How to Build a Winning Cybersecurity Program

By: Cliff Neve, COO, MAD Security

As a consultant I have had the opportunity to evaluate hundreds of organizations’ cybersecurity programs, which span the gamut from nearly non-existent to robust. The successful programs generally share very similar characteristics, which are addressed in an actionable step-by-step manner below.

Step 1: Gain Executive Buy-In and Assign Responsibility

Winning organizations have top-level support from senior leaders who understand the importance of cybersecurity, integrate cybersecurity risks with other business risks, and empower an individual in writing – and in reality – with the authority, responsibility, and resources to manage the cybersecurity program. Every successful cybersecurity program I have seen has a strong champion clearly designated and empowered to lead the program. Unsuccessful programs, on the other hand, typically have fragmented or unclear lines of authority, represented by fiefdoms that result in destructive power struggles and ad hoc, chaotic behavior.

Step 2: Conduct a Business Impact Analysis and Establish a Data Classification Guide

The reason for investing in cybersecurity is to enable the organizational mission and protect organizational assets, so it is imperative to begin by documenting business functions and their requirements for system availability and data protection. For instance, an organization may have high-availability requirements for medical systems, 911 call centers, or bridge controllers, where availability trumps confidentiality and integrity. In an HR system, on the other hand, confidentiality might overshadow the need for availability, so if there were a potential compromise it would likely be the better decision to disconnect the system from the network rather than risk data exfiltration. By assessing all requirements for information and information systems in...
Hot Button Cybersecurity Issues 2018

By: Cliff Neve, COO & Managing Partner, MAD Security, and Ellen McCarthy, Managing Director and Chief Compliance & Risk Officer, VMS, LLC.

This article highlights the criticality of effective cybersecurity programs in light of recent incidents and regulatory scrutiny by such entities as the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the New York State Department of Financial Services (NYDFS), among others.

In a very recent incident, between August 21, 2018 and September 5, 2018, a data breach occurred at British Airways. Cybercriminal hackers were able to gain access to British Airways systems, stealing names, email addresses, and credit card information (including credit card numbers, expiration dates, and card verification codes) relating to approximately 380,000 transactions in which British Airways customers made or changed bookings on the British Airways website.

To combat such cybersecurity incidents, the SEC, FINRA, the NYDFS, and other regulators have undertaken the challenge of evaluating the readiness of regulated entities such as investment advisors, investment companies, broker-dealers, banks, insurance companies, trust companies, and transfer agents to prevent cyberattacks and mitigate cyber risk. The regulators have issued guidelines designed to help transfer agents and other companies guard against attack, mitigate financial and reputational risk, and avoid enforcement action and regulatory fines. For the last several years, the SEC and FINRA have included cybersecurity among their top five examination priorities. Further, the NYDFS enacted 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies, noting specifically: “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards...