Adapts to technological developments that emerged in years past the enactment of the Data Protection Directive;
  • Clarifies obligations for both data controllers and data processors; and
  • Enacts a new penalty structure that includes administrative fines of up to 4% worldwide revenue for certain violators.

2. Why is everyone talking about GDPR now?

The effective date for GDPR is 25 May 2018, less than a year away. Many organizations recognize that implementation activities must begin today to be compliance with GDPR mandates.

3. Isn’t GDPR a legal thing? Why can’t the lawyers handle this?

Legal professionals play a critical role by helping interpret GDPR compliance obligations, establishing policy and defending our organizations in the event of GDPR-related enforcement actions. Attorneys may not however, be called upon to assist organizations with the implementation of controls and processes in support of GDPR compliance. Many key functions have a role to play in deploying GDPR controls and processes, including of course, information security.

4. Who typically leads GDPR readiness efforts?

For organizations that have a Data Privacy Officer (DPO) in place, this person will often be tapped to lead GDPR readiness efforts. Otherwise, organizations choose a leader that reflects the culture of the organization. Firms that view GDPR as chiefly a legal liability are likely to appoint General Counsel or the Chief Compliance Officer (CCO) to lead GDPR implementation efforts. For those who see GDPR as material factor in marketing and sales initiatives, the Chief Operating Officer (COO) or Chief Marketing Officer (CMO) will lead. Some firms see GDPR as an issue closely aligned to IT, and thus will appoint the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to lead readiness efforts. Since GDPR crosses many organizational functions, whoever leads GDPR readiness efforts must have the authority to affect change throughout the firm.

5. Does GDPR define specific things that security leaders need to do?

Like most laws and regulations, the GDPR does not go into many specifics about the types of information security solutions required for compliance. Luckily for organizations with a security leader in place, there is a strong possibility that the firm already has many of the basic information security controls requirements in place. In these scenarios, security leaders should, at a minimum, conduct a gap assessment to ensure that existing controls meet GDPR standards.

It may be helpful to parse the sections of GDPR into logical chunks to identify potential areas where information security is involved. For the benefit of our readers, we provide a worksheet to get you started.

6. Where should I start in my GDPR preparations?

First and foremost, organizations should seek an understanding of whether GDPR applies to their business operations. For most, this is when a lawyer comes in handy. S/he can provide the legal advice needed to decide whether to move forward on GDPR readiness.

Assuming that GDPR does apply, we suggest that organizations begin by identifying the scope of GDPR within their operations. Doing so should minimize the disruptions created when implementing new controls and processes. Part of this scoping work includes identification of the personal data and sensitive personal data that fall into regulatory purview. Following this stage, the firm should conduct a comprehensive gap or risk assessment, aligned with the requirements of GDPR. Only after completing these first two stages should an organization develop a strategy for addressing potential gaps in GDPR compliance.

SDS’ experienced professionals stand ready to assist your organization as you prepare for GDPR. Choosing a knowledgeable advisor will help ensure that your efforts have maximum impact, even limited budgets and resources. Contact Secure Digital Solutions today to learn more!

29 Jun 2017

Trends in Data Breach

June 29, 2017
Ed Snodgrass, CISO, Secure Digital Solutions

On Friday, June 23, Anthem Healthcare agreed to settle a series of lawsuits related to the company’s 2015 data breach, which impacted 78.8 million individuals. The settlement includes a payment of $115 million and three years of additional security protections. This represents the largest amount thus far in a steadily growing list of big-dollar, security incidents.

On the surface, this trend has the appearance of a growing regulator intolerance backed up by similarly increasing penalties. But, there’s more to this story than meets the eye.

Every major data breach has resulted in settling the case without a single admittance of liability. Settlements are negotiated between the respective legal teams and various payments between parties are agreed to.

The results of these cases, without admission of liability, leaves us wondering where the accountability lies and why such breaches, and the settlements that follow, continue to happen, even though security is now viewed as a critical component of doing business. The accountability aspect is complex and likely a topic for another day. This post will focus on some reasons breaches continue to occur.

Secure Digital Solutions has been privileged to be involved in some of the largest data breach cases over the last decade. This challenging and sensitive work gives us a unique perspective on the process, the causes and the results. While I’m not able to talk specifics, I can provide some of the following insights into the high-level, recurring patterns that we see in almost every case related to these breach incidents:

  • Lack of visibility – The identified critical, core systems are known and generally well- protected. Other systems that are known, but may not have been assessed and designated as critical, are not well-protected.
  • Lack of ownership – Taking direct responsibility for company-owned and managed systems isn’t enough. Identification and ownership of the connectivity to those systems, (vendors and suppliers, for example), is mandatory as well. Reliance on 3rd party attestation doesn’t cut it.
  • Having it but not doing it – It’s one thing to have policies and standards written and communicated. They’re nothing but ‘shelf-ware’ unless they’re monitored and enforced.
  • Lack of basic blocking and tackling – The technical requirements of a solid, secure enterprise are known as are the processes to support the requirements. Implementation of those requirements is hard, but it must be done.

The key takeaway is that nothing on the above list is new or unforeseen. No undiscovered symptom exists that leads to compromise. Nor is there a silver bullet that prevents compromise. Knowing your enterprise and getting back to security basics in terms of objectives, requirements, process and appropriate supporting technology – is the most effective means of preventing a significant incident. And when an incident does occur, having the above components addressed allows for rapid and effective detection, containment and response that should minimize the long and complex process that follows a breach.

11 Apr 2017

Quest for Excellence in Cybersecurity Management

April 10th, 2017
Adam Stone, Principal, Secure Digital Solutions

Baldrige’s recently-published framework raises the bar for information security leaders by tying cybersecurity program management to performance excellence.

The Baldrige Performance Excellence Program, the venerable organization behind the national award for Performance Excellence® and quality for U.S. firms, released the final version of the Baldrige Cybersecurity Excellence Builder v1.0 (BCEB) self-assessment tool following their annual summit last week in Baltimore. Initiated in response to Executive Order 13636, the BCEB blends two NIST products (the Cybersecurity Framework and the Baldrige Excellence Framework) into a single assessment methodology. The goal of the BCEB is to help security leaders assess the effectiveness of their approach to cybersecurity, as determined by the unique needs, goals, and capabilities of their firm. Organized by seven categories (leadership, strategy, customers, measurement, operations, customers, and results), the BCEB uses process maturity as the key metric for communicating the strengths and weaknesses of an organization’s cybersecurity program.

Process Maturity: The New Standard for Cybersecurity Performance Excellence

The maturity-focused cybersecurity management approach is a paradigm shift that threatens the deeply-entrenched risk- and compliance-focused assessments familiar to most in the industry. We have observed disagreement among security professionals about the what the word maturity actually represents. Some use the word to describe the effectiveness of security controls, while others use maturity to understand their firms’ ability to minimize cyber risk. Authoritative bodies, such as the Federal Financial Institutions Examination Council (FFIEC), appear to be adding to the confusion by blending the notion of process maturity with risk preparedness in the Cybersecurity Assessment Tool. In the end however, the FFIEC approach, along with similar assessment tools, still focus on more traditional controls-based risk management instead of performance excellence and quality.

What is often missed in traditional risk and compliance assessments is a clear understanding of the value that cybersecurity provides to the business. When security leaders communicate in the language of compliance or risk (two inherently negative topics), they miss the opportunity to demonstrate to executives the ways in which mature cybersecurity processes can help enable business growth and sustainability. An emphasis on business enablement – expressed as a function of performance excellence and quality – is what sets the BCEB apart from the traditional cybersecurity assessment tools.

Cybersecurity risk traditionalists will be pleased to know that we do not suggest that process maturity metrics replace established risk formulations. Quite the opposite! We need to understand risk in order to set clear goals and effectively respond to the ever-changing threat landscape for their firms. When communicating the value of cybersecurity to executives however, security leaders will likely find that the BCEB tool kit provides a better picture of the organization’s capacity to identify opportunities and leverage the benefits of effective cybersecurity management.

