
Is your company at risk during a crisis?

To all CEOs, CIOs and CISOs: with the Corona Virus currently on the loose, is your company prepared to respond? Many companies are thinking of laying off the critical personnel who keep your information available during a crisis. Laying off critical personnel during a crisis is the last thing you should do. Are you in a panic, or are you ready to respond in the case of an incident? Not only is the Corona Virus creating havoc worldwide; hackers are still attacking companies around the world. Recently Carnival Cruise Lines was hit by hackers.

Article: https://www.linkedin.com/feed/update/urn:li:activity:6643529645956354048/

If you do not have a good Cyber Defense, Disaster Recovery and Business Continuity plan in place, then you are still open to attack. This is the time to get qualified personnel and consultants in place to ensure you have a defense in depth strategic plan, so that your information is secured, available and ready. Cyber Security, Disaster Recovery and Business Continuity are crucial parts of any infrastructure, and being able to respond in a controlled manner will ensure your resources are available when necessary. Companies should be ready to respond, but in most cases they have put off the necessary plans in order to make a profit and don’t think about the potential risks. Some companies will not survive this crisis and will end up going bankrupt because of it.

Having qualified security personnel and consultants in place during this time will ensure your company is running smoothly once it is over. I have worked with many companies in the past and present, and their thinking is “let’s just put enough in place to pass the annual audit,” not thinking something like the Corona Virus will ever hit. Whether it’s a local, regional or worldwide crisis, companies should really think about investing in their Cyber Security, Disaster Recovery and Business Continuity planning and shore up their defenses to make sure they are operational before, during and after any crisis.

Wayne Salas

Firebird Security and Compliance Consulting LLC

https://www.firebirdsrc.com/

wsalas@firebirdsrc.com

714-595-8370

Warning: Is your Cyber and Information Security Program Putting Your Company at Risk?

By Wayne Salas

Most companies sincerely believe they have a complete compliance program in place or that they are not going to be breached. That is the farthest thing from the truth. Many companies have a compliance program and may have even implemented some of the controls that are required to be in compliance, yet they are falling short because they still have not taken a holistic approach to securing their information. Unfortunately, having personnel or consulting firms that help assess, audit or even implement your Cyber or Information Security Management System may not be the sure answer without your own due diligence. Today, even the consulting firms out there may not have qualified personnel to properly identify and implement your enterprise-wide Governance, Security, Risk and Compliance programs.

Finding a good consulting firm, or even a good consultant, depends on the person doing the interview understanding the requirements in enough depth to ensure they are acquiring the proper services for their company. Cyber Security entails detailed planning – just saying you can do it and being able to truly do it are two very different things. Over the past 25+ years, I have had over 250 to 300 engagements, and in about 85% of those engagements the company, even after being assessed for years, still didn’t fully comprehend the scope of its own environment. It takes around 3 years to properly implement and mature a Cyber Security Program. Personnel turnover and rotations can cause the program to fall by the wayside or suffer greatly if it’s not properly kept up. Cyber Security Programs are like gardens: if the weeds are left to themselves, they will overtake the garden and kill the fruit and vegetables within. If the cyber security program is not properly maintained, by next year’s audit or assessment the weeds will have overtaken the program, leaving risky gaps and shortcomings in its security and thus ensuring that the company will not only be out of compliance but also dangerously vulnerable to breach.

Finding a good consultant requires that any recruiter or Human Resources agent understands, at a high level, the skill set required for the positions they are trying to fill, or that the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) understands what they need from a consulting firm, to ensure they are getting properly skilled consultants who can implement their controls correctly and bring them into compliance.

There are skilled consultants out there who do understand what it takes to give their clients all the proper information necessary to implement their Cyber or Information Security Programs. But though the skilled are out there, they are relatively few in number, because the qualified ones are pretty much already employed or contracting on their own. Unfortunately, much of the rest of those available are still young in this field, with less than 5 years of experience, and not yet ready to deliver the complete cyber and information security program that your company requires to stay secure and in full compliance.

Recruiters call me all the time, and many are just trying to fill positions and are not worried about whether they are getting the right person or not. Unfortunately, that is the nature of the beast these days. Even a friend of mine, though completely unqualified, was hired as Director of Compliance for a major institution. He definitely does not have the skill set to be in that position but is still there to this day.

No worries though, there is light at the end of the tunnel, but it is still going to take some time. As Cyber Security personnel and consultants mature, their understanding and abilities will become more complete, and they will know how to properly scope your environment and give good, solid advice and guidance going forward.

Cyber Security Programs, if implemented properly, can survive personnel changes as long as upper-level management knows how to maintain the program. Transparency is a must, and having good, solid processes, policies, procedures, standards and controls in place will always make the program go more smoothly. Many companies only see the upfront cost, but do not realize that if a good consultant is acquired, they should be able to implement a solid and transparent Cyber Security Program that can survive personnel changes and be properly maintained, matured and even measured. In the long run, a properly implemented Cyber Security Program will be great for the bottom line, and that makes everyone happy, especially executive management, stakeholders and, if it’s a major publicly traded corporation, stockholders. This is why everyone should be behind the program. One thing I do know: there is no single solution to the cyber and information security problem and no single technology that can solve it. It takes a good consultant with an experienced and thorough understanding, as well as good communication skills, working together with the client to ensure they are implementing and documenting every control necessary for a complete Cyber Security Management System.


Wayne Salas is the CEO and Senior Cyber Security Consultant at Firebird Security, Risk and Compliance Consulting LLC, Phoenix, Arizona. He has over 25 years of Cyber and Information Security experience and is one of only about 3000 worldwide who are QSA, CISSP, ISO & HiTrust certified. He has worked directly with several enterprise-wide standards and regulations including ISO/IEC 27001:2013, NIST SP 800-53, NIST CSF, HIPAA, MURA, PCI, EI3PA, FFIEC, GDPR, and Nevada’s, Michigan’s and Mississippi’s Gaming Minimum Internal Control Standards (MICS).

https://www.firebirdsrc.com/

Email: wsalas@firebirdsrc.com

Experienced Consultants!!!

Things to watch out for in finding a good, experienced Cyber Security consultant and company. Many companies offer consulting, but do they have the knowledge to go deep enough to understand your environment and ask all the right questions? Some companies and consultants do not have the experience to actually do a thorough assessment of your environment. Having certifications is great, but without practical onsite experience you may not be getting what you pay for.

“Here at FirebirdSRC, we have over 20 years of experience in Enterprise Cyber Security to help you define every potential gap and build a strategic plan to resolve any issue.”