Tactical Business Continuity During a Global Pandemic.

Dear Leaders: 

Thank you for your interest in this white paper and for allowing InfoSec Advisory to provide guidance and recommendations regarding business resilience during a worldwide pandemic. I trust this document will guide business leaders when developing a much-needed tactical business resilience program. The goal is to help ensure the health and safety of all personnel while preserving revenue integrity. Please be advised that this brief white paper is a subset of a business-wide contingency plan.

It is impossible to pre-plan for every possible human, natural, or technically created business interruption event. However, within each business the leadership can provide “realistic” guidance to help ensure the integrity and continuity of people, process, and technology. During an unplanned business crisis, focus must be given to people, process, and technology, preferably in that order.

People Actions Now

The current COVID-19 viral pandemic has created massive amounts of Fear, Uncertainty and Doubt (FUD) across many people and business sectors. The health and welfare of people are the heartbeat of each business and must be given leadership focus. As leaders, maintaining engagement with a Positive Mental Attitude (PMA) is vital when supporting business integrity. With a few edits, here is information taken from a current Harvard Business Review article:

“We are dealing with two contagions — the virus itself and the emotions it generates. Negative emotions are every bit as contagious as the virus, and they’re also toxic. Fatigue, fear, and panic undermine humans’ ability to think clearly and creatively, manage our relationships effectively, focus attention on the right priorities, and make smart, informed choices.”

On top of the prevalent COVID-19 FUD throughout the United States, consider these January 2020 data points:

  • 71% of executives say that employee engagement is critical to their company’s success
  • 63.3% of companies say retaining employees is actually harder than hiring them
  • 69% of employees say they’d work harder if they were better appreciated

Executive teams and their leadership must ensure their own health and safety first. This is not narcissistic behavior. If leaders do not take care of themselves first, they significantly diminish their ability to effectively lead and care for their employees and associated third-party individuals. Do not assume employees, contractors, vendors, customers and investors are receiving, or already have, the same information throughout a pandemic crisis. Mitigate this problem and minimize the FUD by doing the following:

When providing pandemic guidance to employees, contractors, vendors, customers and investors, ensure the content comes from trusted and pre-validated sources, such as https://www.CDC.gov.

  • Provide ongoing business management updates to people whenever there are well-defined changes in workflows, job retention, leadership, or risk mitigation requirements.
  • Use whatever multimedia technologies are available to communicate updates. There are no set rules on which technology is used, as all businesses are different.
  • Updates must be given by an individual on the executive team who is accountable and responsible for the position. Preference should be given to an executive who has wide operational knowledge of the business.
  • When presenting company updates via video, audio, or both, the leader giving the update should have a well-written script and should rehearse it prior to “go time.”
  • The scripted update is a “live document” and will always change. Be prepared to make changes accordingly.
  • Keep content open, honest and trusting. This will be appreciated by all stakeholders.
  • On a regional and/or local basis, identify those healthcare providers that support mental and physical health services. Call on them as needed.
  • Note: It costs more money to hire new employees than to retain existing employees. Be a hero to your people, make the tough decisions and keep the needle moving forward!

 Business Actions Now

  • Assume 80% of revenues come from 20% of customers. Identify who these customers are and maintain focus with communications as stated above.
  • Identify all Key Decision Makers (KDMs) in the business. Ensure each KDM has a backup person who can assume the role with full accountability and responsibility.
  • Identify the most vital business processes that maintain customer service integrity.
  • Identify and ensure there are adequate human and technical resources (KDMs) to support vital business processes.
  • Identify the most vital business technologies that support the top 20% of customers.
  • Identify and ensure there are adequate human and technical resources (KDMs) to support these technologies.
  • Today’s gold rush is the theft of business data and Intellectual Property (IP). Identify where the business’s most vital data and/or intellectual property resides within your business’s infrastructure.
  • Identify and ensure the business’s “gold mine of data” is securely accessed and managed by an assigned KDM.
  • Review all customer-focused third-party contracts and Service Level Agreements (SLAs) for possible legal ramifications.

All businesses provide a product, a service, or both to key customers. When these products and/or services become unavailable to the customer base, they can have an immediate and direct impact on customers’ financials. If the product/service company has done very little or nothing to prepare for a business-impacting event, customers may leverage existing contracts and/or SLAs to recoup financial losses. This business interaction increases out-of-pocket legal expenses, including any and all possible financial reparations back to the customer base.

Review and identify all products and services from third-party vendors that are vital to maintaining day-to-day operations. Ensure these vendors can supply the business with needed products and services for a minimum of sixty (60) business days.

