The MOST Important Cybersecurity Principle

Asset management is most commonly associated with cybersecurity hygiene: patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories I want to bring to your attention, along with how they align with a mission-based cybersecurity risk program.

ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

These three sub-categories are the foundation of your organization's cybersecurity program, and specifically of your cybersecurity risk program. You cannot protect, prioritize, or measure risk for assets you do not know you have.

Some factors to keep in mind when developing a prioritization methodology:

  • The role the asset plays in generating revenue
  • The asset's importance to ongoing operations
  • The asset's cost to replace or protect
  • ...

5 Focus Areas - Third-Party Risk Measurements

There are two types of third-party risk: product vendors and service providers. Product vendors deliver the software, platforms, and infrastructure you outsource to them, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are still hosted on-premises.

Service providers are consulting vendors, such as management consultants, IT consultants, cybersecurity consultants, and managed service providers. Regardless of the type of third-party vendor, these are the five areas your third-party risk management program should focus on:

  1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policies, procedures, and contractual language is essential, and this is an area where you should involve your legal team.
  2. Security program transparency: where is the data center? What physical controls are in place? Make sure these questions are asked and, if possible, validated to...

Chasing Perfection

Pursuing perfection consumes a lot of resources, both money and people. In cybersecurity risk management, there are two key questions:

  • When will enough be enough?
  • How much time and effort should your organization spend to achieve a reasonable level of cybersecurity against an attacker?

The answer to these questions is your risk tolerance. Chasing perfection is hard and may not get you where you want to be; it also risks missing the big picture, leaving security gaps in other areas of your organization, and burning out your staff.

A holistic and mission-driven approach to cybersecurity, with reasonable and measurable goals, will help secure your organization. To get you started, keep in mind three questions:

  1. What are your organization’s cybersecurity risks?
  2. How are you managing the organization’s cybersecurity risks?
  3. How are you measuring your cybersecurity risk reduction?

Cybersecurity Report - Board of Directors

There is a three-point framework to keep in mind when preparing a report to the Board, especially if you are a small to medium-size business with annual revenue between $100M and $700M and, potentially, no CISO in your organization.

  1. What are the key risks the Board should be aware of at a high level, and which of them warrant a deeper briefing?
  2. How do these risks align with the organization's strategic initiatives?
  3. What is your opinion, and what do you recommend? Bring a solution, not just a problem.

One key factor to remember: be prepared to answer how your organization compares to others in the industry. I suggest comparing notes with other organizations in the same industry and of similar size.


Author: Dr. Bill Souza | Jul 8,...

Small and Midsize Business 4 Risk Management Pillars

NIST has developed a cybersecurity risk management framework (NIST SP 800-39) that treats the issue as a comprehensive, continuous process requiring organizations to:

  1. Frame risk
  2. Assess risk
  3. Respond to risk once determined
  4. Monitor risk on an ongoing basis

These four pillars must be addressed by all small and midsize businesses. A small or midsize business (SMB) is a business that, due to its size, has different IT requirements, and often faces different IT challenges, than a large enterprise, and whose IT resources (usually budget and staff) are often highly constrained.


Author: Dr. Bill Souza | Jul 6, 2022 