How to Build a Winning Cybersecurity Program

By: Cliff Neve, COO, MAD Security

As a consultant I have had the opportunity to evaluate hundreds of organizations’ cybersecurity programs, which span the gamut from nearly non-existent to robust. The successful programs generally have very similar characteristics, which are addressed in an actionable step-by-step manner below.

Step 1: Gain Executive Buy-In and Assign Responsibility

Winning organizations have top-level support from senior leaders that understand the importance of cybersecurity, integrate cybersecurity risks with other business risks, and empower an individual in writing – and in reality – with the authority, responsibility, and resources to manage the cybersecurity program. Every successful cybersecurity program I have seen has a strong champion clearly designated and empowered to lead the program. Unsuccessful programs, on the other hand, typically possess fragmented or unclear lines of authority represented by fiefdoms resulting in destructive power struggles and ad hoc, chaotic behavior.

Step 2: Conduct a Business Impact Analysis and Establish a Data Classification Guide

The reason for investing in cybersecurity is to enable the organizational mission and protect organizational assets, so it is imperative to begin with documenting business functions and their requirements for system availability and data protection. For instance, an organization may have high availability system requirements for medical systems, 911 call centers, or bridge controllers where availability trumps confidentiality and integrity. In an HR system, on the other hand, confidentiality might overshadow the need for availability and thus if there was potential compromise, it would likely be a better decision to disconnect access from the network rather than risking data exfiltration. By assessing all requirements for information and information systems in...
Hot Button Cybersecurity Issues 2018

By: Cliff Neve, COO & Managing Partner, MAD Security and Ellen McCarthy, Managing Director and Chief Compliance & Risk Officer, VMS, LLC.

This article highlights the criticality of effective cybersecurity programs in light of recent incidents and regulatory scrutiny by such entities as the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the New York State Department of Financial Services (NYDFS), among others.

In a very recent incident, between August 21, 2018 and September 5, 2018, a data breach occurred at British Airways. Cybercriminal hackers were able to gain access to British Airways systems, stealing names, email addresses, and credit card information (including credit card numbers, expiration dates, and card verification codes) relating to approximately 380,000 transactions in which British Airways customers made or changed bookings on the British Airways website.

To combat such cybersecurity incidents, the SEC, FINRA, the NYDFS, and other regulators have undertaken the challenge of evaluating the readiness of regulated entities such as investment advisors, investment companies, broker-dealers, banks, insurance companies, trust companies, and transfer agents to prevent cyberattacks and mitigate cyber risk. The regulators have issued guidelines designed to help transfer agents and other companies guard against attack, mitigate financial and reputational risk, and avoid enforcement action and regulatory fines. For the last several years, the SEC and FINRA have included cybersecurity among their top five examination priorities. Further, the NYDFS enacted 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies, noting specifically: “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards...
NIST 800-171: Leveraging an MSSP for Compliance Frameworks

For many businesses, compliance is becoming a way of life. As cyber-attacks and data breaches are revealed and reported on a regular basis, new compliance requirements will continue to be implemented. A couple of recent examples are the NIST 800-171 (Defense Federal Acquisition Regulation Supplement or DFARS) requirements for Controlled Unclassified Information (CUI) and GDPR regulations for protecting personal data of EU citizens. In this post, we’ll focus on NIST 800-171, what we can expect from it this year, and how to maintain compliance throughout 2018 and beyond.

NIST 800-171 and its Implications for 2018

Since the December 31st deadline has come and gone, many defense contractors and subcontractors may be curious as to how it will affect them. If a defense contractor currently has an existing defense contract that includes the DFARS clause, then they must already be on the road to compliance with their System Security Plan (SSP) and Plan of Actions and Milestones (POA&M) in place. Also, if a contractor plans to bid on a similar contract in the future, they must also have begun this process.

However, just creating a POA&M and an SSP is not a “set it and forget it” thing. A contractor must show continual improvement. This is where a Continuous Monitoring Strategy (CMS) comes into play. A contractor should be working to close the gaps identified in their initial Gap Assessment by completing tasks and fulfilling obligations on schedule within the POA&M, updating their SSP, as well as continuing to monitor their environment. DFARS consists of 14 families of controls totaling 110 controls, which can be found in the NIST Special Publication...