17 May 2019

Managing Third-Party IoT Cybersecurity Risks

Adam Stone, CPO, VP Consulting Services
May 16th, 2019

Lessons-Learned from Shared Assessments/Ponemon Institute’s Survey Results

The Ponemon Institute recently published the results of its Third Annual Study on Third Party IoT Risks (sponsored by Shared Assessments), and the results will surprise few security leaders already grappling with the explosion of third-party Internet-connected devices on their networks. As the cost of deploying IoT (Internet-of-Things) drops and fresh ideas for monetizing these Internet-connected devices emerge in the marketplace, businesses of all sizes are reaching out to third-party specialists for solutions. Business executives are drawn to the promise of IoT as the answer to business problems ranging from manufacturing efficiencies and improved logistics to attracting new audiences and providing more personalization for consumers.

Naturally, there are downsides to this apparent panacea. Most profoundly, cybersecurity experts are having a difficult time keeping up with the chaotic pace of change and the new risks IoT introduces to organizations. Exacerbating the challenge is a persistent culture – among IoT vendors – that prioritizes speed-to-market over reliability and sustainability. This is merely the latest iteration of a technology development attitude that treats security as too costly and a hindrance to innovation and convenience.

Customers of IoT (both businesses and individuals) also contribute to the insecurity of these Internet-connected devices. Users expect these nascent technologies to have reliable cybersecurity built in but are unwilling to pay the premium necessary to encourage semiconductor (and related) manufacturers to provide it. Thus, with few market or regulatory incentives to adopt cybersecurity-by-design in IoT solutions, manufacturers appear to accept certain security risks associated with IoT. This in turn puts the onus on customers to mitigate the security risks of IoT devices in their networks.

The 2019 Ponemon study emphasizes the fact that organizations suffer from significant blind spots when addressing IoT-related risks. According to the survey data, firms struggle to understand:

  • the extent of IoT-related cyberattacks, data breaches and service disruptions;
  • whether their existing safeguards address IoT-specific threats and vulnerabilities;
  • who is accountable for IoT risks and security failures;
  • how to conduct an effective IoT-focused risk assessment;
  • how to improve third-party service provider risk management policies and processes;
  • how to train the workforce on IoT-related security risks; and
  • what sort of in-house expertise is required to mitigate IoT-related risks.

The results of this latest research validate what many security leaders already know: IoT is the latest challenge in the never-ending race to manage the pace of change in the business environment. There are no easy solutions to the cybersecurity risks that emerge from increased reliance on third-party vendors to develop and maintain IoT technologies on behalf of corporate clients. As with any major disruptive event, security leaders need to forcefully communicate the strategic importance of managing third-party risks to obtain executive support and budget for new security initiatives focused on controlling the runaway expansion of IoT in the business environment.


About the Author

Adam Stone is Vice President of Consulting Services and Chief Privacy Officer for Minneapolis-based Secure Digital Solutions, Inc. (SDS). Our firm helps organizations of all sizes efficiently navigate the complexities of today’s security and privacy challenges. Our seasoned professionals provide the leadership, support and guidance necessary to develop sustainable cybersecurity programs aligned to your business mission and objectives. For information about how your organization can develop a winning strategy for managing third-party security risks, contact us at (952) 544-0234 or

02 Aug 2018

Is Your Business in Scope for the California Consumer Privacy Act?

August 1st, 2018
Adam Stone, Principal and Chief Privacy Officer

Just as business leaders started acclimating to the data privacy requirements in the EU’s General Data Protection Regulation (GDPR), along comes a new and equally robust privacy law from the Golden State. Passed with impressive velocity and approved by Governor Jerry Brown on June 28, the California Consumer Privacy Act of 2018 (CaCPA, or “kak-pah”) raises the data privacy bar for businesses that profit from or otherwise collect, use and share personal data about California residents. In a borderless digital economy, where a business is domiciled no longer matters. The extrajurisdictional reach of CaCPA means that businesses of all sizes may fall under the statute if they provide goods or services to Californians. And who doesn’t nowadays?

Long the policy vanguard for data privacy, California generally sets the tone for the rest of the country. Once effective, many privacy experts believe that CaCPA will move organizations (especially tech-focused firms) towards a data protection regime similar to GDPR. Operating from the constitutional position that Californians enjoy an inalienable right to privacy, CaCPA enshrines many of the same rights that GDPR does for those in the EU. These include a right to be informed; to block the sale of personal information; to access, rectify and request erasure of personal information; and a right to exercise these privileges without prejudice.

If history is a guide, the state will take an aggressive stance on enforcement after the law’s January 1, 2020 effective date.

Though CaCPA covers the activities of a significant number of organizations across the US, some businesses can count themselves out of the statute’s scope. To do this, business leaders should conduct a scoping test based on the carve-outs defined in CaCPA. Here is a helpful decision-flow chart for this purpose.

In plain language, the decision flow above points to businesses that collect, process, use, share, and retain personal information about California consumers. To fall within scope, the business must meet certain thresholds for annual revenue and the breadth of processing of personal information. If the answer to any one of the three questions below is “yes,” organizational leaders may assume that the business is in scope of CaCPA.

  • Do we have annual gross revenues in excess of $25 million?
  • Do we, alone or in combination, annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices?
  • Do we derive ≥50% of our annual revenues from selling consumers’ personal information?

With an affirmative answer to the decision flow above, business leaders should begin reviewing their business processes to ensure compliance with CaCPA on or before the effective date. As the date draws near, expect to find numerous articles and resources for deciphering CaCPA and implementing its requirements. For business leaders seeking an early edge on the competition, hire an outside expert who can help efficiently operationalize a CaCPA-compliant data privacy program.

Adam Stone is Principal Consultant and Chief Privacy Officer for Minneapolis, MN-based Secure Digital Solutions (SDS). With a focus on data protection, SDS provides expert guidance in building and maintaining programs that align with the needs of the business. Our team of seasoned professionals offers a rigorous approach to improving privacy and security management processes. We seek opportunities to improve performance and demonstrate meaningful results. Contact our professionals today at (952) 544-0234 or

11 Aug 2017

Ransomware Makes News But Is Not New

This article was originally posted on CSO Online

August 11th, 2017
By Ed Snodgrass, CISO

Photo Credit: Michael Kan

Chances are you’ve seen a similar image over the past several months, either on internal systems (hopefully not) or within the countless blogs, news stories and industry journals that bombard us every day with ominous warnings and dire consequences. It is, of course, ransomware. And while it (and media coverage of it) has dominated the cybersecurity world for the last several years, it’s not new. Also not new are the fundamental security building blocks necessary to mitigate its impact, or the fact that it represents a cyber risk.

What does seem new is the incredible amount of singular focus on these incidents around the ‘cyber watercooler’, which has drowned out the broader discussion of the underlying principles comprising a solid cyber security program. In addition, the tenor of the cyber risk discussion has seemingly changed as well, from an enterprise-level conversation to a single-point conversation. Neither of these trends is positive.

The first significant ransomware instance occurred in 1989. It was dubbed the AIDS trojan and was released on 5.25” floppy disk. Similar to today’s modus operandi, it attempted to extort currency from victims by encrypting their hard drive and demanding payment for decryption. It was ultimately unsuccessful due to several factors, despite the lack of security in place at the time, but it set a precedent with regard to criminal motivation and intent. As most companies had yet to adopt personal computing and the internet was still in its infancy – used primarily by academia and scientists – the risk and potential of malware wasn’t well understood or communicated.

Throughout the 1990s the use of personal computing and the internet grew exponentially, along with the creation of standardized operating systems and associated applications. The adoption of personal computers and enterprise-level functionality increased within corporations as well, becoming the table stakes necessary to keep up with an increasingly connected marketplace.

It was during this time that a need emerged for organizations to create processes to manage and maintain their technology stack, along with the need to hire internal [or external] experts to manage and refine those processes. Building blocks emerged that formed the basis for how IT and cybersecurity are run today. Identity and access management, anti-virus, firewalls, enterprise email, instant messaging, VPN, cryptography – all were developed rapidly during the technology boom of the 1990s. While security was becoming more relevant and the notion of IT security risk was beginning to emerge, the major focus from an IT risk perspective centered primarily on availability, and emerging IT processes reflected that focus.

The late 1990s (and early 2000s) brought with them a new development in cybercrime. The first significant uses of malware for financial gain began to manifest themselves within online banking applications. As waves of consumers adopted the convenience of managing their money without having to leave home or work, the criminal acquisition of credentials became both highly sought-after and increasingly profitable. The ability to transfer funds internationally had also advanced significantly, allowing cybercriminals to exploit this threat vector quickly and without a high likelihood of being apprehended. As a result, the concept of cyber risk truly began to take shape. Losses could now be measured in hard numbers that directly affected an organization’s bottom line, and the realization emerged that steps had to be taken to address these new threats.

Financial institutions and regulators responded to this realization by producing several significant requirements designed to directly address IT security and cyber risk. GLBA, SOX, NIST and Basel, to name a few, were all intended to provide some semblance of best-practice requirements while allowing institutions flexibility to implement the requirements in alignment with business goals. While these didn’t specifically address the malware threat, they did begin to form the basic building blocks of a sound security program, complete with increasing consequences for not adopting some form of security process.

