Using the Golden Rule to be a Better Leader

In a recent C-Suite Success Radio interview, my guest Don Barden and I were discussing Servant Leadership. In that discussion the golden rule came up and Don told me that we have translated it incorrectly all these years. What he told me is a real game changer for becoming a better leader.

When we are young we learn that the golden rule says to do unto others as you would have them do unto you. Don explained that the correct translation, and the one that you must use if you are to be a servant leader is to do unto others as they would want you to do unto them.

That means you treat them how they want to be treated, not how you want to be treated. I thought that was brilliant, especially in the context of work because it lines up with one of my strong beliefs that people do best and are the most engaged when given the opportunity to do the work that means the most to them, and when empowered to do it in the way that they want to do it.

For example, I love public speaking and cherish the opportunities, which means that if I did unto others as I want done unto me, under the original understanding of the golden rule I would offer a speaking opportunity to someone else. But if they hate public speaking I am not actually giving them something they want, I am giving them something I want. I have to know what is important to them so I can give them what they want.

I have a friend who loves spreadsheets and would be less motivated if I asked her to do something creative like write an article, which is what I would want someone to ask me to do. If she asked me to do the spreadsheet work because that is what she likes I would be miserable pretty fast.

This translates into how we treat our friends, family, and, in the context of business, our co-workers and employees. True servant leadership – or in all actuality, true leadership – means finding out what the people on your team like the most, what role suits them best, and doing everything you can to provide that to them. It’s not always possible for everyone to love every minute and every aspect of their job, but the more you can honor them, the more you can serve their needs, the better the results and engagement will be.

Your assignment, if you choose to take it, is to learn one new thing about each member of your team or your family that will allow you to serve them better. Start giving to them in the way they want rather than based on what you would want them to give to you.

If you do this from a place of true curiosity you will see amazing results very quickly. I would love to hear about your experiment, and you can connect with me on LinkedIn or email me at sharon@c-suiteresults.com.


Arming the Cyber Defender – Your Employees

Too often cybersecurity professionals talk about people being the weakest link in security, but I would much rather look at these individuals, your employees, as your first line of defense rather than the weakest link. That is because they are your first line of defense in the cyberwar waged against us.

You may think I’m being melodramatic when I use the term cyberwar, but this is exactly where we are. Our biggest adversaries are foreign governments who use their immense resources to gain access to our personal information and our intellectual property in order to gain advancements and a competitive edge over our country, our companies and our technologies. This is happening every day and China is leading this war against us while we do very little to respond.

You may think that you can’t do much against the Chinese Communist Party, but that is where you need to think differently: there is a lot you can do, and it will take you and many more organizations being armed and ready to take action. We are mistaken if we have the attitude that someone else will take care of the problem. That is because we are not fighting this war on the traditional battlefield; the fighters are not the military, they are you and me, and we all have a part to play.

For your organization, the defenders in this war are you and your employees, the people sitting in front of a computer all day or connecting a device to your network. They are your first line of defense, but they have not been weaponized, as in, they don’t know how important their role is in this fight; actually they don’t even know the fight exists.

Here is a checklist you can use to help ensure you have your bases covered in arming your employees in this war and protecting your organization and our country’s assets.

  • Provide security awareness training that connects the user to their responsibility for security – teach them how to behave, what to do, what not to do, and how to respond, then reinforce the training on a regular basis. Make sure they understand their role and how important it is. The more interactive and real the training, the more they will connect with it and remember what they have learned.

  • Do not allow users to have administrative rights to their computers. Talk to your IT department about this, because administrative rights give attackers more access and a much better chance of installing malicious software on your network.

  • Do not allow users to disable endpoint security like host-based firewalls or anti-virus software, and keep the software current and working properly.

  • Provide users with clear instructions that are easy to find and follow for how to report suspicious or anomalous activity – make sure they know what it means – and test them. Then ensure the response team knows what to do in various situations and test them too. Testing reinforces what people have learned; make it part of the process and not something for them to be afraid of.

  • Provide specialized security training for your business leaders and empower them to discuss security with their employees. Engage your security teams or security consultants to help. This is specialized knowledge that you have to teach everyone in your business; you can’t leave it up to the small group of security experts when all your users are your first line of defense.

