Categories
ComTech

Towards a Cyber-Secure Future with Jenna Waters


 
Jenna Water’s time in the US Navy equipped her with sophisticated skills she now finds invaluable in her work as Cybersecurity Consultant at True Digital Security. She joins Tom Fox and Valerie Charles on this episode of ComTech to talk about how the cybersecurity industry is evolving, her vision to end security breaches, and what she thinks about President Biden’s executive order on cybersecurity.
 

 
Putting Corporate America on Notice
“I think businesses – particularly those that work in industries regarded as critical infrastructure, obviously because of the Colonial Pipeline hack – …a lot of them know now that they’re on notice,” Jenna tells Tom and Valerie. Recent cybersecurity attacks as well as the rise in ransomware, have driven home the need for good cybersecurity. These attacks not only impact businesses but are now tangibly affecting the lives of everyday citizens. Jenna believes this is sparking change in the industry, as the government, companies, and even the general public are taking cybersecurity more seriously. 
 
End Security Breaches
Tom comments that his clients are now asking about their information security program, something they weren’t concerned about before. He asks Jenna how she would advise a company to start thinking about this issue. She outlines the steps her company takes to help their clients create a customized cybersecurity program. “…By prioritizing your risk, that’s how you can develop a more tailored cybersecurity program,” she points out. She and Tom discuss her vision of ending security breaches overall. She remarks, “For me, ending security breaches is a vision of the future in which a security breach can be detected, identified, and contained effectively… It’s not allowing a security incident to go to the point of a security breach… and it doesn’t affect or impact the organization or public in any significant way other than maybe the time it takes to contain it.”
 
Improving Cybersecurity with Data
“When you’re trying to combat this kind of breach, how do you use data?” Valerie asks Jenna. “Cybersecurity is actually one of the best areas in technology where it can be very data-driven,” Jenna responds. Data can help you build a threat profile and come up with an action plan to combat threats. Analyzing recent and past data can help you establish an operational baseline, and in turn recognize deviations from the norm. It can also help you identify gaps and vulnerabilities in your organization. There’s also the global perspective: gathering and analyzing data on threat groups helps you recognize their patterns before they attack. However, don’t focus only on data and ignore basic psychology. Hackers are still just human beings and are “subservient to human behaviors and motivation,” Jenna reminds listeners. 
 
Cyber Risk Assessment is for Everyone
“I think everybody could benefit from a risk assessment in terms of cybersecurity,” Jenna tells Valerie; businesses in critical industries should prioritize it. Generally, she recommends an annual assessment. However, it should also be done when there is a significant change in operations or in the direction of the business. She argues that leadership buy-in is imperative: “Leadership buy-in for an organization is paramount to the success of the cybersecurity team.” 
 
Thoughts on Biden’s Executive Order
“Do you have any urgent or immediate thoughts on President Biden’s executive order on cybersecurity?” Valerie asks. Jenna responds that she is excited and on board with the order. “As cybersecurity professionals, we like to take advantage of every emergency,” she quips. It’s a positive step signaling that cybersecurity is seen as important at the highest levels of government. On the other hand, however, the executive order may not last after Biden’s term of office as it can be revoked by the next President. Additionally, only certain federal bodies are bound by the order.
 
Resources
Jenna Waters on LinkedIn 
True Digital Security 
 
 

Categories
Compliance Kitchen

Biden Adminstration Executive Order on Cybersecurity


The Kitchen looks into the recent Executive Order that aims to strengthen cybersecurity in the US government and private sectors.

Categories
Compliance Into the Weeds

Biden Administration Executive Order on Cybersecurity


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week Matt and Tom take a deep dive into the Biden Administration’s recently released Executive Order on cybersecurity for both the federal government but also contractors who do work for the US government and their subcontractors.
Some of the issues we consider are:

  • How will there be more and better sharing of threat information?
  • How will we achieve stronger cybersecurity within the government?
  • Why will contractors will need to have stronger oversight of their SW supply chain?
  • What will be the role of compliance?
  • What will be the role of internal audit? 

Resources
Matt’s blog post on Radical Compliance: 
Parsing Biden’s Cybersecurity Order

Categories
Coffee and Regs

Managing Cyber Insurance Risk

Managing Cyber Insurance Risk
 

In this episode, CSS’s Director of Cyber IT Services E.J Yerzak sits down with AVP, Program Executive at Varney Agency and cyber insurance expert Nick Weiner to discuss the recent NYDFS guidance for insurers that underwrite cyber insurance policies. The guidance includes a Cyber Insurance Risk Framework that provides best practices for managing cyber insurance risk amid concerns of systemic and “silent” risks to the financial sector.

 

 

About Our Guest Speakers:

 

E.J. Yerzak CISA®, CISM®, CRISC™ assists firms in assessing and managing their cybersecurity risk – from network vulnerability scanning and penetration testing to onsite cybersecurity assessments and assistance in implementing the NIST cybersecurity framework. E.J. has authored articles and alerts on emerging regulatory and technology issues, and is regularly requested to speak as a cybersecurity expert at industry conferences.

 
 


Nick Weiner is a commercial insurance agent, with ten years of experience focused on cyber, professional & management liability insurance for financial institutions. Nick firmly believes every professional organization deserves access to a specialist who can design, administer and implement a custom insurance solution. Working with an independent insurance agency gives Nick the opportunity to use his experience, knowledge, and understanding of the marketplace to assist his clients in finding the insurance solutions that meets their needs. At twenty-two, Nick started his own national insurance agency focused solely with the goal of servicing entrepreneurs in the financial services industry. Seven years later, Nick’s business was purchased, and he joined forces with Varney Agency (Portland, ME) to assist in the continued growth of their financial institution’s division. Nick often participates in thought leader groups for the industry and works closely with some advisory focused publications to provide input on insurance related topics.

 
 

Categories
Compliance Into the Weeds

Cybersecurity, ERP and Compliance


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. This week Matt and Tom take a deep dive into the type of cybersecurity risk where ERP software is compromised due to a bug or other vulnerability. Some of the issues we consider are:

  • What are two types of cybersecurity risk?
  • How does this second type of risk impact ERP systems?
  • What are the compliance implications? Internal Audit? Crop Governance?
  • What steps can a CISO take?
  • What does this mean for compliance officers?

 Resources
Matt’s blog post on Radical Compliance: 
More on Cybersecurity, Compliance Risk

Categories
Innovation in Compliance

Comprehensive Cybersecurity Management with Jenna Waters


Jenna Waters is a Cybersecurity Consultant at True Digital Security where she specializes in information security program development, industry compliance assessments, threat intelligence, and cloud security controls. She helps clients through the challenges of cybersecurity program development and holistic security consulting, and also consults companies across varying industries. Tom Fox welcomes her to this week’s show as they discuss technological safety within industries, and what her company is doing to curb cyber attacks.
The Micro/Macro Focus
Jenna is a USN veteran, and during her time in the Navy, she worked on highly sophisticated computer information systems and with a lot of other sophisticated technologies as well. Tom asks her to elaborate on the Navy’s approach to cybersecurity as opposed to the public and private sector. Jenna iterates that the Navy, as well as any other military, federal, or law enforcement agency, is focused on a very global, or what she calls a “macro threat” environment. They are focused on protecting the country as a whole from cyber and information warfare attacks. On the other hand, the private and public sectors have a microfocus: in industries or specific business types and the risks and threats those industries or business types may face. 
“To End Security Breaches”
Tom remarks that True Digital Security strives to bring an end-to-end solution, and makes mention of the company’s statement “To end security breaches.” Jenna explains that it’s the company’s goal and that True Digital strives to be at the forefront of cybersecurity. Doing this means preventing breaches from occurring in the first place. However, in the event that breaches do happen, ensuring that attackers don’t acquire vital information is important. “Even if you suffer a minor breach, they’re just stuck because we want our clients to have a very layered defense, an in-depth approach that prevents them [attackers] from getting something valuable,” Jenna says.
Software Inventory Management
“It’s the process of keeping an updated inventory of all your software and your applications from even the smallest minutia of an application used within your IT environment,” Jenna says in response to Tom’s question about software inventory management. She adds that it’s one core aspect of overall IT asset management. It enables the recording of vital information such as software update cycles, as well as ensuring that all the critical security patches are applied. Software Inventory Management keeps records of the quantity of applications software that exist within an organization. It helps detect if there’s been a breach as the bit size of applications changes when a breach occurs. 
The Impact of COVID-19
The pandemic has not changed True Digital’s approach very much, Jenna remarks. What the company has been doing is helping clients pivot without the notice of attackers. Remote working comes with its own challenges and insecurities, and so assisting clients and pivoting in a way that helps them continue to achieve their cybersecurity compliance program and development goals is important. The rise in attacks emphasizes the need for structural and legal practices and precedents. Jenna stresses that governments of the world, as well as public and private sectors, need to come together to denounce cyber attacks and enforce actual consequences for these actions. 
Resources
Jenna Waters | LinkedIn
TrueDigitalSecurity.com
 

Categories
Compliance Into the Weeds

DFS First Cyber Case-First American Title


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode Matt and Tom go into the weeds to look at the first Cybersecurity breach case brought by the state of New York’s Department of Financial Services. Some of the highlights include:

  • What is the DFS?
  • What is Reg 500, Cyber Rules?
  • What were the First American comedy of errors?
  • CISO disavowed ownership of the issue, stating, among other reasons, that such controls were not the responsibility of respondent’s information security department.
  • No training for new employee charged with remediation.
  • First American said it did nothing wrong.

 Resources
See Matt’s blog post, Parsing DFS’ First Cybersecurity Case on Radical Compliance.

Categories
Daily Compliance News

Daily Compliance News: March 28, 2019-the SFO sued edition

MARCH 28, 2019 BY TOM FOX


In today’s edition of Daily Compliance News: