Tag Archives: cybersecurity

Jessica Robinson, CEO, PurePoint

Few corporate crises are as reputation-damaging as a cyber breach. It is cited as a top concern of virtually every major organization worldwide.

The Ponemon Institute 2018 Cost of a Data Breach Study found that globally the average cost of a data breach was $3.86 million, a 6.4% increase over 2017. The average cost per record stolen was $148. The average cost of a data breach to a small business is $690k.

With that in mind, we turned to Jessica Robinson, CEO of PurePoint International, which provides Virtual/Outsourced CISO services to middle-market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. This article is excerpted from a LinkedIn essay advising C-suite decision-makers what to avoid when hiring a Virtual CISO.

It was recently suggested to me by a security colleague who works in penetration testing that I write this article. However, it was only when I was feeling a bit alarmed after talking with several people recently about the security services they are receiving (or providing – yes) that I thought I would share a few thoughts.

More and more people are asking me about my role as an Outsourced Chief Information Security Officer (CISO). Since I started my company, the cybersecurity industry has been predicted to expand by $133B in total spend on products and services by 2022. With regulations like the New York Department of Financial Services (NY DFS) Cybersecurity Regulation (23 NYCRR 500), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), there are an increasing number of companies offering an Outsourced or Virtual Chief Information Security Officer (CISO) service, cybersecurity services in general, and data privacy services.

After recently working with a $200M insurance company to meet NY DFS cybersecurity compliance requirements, which was later validated by a regulatory visit from NY DFS, and additionally, in a role as Data Privacy Officer (DPO), working on a data privacy program to support organizational Binding Corporate Rules commitments under GDPR (which was validated by two other Data Privacy Officers), I continue to be concerned at what leaders (on the business side and the technology side) think a CISO does.

7 Erroneous Assumptions about Outsourced CISOs

Though I have clear, distinct thoughts on what makes a good Outsourced CISO, below are the top seven mistakes C-level leaders make, and technology leaders believe, when hiring an Outsourced, or Virtual, CISO. For the sake of this discussion, I will define an Outsourced or Virtual CISO as a non-full-time employee. The actual hours may vary based on the needs of the business (size, business growth, industry, and regulatory requirements the business adheres to). The word virtual also indicates the CISO may not actually spend much time, or any time, in the office and may work remotely. Even if that is the case, that would not negate the ultimate responsibilities an Outsourced/Virtual CISO has.

1. It can cost $500 a month for a Virtual CISO service. It’s important to understand that not every business needs a CISO. If there is a CISO service offered for $500 per month, it is a service being offered to a business that may not need a CISO service and/or the provider is simply not executing on the role of CISO, but rather supporting as a virtual security manager. This role can be important for very small businesses depending on the industry, projected growth and target base of clients. However, an Outsourced CISO would not be hired for $500 a month, and certainly not for a regulated company that must comply with key cybersecurity and data privacy regulations.

2. Outsourced CISOs only need to spend a few hours a month on your business. Perhaps this is true if you are a small company in a non-regulated industry. This can be the case with a small consulting company, or a few small retail stores and restaurants. Again, these businesses may need a security manager, not a CISO. In my experience, this also would not suffice for a regulated company in financial services. I have had security leadership roles in very large companies and in very small companies. Without a doubt, more of my actual time in hours has been with smaller companies because of the limited resources. As a CISO with a regulated entity, more than a few hours a month will need to be spent in the business.

3. An Outsourced or Virtual CISO is like Outside Counsel; they are on retainer and you just call when you need them, and they respond. I am not in a position to comment on the role of Outside Counsel, however, an Outsourced CISO is providing key deliverables to the business on an ongoing basis, not just when the business asks for something. If you have a CISO and they just “respond” when you need them, or just send you a monthly report, that is a red flag.