  • Provide users with secure methods for transmitting sensitive data and teach them how to use them. They need to know that email is not secure unless you have given them a secure method for using it.

  • Provide users with secure methods for storing sensitive data and make sure they know where those locations are and how to ask for access. Users need to understand that storing sensitive data on their computers or on unprotected network file shares exposes that data to loss to an attacker.

  • Keep the conversation in front of everyone at all times; don’t become complacent or allow your people to become complacent. This is an ongoing and ever-changing topic, and so must be the conversation.

When I said to test them, there are many ways you can do this. You can use products that simulate phishing attacks, which users will learn from if they click on the email. You can use a penetration test to simulate an attack and test your response capabilities. You can use consultants who can perform social engineering tests to see if users provide sensitive data like passwords or customer information. Testing helps ensure the training you provide is working. It is not to punish those who don’t respond correctly. The only way to know where you stand and correct behavior is through testing, training, and re-testing.

What I like about all of this is that not only are you protecting your organization, but you are empowering your employees to go home and protect their home computers through what they have learned. They can teach their friends and families what to look for. Our attackers are not just after our organizations; they are after anyone who can give them the edge they are looking for, and that includes you, your children, your parents, and your friends. The more you can teach your employees, and the more other leaders do the same, the more we are arming our people at home and at work to be our best line of defense.

This is a high-level list that will help you get the conversation started with your IT, security, and executive team. If you want to dive deeper email sharon@c-suiteresults.com and we can discuss your individual situation. For more articles on this topic visit my C-Suite Advisors Page.


The Secret to Hiring Cybersecurity Professionals

I have had a successful career in Cybersecurity since 2005 when we called it Information Security. Ironically, my background should never have landed me the job, but it revealed an important hiring secret: Sometimes the best person for a cybersecurity position is not a cybersecurity professional.

I know that sounds paradoxical and confusing, so let me explain. With the proliferation of job titles and educational programs with the word cybersecurity in them, hiring managers might think they need to hire someone with cybersecurity experience, and that is understandable. However, as we keep hearing, there are more jobs than qualified employees, the gap is going to continue to grow, and there is not enough diversity in the field, so alternatives become necessary.

Therefore, instead of searching for the perfect cybersecurity employee with a very specific skill set, technical background, knowledge of one particular tool, set of certifications, degree, and many years of experience, look to the less obvious source to hire your next cybersecurity employee – the artist, the accountant, the liberal arts major, the writer, the veteran, or the gamer (to name a few). Here’s why.

Cybersecurity professionals are creative problem solvers, enjoy tinkering with new tools, and like connecting the dots or solving puzzles. They need to be strong leaders and proficient writers. Depending on the role, they may need to enjoy solitude or thrive in chaos. They are good communicators, team players, and dreamers.

My success in this field is because someone gave me a chance when I had no relevant experience. They needed my skill set as an auditor and gave me the opportunity to learn on the job, which I did with their help. The guys I worked with started me off slowly and then started to give me more and more responsibility. They saw that I would ask questions and that I could take what I was learning and use it. Before long I was on client sites alone, traveling internationally and given a lot of responsibility. If it were not for these guys who took a chance on me 13 years ago I don’t know what my career would look like today. I am forever grateful to them, and that is why I have some recommendations for hiring your next cybersecurity employee.

My Top 5 Recommendations for Hiring Your Next Cybersecurity Employee

1. Know the underlying skills needed for the position. Many cybersecurity positions require lots of writing and documentation, sometimes for non-technical audiences. You may find an excellent candidate with a journalism degree or background in technical writing. You may just find that it is easier to teach a good writer about security than teach an IT or security expert how to write and it may offer more qualified candidates for the position.

2. Determine if the role requires lots of solitary work like looking at monitors or analyzing log files. You want someone who enjoys the solitude of this type of work and also enjoys puzzles. People who can spend hours alone working on puzzles, crosswords, games, or other brain teasers are well suited for this type of work because they enjoy solving problems and thrive working alone. You will teach them what puzzle they are trying to solve and they will get busy solving it. This may be more challenging to identify in a traditional resume; make it part of the hiring questions or job description where applicable.

3. Know if chaos is at the heart of the position. Depending on the role it may involve a lot of chaos: lots of moving parts, threats, cyber attackers, high visibility, high expectations, and competing priorities amongst the business executives and board of directors. Working well or even thriving in chaos takes a special individual; it’s not for everyone and you can’t teach it. Look at military veterans, former police officers, and people who have held positions where chaos was their daily norm, even if outside of IT and security.

4. Understand the amount of technical knowledge necessary. Many roles today are for compliance and a strong auditor could be a great fit, even if they don’t have a strong technical background. Auditors are skilled at learning new topics very quickly and analyzing information to determine deficiencies and gaps. When you give a strong auditor the information they need and the tests to perform they will pick the rest up quickly and learn on the job.

5. Consider on-the-job training. This will allow you to bring in more entry-level employees with less cybersecurity or technical experience at a lower cost and train them with the tools and information that are important to your organization. With the right training and mentorship these entry-level employees will thrive and grow into your next generation of leaders.

The traits I’ve listed above are those you need to consider whether you are bringing in someone with previous experience or whether you are looking to diversify and bring in raw talent. There are many qualified employees who will make excellent cybersecurity professionals if given the opportunity and they are hungry to learn and be part of this exciting field. All they need is the chance, a mentor, some training, and the opportunity to learn and grow in the field.

My Top 5 Don’ts for Hiring Your Next Cybersecurity Employee

1. Don’t assume someone with a long list of certifications is good at security or good in the role you are looking to place them in. Many people can pass a certification, but that does not automatically mean they are right for the job. Does the job require skills that someone who passed the exam would have over someone without the certification? Plus, you don’t know how many times they took the test before they passed. The person who finishes last in medical school is still called Doctor. Don’t assume a certification means they are a good fit for the job or that the job needs someone certified; be specific as to why the certification matters before making it a requirement.

2. Don’t dismiss candidates because they don’t have certifications. Yes, this is the opposite of number one, but just as important. I did not have any certifications when I was introduced to this industry. Some certifications require years of experience to get and you will miss out on some great employees if you set the bar for entry unnecessarily high with certification requirements.

3. Don’t assume that people with strong IT backgrounds make good security professionals. IT professionals may not know security, just like security professionals may not be technically proficient. While most of what a cybersecurity employee does has to do with technology, it is not all about technology. Make sure that an IT professional is being considered because they are a good match for the underlying needs of the position and not just because they have IT skills. If they fit into the category of being well suited for the needs of the position and can learn security on the job like the auditor, journalist, or artist we’ve mentioned before, then of course they make a great candidate too.

4. Don’t write the job description so specifically or narrowly that only a few people in the world could match it. This is especially true if you are looking for more of a junior role. When you combine a desire for lots of experience with knowledge on very specific tools, and think that someone in your geographic area is going to be a fit, it could take a long time to fill the position. Go to #1 on the Do list instead.

5. Don’t dismiss the importance of soft skills. The best cybersecurity professionals have strong soft skills like communication, writing, and diplomacy. These positions are often in front of executives and other business leaders and require the ability to communicate in language that everyone will understand and in a way that will build relationships, not be adversarial.

Candidates with cybersecurity experience are great and you should definitely consider them as long as they fit the specific needs of the position, not just because of their general experience, education, or credentials. If you are hiring for a senior position or a consultant who will be out advising clients on topics of security, of course you need and want experienced employees; just make sure they are the right employee so that you and they have a long and happy working relationship together.

If you want to discuss hiring for cybersecurity, building teams, or cybersecurity strategy, email sharon@c-suiteresults.com.

Sharon is an information/cyber security veteran who has been helping clients navigate security and compliance challenges since 2005. She currently works as a Virtual Chief Information Security Officer (vCISO) for small to medium sized clients who don’t have their own CISO or security department. Sharon received her Masters in Forensic Science, High Technology Crimes Investigations from The George Washington University and currently is a Certified Information Systems Security Professional (CISSP).


What Cybersecurity Professionals Forget to Tell You

As a cybersecurity consultant and advisor, I often forget that my clients and those of you who are out there running your businesses don’t think about cybersecurity the way I do, and that’s fair; I don’t think about your industry the way you probably do. We all have our “thing” that we do really well and we forget that others don’t see our “thing” the same way.

Often cybersecurity professionals use FUD (Fear, Uncertainty, and Doubt) to explain why cybersecurity is important, with tactics such as listing lots of statistics on all the breaches, after which they will conclude, “It’s not if you’re breached, but when”, and make you wonder whether you’ve done enough.

What we have forgotten to tell you is that cybersecurity is actually a strategy you can use as a competitive advantage within your industry. It is part of running a successful and influential business. By implementing cybersecurity in a strategic way, you can reduce risks that can cost you more later, become more competitive, and improve your bottom line.

Brand loyalty is not what it used to be (unless you’re Apple or Android, where there’s a fight to watch between loyalists). Consumers want to do business with those who want what is best for them, and they will leave very quickly if they feel you don’t care about them. They want you to protect them and be willing and able to protect their information. In the case of many new products consumers need you to protect their physical well-being and in some cases their lives. Whether your product can track their location, expose their information or their privacy, or physically harm them if not developed correctly, your customers need your help. The more you can show you are doing the right things, the more loyal your customers will be.

Maybe you don’t sell to consumers and are not concerned about brand loyalty from that perspective. If instead you sell a service to other businesses or to the government, cybersecurity may be the competitive advantage you are looking for. Many industries and any government contract will require their business partners, vendors, and service providers have a cybersecurity program to protect connections and data. If a potential business customer comes to you with a contract that would be great for your bottom line and says “we can do business with you if you can provide information and attestation regarding these 200 security questions”, I guarantee it will be much more fun if you can easily say yes and get that business. I constantly recommend to my clients when they are on the search for new business partners and vendors to have a due diligence process and only contract with those who can show they have implemented compliance and/or security programs. It is much easier to put the program in place before the contract shows up.

Other benefits include teaching your employees good security practices at work, which not only protects your organization, but also helps them stay safe at home too. When you care about your employees and teach them how to protect themselves you can add a level of employee loyalty. Not to mention it’s also being a great corporate citizen for your community.

If customer loyalty, new contracts, and being a great corporate citizen don’t resonate with you, then maybe improved stakeholder confidence is what you’re looking for. I’m not a stock market whiz, but last time I checked stock price valuation has a lot to do with confidence, and when your customers and employees are confident in your organization and product, your stock price should reflect this.

That was the short discussion I wanted to have when I realized that we have forgotten to share all the good reasons to implement cybersecurity.

If you want to continue the conversation or have specific cybersecurity questions, reach out via email to sharon@c-suiteresults.com. I’m happy to discuss strategy and options for improving your cybersecurity posture.


Hackers are Your Friend

I get a lot of inspiration from reading articles, posts and conversations on LinkedIn about my field, Cybersecurity. Recently, a fellow security professional and friend posted an important correction regarding the use of the term “hackers” and how he is tired of the term being used negatively, since he considers himself a hacker and is by no means a bad guy. That made me realize that the term hacker gets thrown around in a way that paints all hackers with the same brush stroke.

Thanks to the media, news, television, and movies, a hacker is typically depicted as a young man in a hoodie sitting in his basement (or his parents’ basement) or in some dark corner of the globe, punching away at a keyboard and effortlessly doing nefarious things like stealing identities, credit cards, and intellectual property, and basically wreaking havoc.

The PSA I’m sharing today is that, in reality, that is the picture of a cyber-criminal. Hackers, like my friend and many security professionals I know, are the good guys and gals that walk amongst us every day with no intent to do harm.

These “good” hackers are security professionals hired to secure organizations and government networks by attempting, legally and with permission, to break in and identify their weaknesses so they can be fixed before an attacker or criminal does the same. These professionals are often known as penetration testers, and in some organizations, especially the government, they are known as the Red Team. They are trained and skilled at doing what is shown on television as something evil. There is even a certification called Certified Ethical Hacker.

On the other hand, people who break into networks and systems without permission, gain unauthorized access, steal information, and in some cases make the data unusable to the organization are criminals. You can call them criminals, cyber-criminals, attackers, or cyber attackers if you want to be accurate, but calling them hackers makes it sound like all hackers are evil, when in reality there are so many hackers who are security professionals trying to help protect organizations through their skills of hacking.

The criminal and the security professional use the same techniques, same tools, and same knowledge, but they have different agendas. The intent behind their action is completely different.

The next time you post or talk about hackers, be clear who you are talking about. If you are referring to criminals, be clear about that, and differentiate between those who are nefarious and out to do harm and those who are there to serve and protect.

If you want to learn a lot from a good hacker that I admire greatly, follow Chris Roberts on LinkedIn.

If you want to talk about having a Certified Ethical Hacker or cybersecurity professional help you ensure you are doing what it takes to keep the cyber attackers out email me at sharon@c-suiteresults.com.


Back on the Horse

I had writer’s block during the month of March. I typically write about cybersecurity or about leadership, both passions of mine and areas I work in, but I was not sure what to write about that would be useful, educational, and interesting.

The reason I’m writing about not writing is to talk about goals and getting back on the horse when things don’t go as planned. One of my goals or intentions for Q1 this year was to write and publish 12 articles. I was on track up through the first week of March; however, I hit the wall and by the end of the quarter I had written nine instead of 12 articles. Missed the goal by three, which may not sound like much, but for someone who is not great at completing what they start, it was a big blow for me.

When I sit down and set goals I tend to start off with a bang, but over time, when the rubber meets the road things often fall apart or I lose steam before I ever cross the finish line.

Why am I telling you this dirty little secret of mine, why would someone who helps others reach goals tell you that they have difficulty in reaching their own goals? Because I want you to know that if this is an area of challenge for you, that you are not alone. Whether they are work goals, organizational goals, family goals, or personal goals it can be isolating and we feel alone in our “failures.” I put the word failure in quotes because we often say to ourselves that we have failed when we have missed the goal, but we only fail when we let missing the goal get the better of us, when we don’t get back on the horse.

If this sounds familiar let me tell you that you’re normal and you are not actually alone. For me I really think it’s about focus, which turns out to be my word for the year. I’m trying not to have as many squirrel moments and stay focused on the task at hand, trying to overcome the shiny object syndrome that I have.

That is why I was excited when my friend Susan Trivers recently invited me to her workshop about singular focus. She talks about 3x3x3. You pick one outcome to focus on for the next three weeks and then you set an appointment with yourself three times a week for three hours at one time to only focus on that outcome. Over three weeks that is 18 hours of dedicated focus. The thing I liked about it was that the outcome can be anything, even a question that needs to be answered. My first 3x3x3 is my podcast, C-Suite Success Radio and getting all my shows moved over to the C-Suite Radio platform. Check back in three weeks to see if I have accomplished this mini-goal.

When things don’t go as planned, as they often don’t, a short-lived pity party may be in order, but that can’t last long if you are serious about accomplishing new things. To quote my favorite line from The Big Bang Theory, “Buck Up Sissy Pants”, and get back on the horse.

If you have goals you are trying to reach and need someone to give you a kick in the pants or help you work through the plan reach out to sharon@c-suiteresults.com.


The Gorilla in the Room

At a recent conference I attended, the keynote speaker talked about a study that I realized had surprising implications for effective leadership.

In this study, people watched a video of kids passing basketballs. Half the kids were wearing white shirts, and half wore black shirts. The instructions were to count how many times the kids in the white shirts passed the ball. Halfway through the video, a kid the same height as everyone else, dressed in a gorilla costume, comes walking onto the court from the right-hand side of the screen, stops in the middle of the kids, looks directly at the camera, pounds his chest, and walks off the far-left side of the screen. When asked afterward whether they saw the gorilla, only 50% responded yes. That is because the other 50% were so focused on the instructions to count the kids in white shirts passing the ball that they completely missed this gorilla in the room.

Why is this important, and what does this have to do with leadership?

It’s important because it highlights how much we can miss when we have selective attention, which is defined as the process of focusing on a particular object in the environment for a certain period of time while simultaneously ignoring irrelevant information. Our attention is a limited resource so it makes sense that using selective attention allows us to tune out unimportant details and focus on what really matters.

The everyday purpose of selective attention is to prevent overload: when people focus on too many new ideas and opportunities at once they become overwhelmed and can’t make a choice about how to move forward, and analysis paralysis sets in. That is why selective attention is imperative.

But what happens when that selective attention turns into tunnel vision? We often think that what we are focused on is the most important thing, the only answer. But what if you and your team are so focused on what you think the answer is that you miss out on new ideas and opportunities?

I propose that selective attention should be practiced deliberately and with intention in order to ensure that it does not turn into tunnel vision. Instead of being so focused on your solution that you only see the ideas, people, and research that support that decision, what if you spent some time each week with your team or a partner deliberately focused on new ideas, open to the possibility that your idea is not the best solution?

The goal for this time is for your team on a weekly basis to get together and discuss their specific focus and the tasks they are currently using selective attention to complete. Each member of the team can then ask questions to see if tunnel vision has taken over, if new ideas are needed, or if new opportunities have been missed.

This should be a healthy conversation that allows debate, discussion, and challenges to keep everyone thinking in new ways. If nothing new comes from it, they can go back to their selective focus on that task or project for another week. However, if something new sparks from this, they should be allowed to explore what that might mean for the project and the team.

This is especially important if you are responsible for a team or project. Of course, you want your team to focus on their tasks in order to reach the desired outcome for the project. Selective focus is necessary in order to get work done without distraction, but it can also lead to missed ideas and new innovation when done in isolation.

The intent of being deliberate in selective attention and making time to ponder new ideas and opportunities is to help avoid tunnel vision and realize that the details you tune out might actually matter.

If you have examples on how selective attention has affected your team for better or worse, email sharon@c-suiteresults.com to share your experiences.


Cybersecurity Checkup

Most people understand that going to the doctor and dentist on a regular basis is good preventive practice for their health. Getting your teeth cleaned and x-rayed can help prevent future damage, and getting regular blood work and physical exams can catch issues before they become serious.

The same is true for your technology and business practices around cybersecurity. Regular checkups and exams are necessary for the basic health of your systems and to prevent more serious problems later. Knowing early on if there is an issue that needs to be fixed can help you before it becomes too late or more costly.

As a security consultant I am akin to your general practitioner at the doctor’s office. I conduct checkups for systems and processes to determine the cybersecurity health and potential future needs of organizations. Having someone with this skill set come in at least annually and look at your systems is key to maintaining a healthy network. Ignoring your security checkup can lead to an unavailability of system resources, which happens when attackers use ransomware to keep you from accessing critical business data. Another concern that the checkup addresses is ensuring there is no weakness in the integrity of data or, what seems to be the most common headline, the loss of data to hackers or attackers.

Let’s look at three important elements of a cybersecurity checkup.

First let’s look at your infrastructure, which you can think of as the bones that make up your organization. If a device or system on your network isn’t configured correctly it can cause many problems. Systems and data can become unavailable to users and customers, or worse, malicious users or hackers could gain unauthorized access to your systems and data. During the checkup your security consultant will look at system configurations to help identify any weaknesses and provide recommendations for fixing any breaks they find.

Second, you need to look at the hardware and software that makes up your network and is part of your infrastructure. These devices can be infected by what is known as a computer virus or bug, referred to in broader terms as malware. With people we have ways to detect if there is an infection and ways to prevent or cure it. For your systems, the main way this is accomplished is through the use of anti-virus or anti-malware software. This software can test the system looking for vulnerabilities and weaknesses (bugs and infections). Your security consultant conducting your system checkup will make sure that the software is current and working properly, and look to ensure that all current patches have been applied to fix known issues.

When you go to the doctor there are many tests in which you get poked and prodded, many of which are not fun, but incredibly necessary. A good friend of mine was recently diagnosed with cancer as a result of his prostate exam. I am quite certain the exam was not something he was looking forward to and he could have easily put off, but since he didn’t put it off he was diagnosed early and has a very good prognosis for being cancer free.

This takes me to the third and one of the most important and often underutilized types of security checkup – penetration testing. This is the most important, but least common checkup. This type of test should be conducted by a subject matter expert, i.e. a specialist rather than a generalist. This professional conducts very technical tests against your organization’s systems to try to break in like someone who is up to no good, but doing so with permission and ground rules. They can do this from the Internet like most malicious hackers, and they can do it from inside your network to mimic a malicious internal user. External and internal penetration tests are some of the most important tests you can run against your systems to make sure you truly understand the cybersecurity health of your organization from the inside out.

These important security health checks should also be conducted throughout the year by your IT staff as part of their ongoing operating procedures in addition to at least annually by an independent third-party. If you have outsourced your IT to a service provider make sure they are conducting regular security checks in addition to having an independent third-party or internal audit group do an annual checkup as well.

Don’t be caught with a diagnosis that is hard or expensive to fix because you decided to skip the annual checkup. If you have questions and want to discuss all the elements of a security checkup in more detail email sharon@c-suiteresults.com.

Categories
Best Practices Growth Management Personal Development Technology

Back to Basics

In the spirit of the recent Super Bowl, let me ask you this: Do you think the Patriots or Eagles would have made it to the big game if coaches Bill Belichick or Doug Pederson didn’t focus on the basics first? How about legendary coach Vince Lombardi, who after losing to Philadelphia in the 1961 Championship game (before there was a Super Bowl) started the next season holding up a football and saying “this is a football,” then continued to work on the basics of blocking and tackling for the rest of training camp. His team won the Championship title six months later.

Whether you are in pro sports or cybersecurity, getting back to basics is essential. However, in modern times organizations seem so focused on new technology or cutting costs that they have forgotten about the cybersecurity basics.

When talking about cybersecurity basics we are talking about three things: People, Processes, and Technology.

We start with people because people are your first line of defense against a cybersecurity incident and, as security professionals know, they are unfortunately also your weakest link. They are your first line of defense because they can see anomalous behavior and activity, and they are your weakest link because they often don’t know what they are looking for.

Ransomware payouts of 5 billion dollars were made in 2017, with predictions of 11.5 billion by 2019. This attack is often successful because an innocent user clicks on the wrong link in an email or visits the wrong website.

This means that getting back to basics with people is all about good, consistent, and frequent security awareness training. Letting your workforce know that they are the front line of defense against a cyber attack will pique their interest; they will want to learn more. Reminding them of their role and providing them with the knowledge they need to do something about it is the key to getting back to basics.

Make sure they know what to look for, what to do or not do on their computers, and how to report anything suspicious. Reward them for staying on top of security, give them some skin in the game (no pun intended.)

When you rely on that one annual security awareness computer course each year you are missing out on the basics. Your entire team needs regular training if they are going to be sharp on game day, which is every day in the defense against the cyber attacker. And don’t forget that your employees who do have a job description that includes security need additional and ongoing training above and beyond what everyone else is getting.

We now move to processes because this is what people do daily for their jobs. It’s the process that gets data from point A to point B and the process can be manual or automated.

So what do processes have to do with cybersecurity? Processes are typically created by users who are trying to make their jobs easier (that’s fair) and have not given thought to security, which makes sense since it’s not what they are trained to do. However, in creating those processes they don’t realize that they are creating security risks.

The solution is providing the business user with the knowledge that while they own their process they also have a responsibility for ensuring the process is secure. That means providing a way for them to determine easily if their new idea needs to be run by a security expert before implementing it. Basically the players here (your users) need a coach (the security expert) to run the play by before they run it on the field during the big game.

Last, but not least is technology and while many people think that technology should come first in protecting data it actually comes last. More on that in Security is Not an IT Problem.

This is about to get more technical and if you are a non-technical executive I implore you to read it and then talk with your technical advisors to determine how your team is doing on the technology basics.

From a technology perspective getting back to basics means ignoring all the new flashy technology on the market today. IT decision makers are inundated with fancy names, and terminology like cloud, artificial intelligence, threat modeling, next generation, ransomware, zero day, phishing, data loss prevention, and much more. This can divert their attention towards the new technology and away from the basics.

Patching is as basic as it comes for technology and something that has been around as long as there have been computers. However it is still not applied consistently within organizations and has been pointed to as the cause (there is never just one cause) for the Equifax breach. Only two months behind in applying the patch doesn’t seem like a big deal until it becomes one of the key reasons you lose 143 million customer records.

Back to the football analogy: when you know there is a patch available and you don’t apply it, it is like the coach and players knowing there is a hole in their defense, knowing the quarterback can run right through it for the touchdown, and yet not making any change to fix the play.

There are many other basics when it comes to technology, like password controls, user access controls, encryption, firewalls, and anti-malware software, to name a few. None of these are new; they have all had technology to support them for a very long time, and yet many organizations are not focusing on these basics. They allow users to keep the same password for years, they don’t control the access levels that users have and often allow administrative access to non-administrative users, they don’t encrypt sensitive data, they have wide open firewalls, and they don’t install anti-malware consistently.

I warned you that last section might have been Greek to you, and that’s OK because you don’t have to know what it means. All you have to do is have someone in your organization or a trusted advisor you can consult with to ensure the basics are covered before you start purchasing all the new whizbang technology.

Start with the basics: people, processes, and technology, and build from there, because you can have all the fancy technology in the world, but if you are not covering the basics you are still wide open to the offensive team making play after play. In other words, you are allowing the hackers to come in and take whatever they want.

If you have questions about the basics, email sharon@c-suiteresults.com. If you don’t have a security team and want more information on how Virtual CISO services work, which are designed to help small and medium size organizations maintain their security and compliance posture, reach out so we can talk in more detail.

Categories
Growth Management Personal Development Technology

Do or Don’t Do, Complain is Not an Option

Recently I wrote an article about why compliance is good and how it can drive security. After I wrote it I saw a conversation on LinkedIn where security professionals were talking a lot of crap about compliance and I thought, “Was I wrong?” That was a fleeting thought and I knew I wasn’t wrong in what I had written, but I also knew that we can’t keep complaining about the situation, talk shit, or roll our eyes; we actually have to do something that will impact change or we are just part of the problem.

So what can we do about making a change so that compliance has a positive impact on security?

Let’s start with the reason compliance gets such a bad rap. Security professionals don’t see compliance help improve the security posture of an organization, and organizational leaders see it as a cost for something they don’t understand.

It looks something like this: 1) the organizational leaders have a bad attitude about it, thinking “it won’t happen to me,” and do the bare minimum for compliance in order to stay in business and avoid fines; 2) businesses are run by business people and they may not truly understand there is a difference between compliance and security; and/or 3) due to the attitude or lack of understanding they don’t provide the resources needed (people, budget, time).

For the leaders, let’s be real: anything that can happen to the other guy can happen to you too. If Target, Sony, Whole Foods, Equifax, and so many more that it would take an entire article to list them all (you’ve read the headlines) can be hacked, so can you.

For the security and compliance professionals, if executives don’t understand the difference between compliance and security, are we really doing our job? Are we making their lives easier or harder? Are we just selling them something and leaving, or are we really advising and consulting?

No one in this world is immune to bad things happening, but these two groups together can do something to improve the odds.

When these two groups come closer together in understanding, conversation, collaboration, and implementation we will actually start to move the needle.

The point of this short article is not a big how to list or more checkboxes. It is an awareness piece. If you are reading this as an executive you have a responsibility to learn more about how compliance and security are implemented in your organization. You must provide the necessary resources.

If you are a security or compliance professional how can you help your clients navigate this so that it isn’t so hard, so expensive, and so daunting? What can you do to help them operationalize security and compliance and make it part of doing business?

I don’t have all the answers, no one does, but we have to start talking about it. We have to stop complaining and start acting. We don’t have to know how; we just have to know it’s possible and that it’s important, but we have to start having different conversations. What problem are we really trying to solve and who wants to take real responsibility for solving it?

If you want to further this discussion I welcome a conversation, I want to help come up with the answers that I don’t have. I can’t do it alone because there are much smarter people than me out there. But until enough of us come together to solve the problem and for that matter identify what the problem really is, not much is going to change.

Email sharon@c-suiteresults.com so we can talk in more detail.