The mid-2000s and early 2010s brought the first ‘modern’ ransomware and the precursors to today’s crypto-ransomware. Gpcoder, Winlock and so-called Police ransomware utilized a ‘locker’ approach, requiring victims to pay a fee to unlock files or perform some money-generating action to remove the malicious functionality. Police ransomware (locking the peripherals and displaying a warning screen from a supposed law enforcement agency) began to show the emerging effectiveness of social engineering. In many cases, the user’s IP address was displayed, the screens were generated in the victim’s native language and a local or regional law enforcement logo was used, adding perceived legitimacy to the attack. While these early variants were impactful, they were easily mitigated (compared to today’s efforts) due to their weak encryption and relatively basic infection methods.

Standards continued to emerge and evolve simultaneously to address these threats. In 2004, for example, the five largest payment card brands combined their individual security requirements into the PCI DSS, establishing 12 standards sections for accomplishing 6 objectives. While opinions vary on the effectiveness and necessity of the PCI DSS, many of the key requirements and processes in the standard outlined ways to address the threats. Encryption standards, network segmentation, vulnerability management, file integrity monitoring, training and awareness, perimeter security, etc., could all be applied in varying degrees of strength and effectiveness throughout the corporate infrastructure (not only within the cardholder data environment) to make organizations more secure.

Today’s modern ransomware emerged in 2013 and has been dominant since. Crypto-ransomware and its progressively more automated infection methods are straightforward and effective, encrypting the victim’s files using strong encryption and demanding payment using various means – most frequently today, cryptocurrency. Recovery from these outbreaks is much more difficult, and some organizations have had to resort to reformatting their entire hard drive population to remove the infection.

This standards and threat progression has produced two additional trends. First, it made security more challenging to design and implement. Transforming enterprise architecture, for example, from a flat network to a segmented network, and creating processes to deploy, manage and maintain encryption keys, were not small efforts. They required focus on people, process and technology to be effective.

Secondly, as security became more complex, effective enterprise implementation required knowledge, awareness and support from the business units within the organization. Security leaders who recognized this, and could demonstrate and communicate the necessity of security being a critical part of doing business, typically received the funding and support required to build world-class programs.

The moral of the story is that, while there’s no such thing as 100 percent secure, the processes, tools and expertise to combat the threat have been around almost as long as the threat itself. The two most recent outbreaks – WannaCry and Petya, for instance – likely could have been greatly minimized or potentially avoided altogether by focusing on the fundamentals. The fixes were there well in advance of the outbreaks. It simply took awareness and execution to address them before something bad happened.

No one can predict the future. There will be bona fide threats that emerge without warning that the industry will have to collaborate to address. In the meantime, let’s cut through the ‘noise’, recognize today’s (ransomware) threats for what they are and how they compromise the organizations we’re responsible for protecting. Let’s focus on ensuring the foundational building blocks are in place (patching, backups, vulnerability management, etc.) and be as ready as we can be to respond to future security news that’s actually new.

26 Apr 2016

Is Your Risk Leadership Asking the Right Questions?

By Christophe Veltsos, PhD
April 25th, 2016

A recent report by Deloitte entitled 10 Questions You Should Be Asking to Embrace Risk and Lead Confidently in a Volatile World contains key recommendations for business executives to ensure their organization’s survival in the face of uncertainty. The main themes of the report include the need for executives and directors to be aware of their own biases, to value differing opinions, to protect the organization’s reputation, to prepare for the next crisis, and to ensure lessons are drawn from every crisis. However, the last two questions stand out as they relate strongly to the cybersecurity field:

Question 9 – “Is my risk team giving me the confidence I need to make high-stakes decisions?”

The report cautions business leaders about the danger of looking at the risk function as a mere exercise in compliance. It also warns about the use of language and terminology that can feel foreign to these leaders. So, how should an organization report on its cybersecurity efforts to enable leaders to make confident decisions? How can the CISO elevate the conversation, to provide expertise and consultation to the business leaders on matters related to cyber risks?

Question 10 – “Am I engaging our board’s expertise to navigate uncertainty?”

Here Deloitte reminds executives to fully leverage the expertise the board can provide. However, to fully leverage the board’s help, the business has to ensure that information is presented in a way that is clear, consistent, and easy to understand by people with various levels of expertise in the particular domain presented. This is especially true for the cybersecurity domain. How can the business present cybersecurity-related information in a clear, consistent manner that is easy to understand by executives and directors?

To bridge the gap between the CISO, the executives, and the board, one can look at the MAPP approach: Maturity Assessment, Profile, and Plan. This approach works by first assessing the maturity of the organization’s security processes. This assessment can then be translated into diagrams and visuals in support of high-level presentations and discussions with executives and directors about the organization’s current cybersecurity profile, and how to best direct future investments to balance cyber risks while supporting the business’ ability to grow. The MAPP approach enables the information security and risk leaders to become a strategic partner of senior management.