About Internal Business Risk

From a business risk mitigation perspective, there are three (3) types of business risk. They are:

  1. Inherent risk is risk that resides within the business from existing business processes, the implementation of various technologies, or a combination of the two that supports operations. Inherent risk can also be incurred through a Merger & Acquisition (M&A) process. This type of risk could be known or unknown to individuals. The ability to alter or mitigate inherent risk begins with an enterprise-wide business risk assessment.
  2. Residual risk is risk that is known within the business after an enterprise-wide business risk assessment. Depending upon the risk culture within the business, plus the financial cost to mitigate the known risk, residual risk is the type and amount of risk accepted within business operations.
  3. Transferred risk is risk that is transferred to a third party outside the operational boundaries of the business. This risk is usually created through third-party contracts. Examples of transferred risk are cyber security insurance and business liability insurance.

Businesses normally have a mixed combination of these risks. How this is managed internally depends upon the level of risk and its acceptance, and on whether the company culture is more or less risk averse.

Cyber Security Actions Now

First and foremost, a cyber security program in today’s business environment must be accepted as a strategic business deliverable. Developing the business’s cyber security program from a top-down approach is highly recommended. 

Business owners today are quickly realizing that COVID-19 has no boundaries and affects all people and markets on a global scale. Just as COVID-19 gains traction through community spread, so does digital information transmitted around the global Internet through interconnected societies.

People have become connected through digital devices on a per-Internet-address basis. Today there are at least 4.3 billion internet addresses being used to connect people and businesses. Expect this number to become ten-fold with the acceptance of the Internet of Things (IoT). These technical connections allow multimedia communications to take place anywhere, any place, at any time. For every assigned Internet address, assume a hacker has an interest in attacking that address to gain access into key company systems. This means that increasing the number of internet addresses assigned to the business also increases the chances of getting hacked from the outside in.

The COVID-19 pandemic is prime time for hackers to catch business owners and their employees off guard. With significant focus on financially surviving the pandemic, hackers know business resources are being diminished while security takes a back seat to “other” pressing issues. Now is the time for business owners not to let their cybersecurity guard down!

At a minimum each business must perform the identification work effort to support cyber security initiatives. Specific personnel must have internal knowledge about the following:

  1. Who are the most vital people required to support vital products and/or services for customers?
  2. Who are the most vital people required to secure the enterprise-wide infrastructure?
  3. What are the most vital business processes that support key revenues?
  4. What are the most vital products and/or services that drive key revenues?
  5. What are the most vital technologies that support key revenues?

A primary objective in securing the business is to not allow hackers to penetrate vital systems and processes through phishing attacks, spam email, cross-site injections, brute-force methods, or social engineering. All individuals associated with the business, including physical and virtual internet addresses, are considered a target. Once the business has performed the work to identify everything listed above, then it is time to learn the following:

  1. Who has full accountability and responsibility for the “keys to the kingdom?” Meaning, who inside the business has direct access to vital business data and IP?
  2. How are vital business data and IP accessed?
  3. How often is this data and IP accessed and why?

Line items 1 through 3 above focus on Identity and Access Management (IAM). Managing IAM is absolutely necessary when securing the business’s “digital gold.”

Closing Statements

Business resilience and cyber security are no longer “solely” based upon the financial costs and technical capabilities of the IT department. Becoming a business-resilient and cyber-secure company requires a top-down, business-driven strategy touching all departments in the company.

Being a business-resilient and cyber-secure company has significant intrinsic financial value to the business. Company leadership must begin viewing enterprise risk management as an investment, not a cost.

This white paper will guide those businesses searching for help and direction during and after the COVID-19 global pandemic. When the light appears at the end of this COVID-19 pandemic tunnel, we as humans can look back and think “wow, look what we have learned.” Though this document is not all-inclusive, each business leadership team can leverage this information and determine for themselves the work required to become a business-resilient and cyber-secure enterprise.

Thank you,

James M. Myers

Investing in Enterprise-wide Security
By
James M. Myers B.S., M.S., CCISO, CISSP

Does your organization view spending money on information systems security (cybersecurity) as an investment, a financial burden, or an unjustified cost of doing business? Is your security budget directed primarily to the Information Technology (IT) department? Realizing that business operations security is a business issue and not just an IT “thing” has become the new cybersecurity paradigm. This new operating paradigm requires business executives to think seriously about how they are going to secure the entire enterprise. A new “holistic” approach is needed. This holistic approach requires an enterprise-wide security investment in people, process, and technology.