4. Why hire a CISO when the IT team “has got it?” It is not the role of IT to fully manage security. Everyone in the organization is responsible for security, including IT, but having IT fully own security, inevitably, can surface inherent conflicts of interest and a false sense that security is fully adhered to. The IT team already has a really important job and we need them to do it really well! Simply put, if security were solely IT’s job, in the United States we would not currently need over 300,000 people to fill cybersecurity roles, according to CyberSeek. Why would the CISO role even exist?

Additionally, there would not be a mandatory cybersecurity requirement for the role of the CISO to be implemented or serviced to covered entities regulated by the Department of Financial Services. The only exemptions include organizations with less than 10 employees, organizations that produce $5M or less gross revenue from NY operations in each of the last three years, or businesses that have less than $10M in total assets. The CISO would also not be required to report to the board, as stated in the NY DFS cybersecurity regulatory requirements. Regulators would be fine with just having the Director of IT, Head of Infrastructure or the Chief Information Officer (CIO) do it.

5. All the CISO does is write policies. A CISO does not write policies. Someone, or multiple people, on their team does, unless it’s a smaller company. In short, the CISO, along with several other partners, helps to validate (and enforce) that the policies accurately reflect the business and IT environment and culture, address regulatory concerns, and address current and future business and security objectives.

6. The CISO, especially in a $100M – $500M company, is just a project manager. No. In these smaller companies, a CISO is executing on core priority objectives at a much higher percentage of the time than CISOs in larger multi-billion companies because the team is much smaller. All CISOs are interpreting key technical information from a variety of sources and presenting that information to the board and influencing the decisions of board members, CEOs and C-level executives, and influencing the behaviors of ALL employees. They are also making the priority decisions on how the cybersecurity budget is spent and providing input on how the IT budget can (better) support security. The CISO is a strategic advisor, not a functional leader, to the business. Though project manager skills can be helpful, a CISO, as a leader in the business, influences the security of the products and services a company offers, which impacts the clients and other stakeholders, and impacts the profitability and reputation of the business. These are just a few reasons why this position is required to report to the board for companies regulated by the Department of Financial Services in the state of New York.

7. CISOs don’t really need to be a security leader; another leader in the organization can take on the responsibility. Each business may have a unique complexity or reporting structure that includes security. However, this approach, inevitably, can surface inherent conflicts of interest that exist within roles of responsibility (CIO, Chief Financial Officer (CFO), etc). It is easy for security to be added behind the priorities of other executives.

Having the right outsourced CISO is critical

In hiring a CISO, as a C-level leader, you are investing in a change to bring about desired business or regulatory outcomes, you are adjusting your schedule to make time for a topic you may not understand nor have a desire to discuss, you are making investments in your business positively, and you are creating true accountability on a topic where the ultimate responsibility lies with you.


Read the complete article: What Really Does a Virtual CISO Do? The Top 7 Mistakes C-Level Leaders Make (and Myths Technology Leaders Believe) When Hiring a Virtual CISO

Kenneth Citarella

Cyber risk protection is a key aspect of reputation management for corporate leaders, high net worth individuals and their organizations. We interviewed Kenneth Citarella, Senior Managing Director, Investigations and Cyber Forensics at Guidepost Solutions to gain insight into the most common (and often surprising) threats they face. Guidepost Solutions LLC is a multinational investigations firm specializing in monitoring, compliance, international investigations, and risk management solutions. Mr. Citarella’s areas of expertise at the firm include computer crime and fraud.

What are some examples of cybercrimes you have seen that could have been prevented with better due diligence and proactive risk assessment?

We were retained to investigate problems at a firm after it had hired a new CFO to oversee the design and implementation of a new computer network. The new CFO hired a personal friend as a consultant on the project. Then they conspired to overbill the firm and monitor the emails of key personnel. Simple due diligence would have disclosed the relationship. Also, it is important to remember that due diligence on a third party vendor who will have access to your network must include their cybersecurity practices. One of the most publicly scrutinized attacks on a retail chain began through its HVAC vendor. Incidents such as these illustrate how important it is to be aware of your network’s vulnerabilities so you can identify and implement preventive practices.

How have the new technologies used by corporations changed due diligence methods — and where do you continue to see vulnerabilities?

Due diligence methods have not changed that much. Internet-based research has been around for years. But the objectives and scope have greatly expanded. For example, if you are acquiring a company, you are not only concerned with their profitability, personnel, facilities and other traditional qualities, but with their digital practices as well. Can your networks be integrated? Are data protection procedures equivalent? Are your BYOD policies the same? Questions like these have to be addressed so that you are at least aware of the risks you are assuming. These questions are as necessary as evaluating internal financial controls and inventory. The issues are similar when evaluating third-party vendors. They handle your data and access your network. Their cyber vulnerabilities become yours.

What are the most common cyber threats facing high net worth individuals and their families?

High net worth individuals and their families face all the same cyber risks as anyone else, but they are also more lucrative targets and often have higher Internet profiles—of which they may not be aware. For example, information about a prominent executive may exist on multiple websites, including those of his employer, a conference he attended, and a trade association he is involved with, as well as on public media platforms. In addition, the executive’s children may be active on numerous social media platforms, leaking details of family and parental activities. From these rich sources, a criminal can mine enough details to craft a carefully scripted approach targeting a specific person (which is known as spear phishing). Far more sophisticated than the more general shotgun attempts aimed at the unwary public, these attacks will reference details of the target’s professional or personal life that only a genuine associate would typically know. That is what makes them so hard to resist. Add the fact that many high net worth individuals have personal administrators for their homes or offices who answer emails, and the risk escalates. Modern communications have effectively created a due diligence obligation for high net worth individuals to know and control their Internet profiles in order to minimize their risks.

If you could give them one piece of preventive advice, what would it be?

Assume you are at risk. Get educated about your vulnerabilities, address them and periodically reassess.

Cyber risk is in the news daily (and many more incidents are not made public). Can you provide examples of the type of incidents that are most damaging to corporate and executive reputations?

Recent headlines provide all the examples we need. Multiple retail chains have been hurt because they cannot protect their customer data. If the public hesitates to shop at a store because of data breach concerns, sales, income and stock price can all fall. Intrusions have destroyed emails and corporate assets, exposed embarrassing internal communications and identified people looking for sexual affairs. Reputation repair for the individual and the organization may take an extended period of time—or may not happen at all. A high-profile corporate or personal life in the 21st century requires adequate cybersecurity at home and at work as well as a protected and controlled Internet profile. Highly qualified professional assistance to secure those objectives is a must.

This is the third in a series of interviews with experts whose work relates to online reputation management.

Future Crimes by Marc Goodman

Marc Goodman’s Future Crimes: Everything is Connected, Everyone is Vulnerable and What We Can Do About It (Doubleday, $30) is a must-read. Goodman has spent a career in law enforcement and technology, including serving as a futurist-in-residence with the FBI.

Future Crimes exposes the ways criminals, corporations and countries are using new and emerging technologies against you – and how this makes you more vulnerable than you ever imagined.

Here are two excerpts that stand out:

If you don’t own and control your own online persona, it’s extremely easy for a criminal to aggregate the known information about you and use it for a wide variety of criminal activity, ranging from identity theft to espionage. Indeed, there are many such examples of this occurring, especially for high-profile individuals.

The more data you produce, the more organized crime is happy to consume. Many social media companies have been hacked, including LinkedIn (6.5 million accounts), Snapchat (4.6 million names and phone numbers), Google, Twitter and Yahoo. Transnational crime groups are responsible for a full 85% of those data breaches, and their goal is to extract the greatest amount of data possible, with the highest value in the cyber underground.

In 2013, the data broker Experian mistakenly sold the personal data of nearly two-thirds of all Americans to an organized crime group in Vietnam. The massive breach occurred because Experian failed to do due diligence.

Goodman concludes Future Crimes with an appendix of tips that will help readers avoid more than 85 percent of the digital threats that they face each day. (Turning off your computer at night is one.) Reading the book will help you understand why they are so important.