13 May 2017

Hiring a Security Rockstar


Secure Digital Solutions CISO, Ed Snodgrass, recently had the privilege of writing for the Forbes Technology Council. The title of the piece is “Looking To Sign A Security Rock Star? Money Isn’t Everything”. A summary of the article is given here; the full article is located on Forbes.

What follows is a high-level summary of the original article, posted on May 3rd, 2017:

There’s a cybersecurity talent war going on. Skilled resources are in high demand, and the competition for them is fierce. Big companies pay big money to attract and retain talent, potentially leaving small to mid-size organizations in a tough spot if they try to compete on those grounds alone. In summary, the article’s recommendations are:

Give them a path forward: You brought them in for what you need today. Work with them to build a plan for what you’ll need tomorrow. Discuss career aspirations, help them build an individual roadmap based on goals and milestones, and support it. Your people will know they have a challenging and rewarding future ahead. It’s mutually beneficial.

Share the company’s mission and strategy: Knowing how security, and their specific role within it, supports the company’s overall mission provides context and creates ownership in the organization’s success. The role they’re currently in may not be glamorous, but it’s critical, and they know that.

Support continuing education and networking: Give them time to get that new security certification. The knowledge they’re gaining will make them smarter, and your company will be better off for it. Security conferences are important, too. Security pros need to stay up to date with the latest threats and the latest countermeasures showcased at these events. Yes, they go to network, too, but that’s not necessarily a terrible thing. After all, if they’re happy working for your company and others see that, perhaps a respected and talented colleague will want to be happy working for your company as well.

Respect and acknowledge their expertise: Security professionals are paranoid — and that’s a good thing. When they come in with a discovery or a suggestion (read: “We absolutely have to do this”), make sure you listen. Discuss it. Weigh the pros and cons, and ultimately, if your decision isn’t the course of action recommended, they’ll know why. They’ll know their counsel was valid, and they’ll respect the decision.

Be real: Engaging in candid discussions about professional development is critical. The pros will take your constructive feedback as a personal challenge to better themselves rather than petty criticism — but only if you’re open to their constructive feedback as well. At the end of the day, they know you call the plays and they respect that.

Recognize their achievements: Security can be a thankless job because “no news is good news.” Much of the demanding work it takes to protect a company goes on behind the scenes and in windowless rooms. Appreciate what they do, and they’ll appreciate it, too.

If they want to leave, help them leave: That doesn’t mean push them out the door; it means set them up for success in their next role. Know what their new opportunity is offering them and why. Talk about the things they’ve learned and their professional growth as a member of your organization and thank them for being a part of the team. Despite the substantial number of security practitioners out there, it’s a small community. With so many open positions available, security pros can pick and choose where they go, and security culture is just as important as compensation. Build a great culture, and you’ll be amazed by the results.

01 Nov 2015

Ten Years of Information Security

This November marks ten years since Secure Digital Solutions (SDS) began as a company delivering thought leadership to clients in a way that accomplishes business objectives. In those ten years there has been a lot of change.

In 2005, companies defined information security as policy, procedures, firewalls and vulnerability assessments. A lot has changed in ten years, and a lot has not. Today, in 2015, we are still focused on policy, procedures and vulnerability assessments, but also on securing mobile devices and personal devices in the workplace. Health information is now online in a big way, credit cards are stolen at an enormous rate, and we are supposed to believe that technology is making our lives easier.

The average employee spends roughly 28% of their workweek reading and responding to email, according to a McKinsey study conducted in 2012. Looking at breach data for a moment: in 2005, 136 data breaches were made public, impacting 52,815,610 records. Contrast that with 2015, where 155 breaches have been reported to the public so far, impacting a staggering 153,021,381 records. This information is reported by the Privacy Rights Clearinghouse chronology of data breaches. Comparing 2005 to 2015, there are only 19 more data breaches reported today than ten years ago. However, the amount of information compromised is a much higher multiple, with over 100 million more records compromised in 2015 than in 2005. This tells us that larger breaches are occurring, but also that businesses in general are storing more sensitive information online than ever before.

As a digital society we still have not solved information security. We continue to bring digital revolutions to consumers and deliver automation for our businesses, with security being a bolt-on feature in many instances. Ten years later our firm is still writing new security policies and emphasizing the importance of procedures, and we are frequently called upon to help clients conduct vulnerability assessments and penetration tests. These activities are important and the intentions are sound; however, it also means that we as a digital society still have not “solved” some of the fundamentals of information security. In 2015, CISOs are working out how to report the state of their information security programs, and their progress, to the Board of Directors, and what information that report should contain. This is a reaction to the Target and Home Depot data breaches. Whenever an executive is called upon to report to Congress on the state of security, ladies and gentlemen, we as an information security industry have arrived. Yet I’m not impressed by the attention information security is receiving. Why had Boards of Directors not demanded reports from the CISO prior to 2014? The industry is still very reactive in nature, but I do see hope, as we are learning from our mistakes.

Circling back to our ten-year anniversary for a moment: in 2014 our team embarked on a journey to automate the measurement, analysis and communication of information security programs. Our business rule for doing so was to ensure we were not going to create another audit tool or GRC tool. Indeed, we have accomplished this goal. We have addressed what CISOs are struggling with in 2015 and beyond: reporting to the Board of Directors and executive stakeholders in a meaningful and consistent manner. We do this by measuring the processes that form your information security program against the maturity levels of six criteria from COBIT 4.1 (Awareness, Policy & Procedure, Accountability, Expertise, Automation and Measurability). Each criterion is measured at its own maturity level for each individual process, so you know which aspects of a process actually need improving and how well the other criteria of that process are performing.

For the month of November we are offering qualified clients an opportunity to try Accliviti for thirty days with no further obligation. To understand more about how we measure information security programs using Accliviti, refer to the blog post titled “Processes are for Managers”. Accliviti is all about elevating the conversation around information security programs.

As CISOs and information security programs in general have dramatically shifted and matured over ten years, so has our practice at Secure Digital Solutions. We plan to continue to develop exciting new features in the Accliviti platform as it quickly becomes the go-to CISO platform, supporting the CISO in becoming successful with the business, for the business. Cheers to the next ten years!