Retrospective review is an important part of any good cybersecurity program. So much so that NIST builds it into the Cybersecurity Framework, and many other industry standards and best practices incorporate continuous improvement as part of their methodologies. One frequently overlooked, but critical, point of retrospection is for a CISO who has been on the job for a while to consider how they might have made things better from the beginning. In an interesting article posted on HelpnetSecurity, Ray Pompton of F5 Networks asked CISOs that very question. If you follow our blog, the results shouldn’t be that surprising: the single biggest regret was that they had not put a cybersecurity strategy in place. Instead, they dove into the technical weeds, and the result was a patchwork of cybersecurity tools and duplicated efforts that is neither cost-effective nor efficient.
Another interesting take-away is that CISOs would implement more independent validation of the information coming from their staff. As we discussed in an earlier post, traditional approaches to cybersecurity and data privacy create inherent, systemic incentives for staff to downplay, and sometimes outright hide, problems they encounter or create. Independent review, through a combination of a strong compliance program and automation, can significantly strengthen a company’s cybersecurity program and is an important part of a comprehensive cybersecurity strategy.
Are you a CISO with similar concerns but unsure how to get started? Fathom Cyber can help you create a defensible cybersecurity™ program that protects your organization, and you, when a breach occurs.
Fathom Cyber’s CEO Jim Goepel was featured in the CISO Talks podcast published by Lepide. The main topic: how to improve board and CISO communications.
In a first-of-its-kind move, Yahoo!’s former shareholders have successfully obtained a $29 million settlement based on the failure of the company’s executives to properly protect the company from cybersecurity threats. The shareholders argued that the executives were not involved in setting cybersecurity policies or in the cybersecurity decision-making process. Many experts see this as opening the floodgates for future large-dollar shareholder derivative suits, which will add costs and distractions to companies already struggling to recover from a cybersecurity incident or privacy breach. When you add in the efforts of institutional shareholders to remove executives, including board members and the C-suite, from the companies in which they invest after a significant cybersecurity incident or privacy breach, executives are being forced to play an active role in cybersecurity and data privacy.
To survive these internal struggles, your company needs a defensible cybersecurity program. As the Yahoo! settlement drives home, empowering executives with the information they need to take the reins of the company’s cybersecurity and data privacy efforts is core to a defensible cybersecurity program. Executives need to shift their mindset from one in which they are merely informed about cybersecurity and data privacy issues to one in which they are involved in the cybersecurity decision-making process. They need cybersecurity and data privacy to make sense.
Don’t wait for your company’s next security event or data breach to implement a defensible cybersecurity program. By then it may be too late.
Fathom Cyber’s unique, risk-based approach to cybersecurity and data privacy allows companies to create agile yet defensible cybersecurity programs. Contact us at [email protected], or visit our website at https://www.FathomCyber.com for more information.
Fathom Cyber’s CEO, Jim Goepel, was quoted in an article about cyber insurance published on Spiceworks.com. The article has some excellent insight into how and when companies are purchasing cyber insurance.
Are you confident that your company’s cyber insurance covers the risks your company faces? Fathom Cyber can help you find peace of mind.
Jim Goepel, Fathom Cyber’s CEO and General Counsel, was quoted in an article on IoTForAll.com about where IoT is headed in 2019. The full article can be viewed here:
Where Is IoT Headed in 2019?
Fathom Cyber’s Jim Goepel was interviewed in an article about the importance of a strong cybersecurity culture and appropriate policies for companies looking to implement a Bring Your Own Device (“BYOD”) plan. For many companies, BYOD is a boon, helping to cut costs and improve employee morale by allowing employees to use devices they already have and with which they are comfortable. But for many companies, BYOD quickly becomes BYODB: Bring Your Own Data Breach. Executives must carefully examine the risks and rewards before authorizing a BYOD policy, and they must ensure that appropriate controls are in place and that the effectiveness of those controls is measured, monitored, and assessed. Fathom Cyber’s unique approach to cybersecurity helps ensure not only that the risks and rewards are carefully identified and balanced, but also that the decisions made are properly documented for regulatory, compliance, and litigation defense purposes.
When most people think of cybersecurity, they think about using tools to stop bad actors. But cybersecurity is really about finding business-intelligent ways to mitigate risks. One popular mitigation technique is cyber insurance. But cyber insurance is undergoing a lot of changes as insurance companies rush to adapt to customer demands, to changes in the way companies conduct business, and to the corresponding changes in risk. Does your insurance policy cover the way your organization conducts business? Is the value of the coverage appropriate? Is your organization able to prove to the insurance company that it is meeting its obligations under the contract?
As a recent article from Hewlett-Packard alludes to, a well-structured cybersecurity plan takes these and other issues into account. Fathom Cyber can help your organization assess its cybersecurity plan, identify shortcomings, and create a roadmap for addressing those issues that aligns with your organization’s business priorities, including mitigation plans like cyber insurance.
Many companies, including vendors doing cyber risk analysis, tend to focus only on the cost of fines, breach notification, and credit monitoring efforts when defining the cost of a breach. But, according to research by the Ponemon Institute funded by IBM, this only begins to scratch the surface. The average data breach costs the breached company $148 USD per record when other, secondary factors like lost reputation, lost productivity, brand tarnishment, and lost revenue are accounted for. This means that for the “typical” data breach, a company can expect to lose nearly $4 million USD. The costs can vary significantly by industry, with healthcare and financial services organizations seeing costs nearly three times the average. Ultimately, a poor cybersecurity culture is a fundamental reason why organizations continue to be breached. The CISO of a major bank, interviewed by Ponemon for NBC News, said: “Even though this was not our first data breach, I was surprised to see just how easy it was for the attackers to seize the identity of privileged users. The theft of valid credentials allowed them to bypass perimeter defenses and hunt for vulnerabilities.”
Effective cybersecurity begins with the Board and C-suite. If the organization’s officers and directors are not creating the right culture, employees will not pay appropriate attention to cybersecurity.
The state of Ohio recently enacted legislation which creates an affirmative defense for organizations involved in a data breach. “All” the organization has to do is prove that it has in place a written cybersecurity program that reasonably complies with industry standards. This is a great example of using legislation to create a carrot, rather than just a stick, when it comes to cybersecurity. Of course, there is still a lot of wiggle room in the legislation. For example:
- What qualifies as a written cybersecurity program? This may sound like a silly question, but just how detailed must this cybersecurity program be?
- How often must the program be updated?
- What happens if the organization deviates from the plan?
- What “industry standards” are acceptable?
- Is it acceptable to only be in compliance with a single industry standard (e.g., PCI)?
- What is “reasonable” compliance?
Fathom Cyber has created a unique approach to cybersecurity and data privacy that is based on leading standards, like the NIST Cybersecurity Framework and the Center for Internet Security’s Top 20 Controls, which means your organization can feel confident it will meet Ohio’s requirements (and those of other states and countries). Using our approach, your organization will create a robust, comprehensive, well-documented cybersecurity program that continuously improves and responds to changes in the organization’s business priorities, risks, threat landscape, and legal and regulatory requirements. The cybersecurity plan also documents deviations from the industry standards, to help demonstrate reasonable compliance.
Contact Fathom Cyber to learn more about how our innovative approach to cybersecurity can help your organization enhance its cybersecurity and data privacy protections while limiting its liability. Fathom Cyber: make cybersecurity and data privacy make sense.
We talk a lot about the growing need for officers and directors to be more hands-on with cybersecurity. We recently came across an interesting case from a few years ago that proves this point. As the article below discusses, in the Wyndham Worldwide case, a shareholder filed suit to compel Wyndham to sue its Officers and Directors for breach of their fiduciary duty. The shareholder lost very early on because Wyndham was able to demonstrate that the Officers and Directors had been on top of cybersecurity issues, including being proactive in addressing shortcomings as recommended by different vendors, and discussing cybersecurity issues at least fourteen times in four years, with the audit committee discussing these topics an additional sixteen times in that same timeframe.
Fathom Cyber gives your organization’s officers, directors, and other executives powerful information to help withstand such a suit.