“MAPP helps CISOs create and communicate an information security roadmap to guide the organization’s security activities.” — MAPP White Paper

09 Jun 2015

Demonstrating Value: The ISO’s Dilemma

Security Takes People and Processes, as Much as Technology

By Chris Cathers, Director of Business Development, SDS

Value. This is the quintessential problem for information security leaders. How does one effectively measure and communicate value for a business function filled with known unknowns?

In corporate culture, functions such as accounting, sales, finance, and manufacturing have the benefit of practical, structured and deeply ingrained value propositions. Business executives are fluent in the language of these organizational functions, and understand their view and objectives. In short, these corporate divisions have little problem making their current and future contributions clear to the organization as a whole, in terms of money earned and saved.

Information security leaders get few such luxuries. Historically, business leaders do not understand what IT does or the controls it puts in place. Demonstrating real, substantive value to executive management is often difficult, if not impossible. Part of this difficulty is our own doing as information security professionals: so many of us are just throwing point solutions at problems.

Point solutions are not enough. People, process, and technology: we need all three to achieve anything more than mediocrity.

Threats, breaches, and board involvement require organizations to take a broader look at information security beyond point solutions. For example, a recent client I was serving was asked to put in an Intrusion Detection System as part of their vendor management requirements. Putting an IDS in place without understanding the bigger picture is a recipe for failure. I understand you can “check a box” with that installation, but does it also lull you into a false sense of security? If you haven’t considered what you aim to protect, what you are going to monitor, who is going to monitor, what the reporting structure looks like, and what comprises the best escalation process, you are missing the important pieces of “people and process.”

Speaking to business decision-makers in terms they understand requires first establishing metrics and measuring your processes and solutions against the following:

  • Automation – Does the tool do what we need it to do and speed up the process?
  • Accountability – Are process owners enabled and is a clear path of escalation defined?
  • Awareness – Are the requirements fully understood and is communication defined?
  • Policy/Procedure – Does the tool integrate with other standard tool sets and enable detection?
  • Expertise – Do we have the right skillset in place?
  • Measurability – Are we tracking the appropriate metrics?

Documenting metrics around these six critical dimensions of information security maturity—and speaking in terms of impact to the business—will not only help communicate and show value; it will help protect the assets of the company more effectively through alignment. It has been said for years, “If it can’t be measured, it can’t be managed”.

Secure Digital Solutions, along with our robust assessment platform, TrustMAPP, assists you in taking this holistic view of information security. Our blueprint shows gaps not just in point solutions, but in the people, processes, and technology that make those solutions effective. In fact, you might call our approach “front-end solutions” versus “endpoint solutions.” Tied to business values like return on investment and business impact, this is the language decision-makers need to hear if our security profession is to ever achieve the credibility we need to do our jobs.

25 Mar 2015

Are You Speaking Risk?

Clearing Up Garbled InfoSecurity Communication

By Corey Tower, GRC Consultant

“There is a Threat that can Exploit our Vulnerability – we should address this Risk.”

That sentence alone can be written interchangeably about nine times, causing confusion on what in the information security world we are actually talking about. In my tenure, I’ve seen these risk management terms misused more than not.

What I would like to accomplish in this blog is to address what risk management terms actually mean and how to use them correctly. Otherwise, we take the risk of creating confusion amongst our team, which can exploit…oh, never mind, let’s get to it.

The following definitions are from Shon Harris’ CISSP All-in-One:

Threat Agent: This is the entity that is responsible for creating a threat. This is your hacker.

Threat: Threat is a danger that can exploit a known or unknown vulnerability in your security.

Vulnerability: This is the lack of a countermeasure, or a weakness in an already existing countermeasure.

Risk: Risk is the likelihood and business impact if a threat were indeed to exploit a vulnerability.

Exposure: An instance of being exposed to losses.

So how do these risk management terms interlink? Shon gives another great example of how to show this in her infinite loop:

“Threat Agents, give rise to Threats, that exploit Vulnerabilities, which lead to Risk, that can damage Assets, and cause an Exposure, which can be countermeasured by a Control, which affect Threat Agents.”

Another translation issue can come about when discussing what classification a control falls under. When someone kicks in your home’s front door, did that lock serve as a Physical Preventative control or a Physical Detective control? The lock didn’t keep the intruder out, though your busted door frame told you loud and clear what happened. So which is it? Keep it simple – locks are meant to keep unwanted people out. That makes the lock a Physical Preventative control. An example of a Physical Detective control would be a motion detector.

As you can see, it’s no surprise these terms are interchanged. Within your security team, make it a point to use correct terminology to help bolster a more mature InfoSec program.