For Secure Digital Solutions (SDS), the emergence of the Baldrige Cybersecurity Excellence Builder validates the power of the cybersecurity assessment methodology embedded in our TrustMAPP® platform. Both the BCEB and TrustMAPP use process maturity to express the degree to which an organization achieves consistent quality and performance excellence. With clear alignment to the firm’s mission, values and objectives, TrustMAPP helps security leaders bridge the gap between security operations (risk focused) and process maturity (business focused).

To learn more on how cloud-based TrustMAPP® can help you maximize the benefits of the Baldrige Cybersecurity Excellence Builder, ask for your free trial today.

TrustMAPP® is a registered trademark of Secure Digital Solutions, LLC. All rights reserved.

BALDRIGE EXCELLENCE FRAMEWORK™ is a trademark, and BALDRIGE PERFORMANCE EXCELLENCE PROGRAM and Design®, MALCOLM BALDRIGE NATIONAL QUALITY AWARD®, and PERFORMANCE EXCELLENCE® are federally registered trademarks, of the U.S. Department of Commerce, National Institute of Standards and Technology.

19 Oct 2016

Cyber Security Services Catalog Enables Strategy

October 19th, 2016
Mike Edlund, Solutions Manager

Cyber Security Service Catalog Enables Strategy

Creating a Security Services Catalog for a larger security team begins to drive value across the business. A security service catalog enables strategy by clearly articulating to the business customer the type of services the security team provides and the level of service and responsible parties for each area identified.

Customer Request

A customer requested Secure Digital Solutions (SDS) to develop security plans and procedures to consistently manage their information security program. SDS collaborated with the security team to document and improve the current and desired security activities and plans. Our security consulting client had two challenges:

  • Procedures and plans to deliver the security program activities were not formally documented, leading to poorly-defined program actions and responsibilities.
  • Roles and responsibilities defined in newly minted procedures and plans were not aligned with the team set up to do these activities.

The customer engaged SDS to conduct in a collaborative environment development of cyber security plans and procedures for the cyber security program and supporting team members. Along the way, SDS discovered a gap in roles and responsibilities that led to a further surprise benefit to assist the security program.

SDS Solution

Over a period of months, SDS partnered with customer security leadership to define desired security program procedures and plans. The documents included a number of areas such as threat and vulnerability management, training and awareness, risk management as well as policy and standards management.

servicescatalogSDS began creating a number of documents that laid out areas within the security program. Plans to define how these areas would be strategically delivered were designed and offered for further feedback, input and iteration from the security team and leadership to reach a final draft status. The SDS team developed the content leveraging both industry best practice and
actual approach by the customer’s security team.

Plans and procedures included sections to define roles and responsibilities as to who is responsible to deliver the security program processes and related service levels. SDS also noted that missing formal responsibilities for the security team were leading to more firefighting and less strategic, planned activities. This conversation and discovery identified the need to coalesce security team processes into a centralized service catalog.

Consulting with customer’s security team lead to the creation of a services catalog that defined the required activities and assigned team personnel requirements to these activities.  As a result not only did the security team have a clear understanding of priorities and responsibilities, the business customers also understood the scope of the internal security services team.  Business teams now understand how to engage and who to speak with regarding various projects and customer engagements.

Impact on the Client’s Business

Along the way, leadership of the security team changed. The security catalog took on a whole new meaning with a surprising additional benefit. With the catalog’s estimates for FTEs required for duties to properly cover the entire security program, the new security leadership leveraged the security service catalog as the means to forecast and request additional resources to executive stakeholders.

With the change in security program leadership, the plans and procedures also offered insights and a standard approach from which the new leadership could understand how the program is managed.

18 Jul 2016

Steps to Take Following Approval of EU Privacy Shield

Adam Stone, Privacy Officer
July 17th, 2016

 

Image Courtesy US Department of Commerce
Image Courtesy US Department of Commerce

After political wrangling and delays, the US Department of Commerce announced the adoption the EU-US Privacy Shield framework on July 12, 2016. For data privacy professionals serving organizations that conduct business in the European Economic Area (EEA), this announcement is an important one. The Safe Harbor inadequacy decision handed down by the European Court of Justice in late 2015 sent many US organizations – reliant on the venerable Safe Harbor self-certification program to attest adequate protections for cross-border data flows – into a mild panic. Privacy leaders were left with few attractive options to fill the vacuum left by the inadequacy decision.

