Secure Digital Solutions, LLC
13 May 2017

Hiring a Security Rockstar

May 13th, 2017

Secure Digital Solutions CISO, Ed Snodgrass,recently had the privilege of writing for Forbes Technology Council. The title of the piece is “Looking To Sign A Security Rock Star? Money Isn’t Everything“. A summary of the article is given here with the full article located on Forbes.

What follows is a high-level summary of original article posted on Forbes.com May 3rd, 2017:

There’s a cybersecurity talent war going on. Skilled resources are in high demand, and the competition for them is fierce. Big companies pay big money to attract and retain talent, potentially leaving small to mid-size organizations in a tough spot to compete on those grounds alone. In summary

Give them a path forward:. You brought them in for what you need today. Work with them to build a plan for what you’ll need tomorrow. Discuss career aspirations, help them build an individual roadmap based on goals and milestones, and support it. Your people will know they have a challenging and rewarding future ahead. It’s mutually beneficial.

Share the company’s mission and strategy: Knowing how security and their specific role supports the company’s overall mission provides context and creates ownership in the organization’s success. The role they’re currently in may not be glamorous, but it’s critical and they know that.

Support continuing education and networking: Give them time to get that new security certification. The knowledge they’re gaining will make them smarter, and your company will be better off for it. Security conferences are important, too. Security pros need to stay up to date with the latest threats and the latest countermeasures showcased at these events. Yes, they go to network, too, but that’s not necessarily a terrible thing. After all, if they’re happy working for your company and others see that, perhaps a respected and talented colleague will want to be happy working for your company as well.

Respect and acknowledge their expertise: Security professionals are paranoid — and that’s a good thing. When they come in with a discovery or a suggestion (read: “We absolutely have to do this”), make sure you listen. Discuss it.  Weigh pros and cons, and ultimately, if your decision isn’t the course of action recommended, they’ll know why. They’ll know their council was valid and they’ll respect it.

Be real: Engaging in candid discussions about professional development is critical. The pros will take your constructive feedback as a personal challenge to better themselves rather than petty criticism — but only if you’re open to their constructive feedback as well. At the end of the day, they know you call the plays and they respect that.

Recognize their achievements: Security can be a thankless job because “no news is good news.” Much of the demanding work it takes to protect a company goes on behind the scenes and in windowless rooms. Appreciate what they do, and they’ll appreciate it, too.

If they want to leave, help them leave: That doesn’t mean push them out the door; it means set them up for success in their next role. Know what their new opportunity is offering them and why. Talk about the things they’ve learned and their professional growth as a member of your organization and thank them for being a part of the team. Despite the substantial number of security practitioners out there, it’s a small community. With so many open positions available, security pros can pick and choose where they go, and security culture is just as important as compensation. Build a great culture, and you’ll be amazed by the results.

09 Sep 2016

FFIEC Issues Updated Information Security Handbook

By Adam Stone, Principal Consultant
September 9th, 2016

The Federal Financial Institution Examinations Council (FFIEC) today announced a revision to their venerable Information Security booklet. As a part of the FFIEC Information Technology Examination Handbook, the updated Information Security booklet addresses “the factors necessary to assess the level of security risks to a financial institution’s information systems.”

For U.S. financial institutions and others responsible for complying with section 501(b) of the Gramm-Leach-Bliley Act of 1999, the updated booklet provides greater clarity on the role of risk management as an integral part of a robust information security program. It is likely that examiners will begin referencing the updated booklet immediately.

For more on how you can effectively integrate these new guidelines into your information security program, contact Secure Digital Solutions at 952-544-0234.

02 May 2016

Process Maturity Assessments for Information Security

Adam Stone, CISSP, CIPP, HCISPP, CHPS
May 2, 2016

Over the past few weeks, SDS received lots of positive feedback from a recent post, Elevate Cybersecurity Communication to Improve Executive Understanding. What we took away from responses to this and a related post is that there is great interest in unifying and elevating the security discussion by shifting the focus to business processes. It is important to note that process maturity assessments for information security are unique in outcome and value. Not surprisingly, there is still confusion about the differences between an information security process maturity assessment and the other types of security assessments traditionally employed (namely, risk-, controls- and compliance-focused assessments). We can empathize. Measuring and communicating process maturity is a relatively new approach that is picking up steam across business sectors. It will take some time to see the industry understand, adopt and operationalize. That said, business leaders should understand that each information security assessment type has its own unique objectives, goals and benefits. The simple table below to highlight these differences:

 

Assessment Type Objectives Goals Benefits
Audit Comply with prevailing reporting requirements. Seek evidence that an organization implements and adheres to its internal policies and controls. Provide assurances by aligning business practices with internal policies and controls requirements.
Compliance Assessment Comply with prevailing legal and regulatory obligations. Seek evidence that an organization implements and adheres to its legal and regulatory obligations. Reduce exposure by aligning business practices with compliance requirements.
Risk Assessment Manage risk to an acceptable level. Identify and prioritize risks based on an analysis of threats, vulnerabilities and mitigating controls factored against the likelihood that a threat actor will exploit a given vulnerability. Enable organizations to predict and prepare security defenses for future loss events.
Maturity Assessment Manage organizational culture to improve effectiveness. Measure the capacity to effectively and efficiently manage an information security program. Enable organizations to improve security-related business processes by motivating a culture of security throughout.

 

assessment_relationshipOf these four assessment approaches, only the process maturity approach explicitly aims to elevate the language of information security by recognizing that organizational culture (enabled by people, processes and tools) plays a significant role in the lasting success of an information security program. Through the lens of culture, the maturity assessment identifies, quantifies and recommends strategies to raise the organization’s capacity to “get security done” in a manner that emphasizes process efficiency and effectiveness. Unlike the other assessment types (which sometimes view security in a vacuum), the maturity assessment emphasizes the fact that security is a critical business function that exists to help companies grow revenue and minimize costs.

Now before you risk and compliance assessment purists pick up your pitchforks, let’s be clear: we are not suggesting that maturity assessments replace commonly-employed information security assessments. In fact, we believe that the results of maturity assessments complement and inform audits, compliance and risk assessments…and vice versa. At the end of the day, the assessment approach you use depends on the folks who will consume the results and recommendations. If you anticipate that this audience will be senior executives and the board, using the language of process maturity will improve the force and clarity of your message.

Secure Digital Solutions’ TrustMAPP™ platform, powered by our MAPP™ methodology, uses a process maturity assessments for information security approach to enable organizations with clear understanding of security posture. This security posture is based on maturity levels, including trending analysis, planning (resources hours) and budgeting (capital costs), with built-in support for multiple security frameworks and regulations. With Accliviti’s SaaS delivery model, scoring, tracking improvements and communicating performance of a cybersecurity program happens in weeks, instead of months, using built-in analytics. Accliviti helps security leaders create and communicate a strategic roadmap to guide the organization’s security activities.

By leveraging the best-practice MAPP model (Maturity Assessment, Profile, and Plan) using an automated tool like TrustMAPP, security leaders can now focus more time and interactions towards security strategy and advisor roles for the business.