How to Think About Cybersecurity Investments

The most critical thought about securing the entire enterprise is acknowledging that technology is not the panacea for all security issues. Consider how many companies worldwide have implemented security solutions through their IT department only to find that their network systems had been breached by a criminal element. A higher level of thinking in cybersecurity leadership is needed to effectively prevent future financial losses. Below are some questions to promote critical thinking prior to investing in cybersecurity solutions:

  1. Is my cybersecurity investment supporting the business’s strategy, goals, and objectives?
  2. How much inherent and residual risk is the business willing to accept?
  3. How much annual security budget do I need to address the level of risk and why?
  4. What are the people skill sets, business processes, and technologies that need funding?
  5. What are the most to least critical people, business processes, and systems that make up daily operations inside the business?

People Component of Cybersecurity Investing

The new reality in today’s business environment is that everything is electronically connected. The plethora of wired and wireless connections has created a fast-moving and ever-changing security landscape (posture). This new posture requires critical thinking that challenges the status quo of existing security solutions. The increased complexity of enterprise technologies requires a village of people to secure it. In other words, no single individual has all the answers or can solve all the security problems. The new business-enabled security leader must be able to guide, direct, and help enrich everyone across the enterprise with a security investment mindset. This is the holistic human capital approach to mitigating the constant threat of network systems breaches or loss of critical Intellectual Property (IP).

Process Component to Cybersecurity Investing

The move to cloud computing and storage has changed how business processes support daily operations. Business IP is now being stored and managed by third-party companies. This creates new business processes that reside outside the core boundaries of brick-and-mortar companies. These processes must be analyzed and assessed for their level of criticality in supporting daily operations. Cloud-enabled processes may require High Availability (HA) data links with strong security such as Multi-Factor Authentication (MFA) and encryption techniques. Investing in cloud services is a security paradigm that requires a serious look at business processes and how to secure them. This includes all data links to and from vendors, customers, contractors, and remotely connected employees.

Technology Component to Cybersecurity Investing

The cybersecurity vendor community has exploded in numbers since 2012. Worldwide spending on cybersecurity products and services is predicted to eclipse $1 trillion for the five-year period from 2017 to 2021. There will be plenty of security technologies for security executives to analyze and assess. There is enhanced opportunity to purchase and implement tomorrow’s security technologies into today’s operating environments. Out with the static, signature-based solutions and in with the new Artificial Intelligence (AI), Machine Learning (ML), and User Behavior Analytics (UBA)/User and Entity Behavior Analytics (UEBA) solutions. Each of these solutions requires advanced mathematical algorithms to effectively assimilate multiple vectors of input data. The intent is for machines to assist with analyzing real-time security incidents, thereby decreasing security investments while increasing information systems data reliability with an effective security posture.

Holistic Approach Value

There are minimum requirements for protecting company IP and critical data, and meeting them alone is the technology-only approach to the complex task of effectively securing the entire enterprise. Given the number of successful security breaches over the past five years, it is safe to say that change is needed. The holistic approach to cybersecurity will:

  • Provide a stronger defensive security posture across the company’s information systems
  • Build greater knowledge of security practices across the entire employee body
  • Allow executives to make well-informed, security-enabled decisions
  • Help to protect the company’s brand, image, financials, and intellectual property

Taking a holistic approach to investing in people, process, and technology can provide the needed foundation for securing the enterprise today and in the future.

Leadership in Cybersecurity
By
James M. Myers B.S., M.S., CCISO, CISSP, ITIL

A challenging and sometimes confusing task is defining the leadership in cybersecurity for an enterprise. There are various job titles, such as Chief Security Officer (CSO), Chief Risk Officer, Chief Information Security Officer (CISO), V.P. of IT Security, or V.P. or Director of Information Security. Regardless of title or functional position, the lead role in a security organization is expected to wear many hats and solve a myriad of strategic, operational and tactical problems.

Today’s security leader must keep their pulse on a plethora of security initiatives. Below is a list of security initiatives that a security leader would either manage or have parallel impact upon within a business:

  • Data security
  • Vendor management
  • Budgeting & forecasting
  • Network systems security
  • Disaster Recovery (DR)
  • Application security
  • Identity & Access Management (IAM)
  • Vulnerability Management (VM)
  • Data storage
  • Business Continuity (BC)
  • Cloud enabled solutions – SaaS, IaaS, PaaS
  • Policy & controls development with implementation
  • Managing enterprise risk tolerance
  • Communicating to executives and board members
  • Human resource leadership
  • Incident Response Planning (IRP)
  • Multi-year security architecture planning
  • Audit management & support
  • Breach mitigation
  • Keeping current with leading edge security solutions

Couple the above list of security initiatives with the statements below and you quickly realize a practical yet manageable shift is needed. Today’s information security leaders are faced with:

  • Multi-vendor proprietary point solutions. This creates financially inefficient security architectures with increased vulnerabilities
  • A technology-aligned reporting structure. Security leaders primarily report to the CIO. Security initiatives viewed primarily as technology solutions create misalignment with business requirements. This increases security spending costs
  • Obtaining an effective security budget is a constant battle. If the security budget is measured as a percentage of the IT budget, this creates an ineffective security posture for the business
  • Black hats (criminals) don’t care. Meaning, the bad hackers don’t care if you are required to comply with a policy or law, nor do they care about your budget or resources. Time is on the side of the black hats – they only have to get lucky once
  • Historically, security teams have been built in vertical silos. This increases miscommunication and weakens trust across lines of business

The new leader in information security must be envisioned as a leader-integrator. This person accepts the responsibilities and accountabilities of the position but leads and manages with a higher order of thinking. The position requires an individual who can zoom in on technical discussion to solve tactical problems while comfortably collaborating and communicating with top executives. Security leaders today should be viewed as change agents, culture builders, transformers, and visionaries, yet able to keep their fingers on the tactical pulse of the enterprise’s security posture. Their position relative to the enterprise should have transparency to the executive team. The ability to present security information to direct reports or during a board meeting at a level understood by the audience is of vital importance to the overall risk management of the business. The new leader-integrator for operational security is proactive with the following:

  1. Envisions security value horizontally – reaches out to other departments such as operations, finance, HR, sales and legal.
  2. Is a bridge builder across disciplines, departments and stakeholders
  3. Enhances collaboration through communication while building trust inside and outside the security organization
  4. Invests in security technologies that support business objectives
  5. Actively listens while proactively accepting critique from subordinates, executives and board members
  6. Has a business and technology background and thinks as a strategic “holistic” thinker
  7. Constantly learns and stays abreast of emerging security trends, while passing that learning on to employees, the organization, and partners
  8. Is a persistent servant leader to others and helps individuals become leaders in their own right

The new information security leader understands that security transcends technology. Technology is the enabler of business, yet security is the overarching business operations protection program. Tomorrow’s security leaders will be required to effectively and efficiently integrate people, process and leading-edge technologies to ensure a consistently relevant security posture for the business. This requires business acumen and the ability to think critically to solve complex problems. The time is now for the security leaders of tomorrow to approach security as a business problem first, followed by the supporting skill sets, business processes and technologies required for securing the enterprise.

The Cybersecurity Human Resources War

By

James M. Myers B.S., M.S., CCISO, CISSP, ITIL

Does your company, organization or enterprise have a difficult time keeping security leaders and practitioners? Does your security team have a reputation as a revolving door of talent? If so, then your business security paradigm must change to meet the prolific demand for talented security professionals. Gone are the days when the new employee expects and/or believes he/she will be working 10, 20, or 30 years for the same company. The new employee does not expect to work for the same company for more than two to three years. Employees are the most valuable asset to the business, and they are the most expensive. The demand for security professionals is extremely high!

Market demand for security professionals is the highest in history. There are approximately 1.2M unfilled cybersecurity positions across the world, with approximately 220,000 of them inside the United States. From a basic LinkedIn search, there are 8,106 open CISO jobs in the United States. These current numbers are growing on a monthly basis with consistent annual increases. The demand for skilled security leaders and practitioners is here to stay for at least the next 5 years.

Unfortunately for senior management, there are large proportions of dismayed/disgruntled employees. Consider the following content taken from a Bloomberg news article dated April 15, 2015:

“Half of all U.S. employees have at some point in their career quit their jobs to get away from their boss, according to a new Gallup study of 7,272 adults. If workers loathe their higher-ups, the feeling may be mutual. Gallup also found that managers weren’t thrilled with their work situation, either. Just 35 percent of U.S. managers said they felt engaged on the job. Fifty-one percent said they weren’t engaged, and 14 percent confessed that they actively tune out at work.” For the more senior employees earning annual salaries of $125,000 or above, the numbers listed above are less.

When the shortage of skilled cybersecurity workers is coupled with a large percentage of dismayed/disgruntled employees, the business of effectively securing your business is under duress. What does a CISO have to do to keep his/her valued security practitioners?

Today’s new security employees are looking for security leaders who can instill dynamic and creative change to grow the business. They want the opportunity to cross-pollinate their skill sets across the enterprise. They want to be treated with respect and dignity. They want a defined and achievable career path to growth within the company. And they want to be paid according to market demands.

Keeping skilled cybersecurity practitioners requires strong leadership in the CISO position. The new CISO leader must have strong business acumen, know how to collaborate with people vertically and horizontally within the enterprise, and be an outstanding critical-thinking technologist. The requirements of today’s CISO are as critical as those of any other C-suite professional. For the business to realize an effective security posture through proactive employee engagement, it is time to present an open seat at the corporate table for the new CISO leader.