Now that the Privacy Shield program is active, many are eager to assess their privacy programs in preparation for the August 1 registration opening. Though the process for Privacy Shield self-certification is similar to Safe Harbor, registrants will find a more robust set of requirements to meet based on a slightly revised set of guiding principles:

Privacy Shield (New Framework) Safe Harbor (Old Framework)
Notice Notice
Choice Choice
Accountability for Onward Transfer Onward Transfer
Security Security
Data Integrity and Purpose Limitation Data Integrity
Access Access
Recourse, Enforcement and Liability Enforcement

How can Secure Digital Solutions (SDS) help you?

Organizations planning to self-certify to the Privacy Shield framework (and take advantage of the grace period for early registrants) can benefit from an objective, third-party review of their data privacy programs. Secure Digital Solutions offers seasoned, IAPP-certified privacy professionals ready to provide effective and cost-efficient program assessments. SDS’ professionals guide privacy leaders with the data needed to make strategic decisions and operationalize privacy controls and processes.

Short on in-house data privacy experts? Contact SDS today to learn about our CPO-for-hire program. We provide executive-level data privacy resources at a fraction of the cost of retaining a large consulting or law firm.

09 Jun 2016

Breaking Down Barriers to Effective Information Security

June 9, 2016
Mike-Edlund-Large
By Mike Edlund, CISM

A recent survey* was conducted by PricewaterhouseCoopers (PwC) and asked 9600 C-level leaders about obstacles to effective cybersecurity. The barriers identified in PwC’s study include:

  • Insufficient funding for capital expenditures
  • Lack of or ineffective CEO leadership
  • Absence or shortage of in-house technical expertise
  • Insufficient funding for operating expenditures
  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding
  • Lack of or ineffective CIO leadership
  • Poorly integrated or overly complex information/IT systems
  • Lack of or ineffective Security Chief (CISO or others) leadership

PwC found that sometimes different C-levels have diverging views on how strong a barrier is. For example, one item, Absence or shortage of in-house technical expertise, was viewed more strongly as an obstacle by CEOs and CIOs, but the CFO did not view as strongly.

Let’s look at breaking down these barriers – we’ll group some to address collectively.

  • Lack of an effective information security strategy
  • Lack of an actionable cybersecurity vision or understanding

We’ve found that having a common language to discuss and create strategy and vision for cybersecurity or information security at the company’s executive levels breaks down these barriers. For all C-level and senior leadership, conduct strategy sessions that revolve around the information security processes and use the process lens just like the rest of the business looks at its operations. Looking at how well processes are running (as-is) and how they can be improved (to-be) will let all parties assist with and provide input on good strategy and goal setting, just like the rest of the business. Looking at information security processes from this perspective lets information security become and be understood as a business enabler, not the classic department of “No!” from the past.

  • Lack of or ineffective CEO leadership
  • Lack of or ineffective CIO leadership
  • Lack of or ineffective Security Chief (CISO or others) leadership

Using the above common language approach (viewing cybersecurity through the process lens) should provide all three leaders with language and understanding that can help them have an equal understanding. When each has common understanding about and a language through which to view information security and its strategy, leadership easily begins speaking the same language and addressing the most important decisions collectively.

  • Insufficient funding for capital expenditures
  • Insufficient funding for operating expenditures

Conducting a risk assessment, compliance assessment and capability assessment by competent internal or external parties helps to provide this supporting information for investments. Regardless of whether results and gaps are viewed through a risk, compliance or capability lens, gaps or findings with priorities for improvements should include funding for new technology, new staff efforts or ongoing efforts appropriately captured assists C-level leadership understand needs for information security investments. A strong review during an assessment, whether conducted internally or by a third-party, should include findings that include costs for addressing information security program gaps.

  • TrustMAPP-ExecutivePlanningAbsence or shortage of in-house technical expertise

A solid team capability assessment will review cybersecurity team member responsibilities and roles for any of the assessments mentioned previously (risk, compliance or process-based). Findings will lead to leadership understanding where there are gaps in addressing the cybersecurity program’s needs through its people. As mentioned above, solid assessment results should provide funding estimates for additional training or personnel to meet developing or ongoing requirements of the security program. As mentioned above, review of cybersecurity expertise, whether conducted internally or by a third-party, should include findings that include costs for addressing cybersecurity program personnel gaps.

  • Poorly integrated or overly complex information/IT systems

This one may require review from various perspectives to reduce complexity or improve integration. Integration may be improved through the above approach using process as a common language between cybersecurity and the C-level. Understanding what is needed between information security and the business should improve through this common language approach. Further review through risk, compliance or process-based assessment should tease out issues around this barrier. Risk may find that poorly integrate systems show frequent downtime or failures, increasing risks due to unavailability of systems. Compliance may find that poor sharing of compliance-specific information between systems or high costs related to complying with a regulation due to system complexity show where improvements will be needed.

To break down these barriers for your information security program, look at what SDS’ Maturity Assessment, Profile, and Plan (MAPP) approach can provide for you.

*Survey: http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html

16 May 2016

How much information security is enough?

By Chad Boeckmann & Adam Stone
May 16th, 2016

Let’s talk about benchmarking. It’s a question our team receives from clients both large and small. When discussing our information security-focused MAPP methodology and our TrustMAPP (formerly, Accliviti) platform, our clients (and their board members) want to know how they stack up, maturity-wise, to their peers. The common belief among this audience is that benchmarking data will help answer the question “how much information security is enough?”

This approach makes sense at a certain level; knowing how mature your organization’s security program is relative to your peers seems, on its face, to suggest that you are meeting (or not meeting) the standard defined by your industry. Like many statistics however, context plays an important role in deciphering benchmarking data. And it probably wouldn’t surprise the reader that without the benefit of context, the value of benchmark data diminishes. This is especially true for a topic such as information security program maturity.iStock_000019293901_Small

How much information security is enough? When do we find confidence that the organization has invested the right amount of time and resources to reasonably safeguard our information assets? Fair questions. Based on our experience over the last ten years, knowing your maturity benchmark provides an incomplete answer. The reason is simple: each organization is different. The diversity of organizational cultures and risk appetites within a given industry – even in highly-regulated sectors – virtually guarantees that the results of a maturity assessment will yield an interpretation unique to the organization under review.

Looking at this from a practical view, consider Bank A and Bank B (organization size doesn’t matter in this case). Let’s say that Bank A conducted an assessment that yielded an average information security program maturity score of 3 (out of a scale of 1 Low – 5 High). Bank B underwent a similar assessment that returned a score of 3.75. Benchmarking one against the other, it appears that Bank B is more mature than Bank A. Does this mean that Bank A needs to invest into security more to catch up to Bank B?

Not necessarily. Though these two scores provide some information about the effectiveness of each organization’s information security program, the scores provide little insight into the culture and capacity that drives process maturity. This leads us to the core question: does knowing the maturity of your peers provide meaningful, actionable information with which a security leader can leverage? Our answer is a resounding “maybe.”

We recommend that companies look inward versus outward. Instead of focusing on the comparison of your security maturity to your peers, consider a more introspective approach. What is your company’s security program maturity goals? What drives these goals? How does our organization’s culture impact our ability to achieve these goals? What does it mean to score a maturity level of 3 versus 4 or 2?

Since many organizations have yet to conduct an information security program maturity assessment, we suggest that you use the results of your first assessment to set a baseline for your organization. Communicate the baseline to your executives and board members. Ask this audience to draw a line in the sand based on, of course, an understanding of organizational culture and capacity. Work to improve information security program maturity based on the goals defined by these key stakeholders. Doing so, security leaders will find that, despite the constantly shifting business priorities, focusing on your own maturity goals will produce far greater dividends than worrying about your peer’s security maturity.

To learn more about information security program maturity, you can request a copy of our popular white paper on MAPP (Maturity Assessment, Profile and Plan).