By Wayne Salas
Most companies sincerely believe they have a complete compliance program in place, or that they are not going to be breached. That is far from the truth. Many companies have a compliance program and may even have implemented some of the controls required for compliance, yet they still fall short because they have not taken a holistic approach to securing their information. Unfortunately, having personnel or consulting firms that help assess, audit or even implement their Cyber or Information Security Management Systems is not a sure answer without your own due diligence. Today, even the consulting firms out there may not have qualified personnel to properly identify and implement your enterprise-wide Governance, Security, Risk and Compliance programs.
Finding a good consulting firm, or even a single consultant, depends on whether the person doing the interview understands the requirements in enough depth to ensure they are acquiring the proper services for their company. Cyber Security entails detailed planning; saying you can do it and being able to truly do it are two very different things. Over the past 25+ years, I have had 250 to 300 engagements, and in most of them, roughly 85%, the company, even after being assessed for years, still did not fully comprehend the scope of its own environment. It takes around 3 years to properly implement and mature a Cyber Security Program. Personnel turnover and rotations can cause the program to fall by the wayside or suffer greatly if it is not properly kept up. Cyber Security Programs are like gardens: if the weeds are left to themselves, they will overtake the garden and kill the fruit and vegetables within. If the cyber security program is not properly maintained, by next year's audit or assessment the weeds will have overtaken the program, leaving risky gaps and shortcomings in the company's security and thus ensuring that it will not only be out of compliance but also dangerously vulnerable to breach.
Finding a good consultant requires that the recruiter or Human Resources agent understand, at a high level, the skill set required for the positions they are trying to fill, or that the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) understand what they need from a consulting firm, to ensure they are getting properly skilled consultants who can implement their controls correctly and achieve compliance.
There are skilled consultants out there who do understand what it takes to give their clients all the information necessary to implement their Cyber or Information Security Programs. But though the skilled are out there, relatively few are available, because the qualified ones are for the most part already employed or contracting on their own. Unfortunately, much of the rest of those available are still young in this field, with less than 5 years of experience, and are not yet ready to deliver the complete cyber and information security program that your company requires to stay secure and in full compliance.
Recruiters call me all the time, and many are just trying to fill positions and are not worried about whether they are getting the right person or not. Unfortunately, that is the nature of the beast these days. Even a friend of mine, though completely unqualified, was hired as Director of Compliance for a major institution. He definitely does not have the skill set to be in that position but is still there to this day.
No worries though, there is light at the end of the tunnel, but it is still going to take some time. As Cyber Security personnel and consultants mature, their understanding and abilities will become more complete, and they will learn how to properly scope your environment and give good, solid advice and guidance going forward.
Cyber Security Programs, if implemented properly, can survive personnel changes as long as upper-level management knows how to maintain the program. Transparency is a must, and having good, solid processes, policies, procedures, standards and controls in place will always make the program run more smoothly. Many companies only see the upfront cost, but do not realize that if a good consultant is acquired, that consultant should be able to implement a solid and transparent Cyber Security Program that can survive personnel changes and be properly maintained, matured and even measured. In the long run, a properly implemented Cyber Security Program will be great for the bottom line, and that makes everyone happy, especially executive management, stakeholders and, if it is a major publicly traded corporation, stockholders. This is why everyone should be behind the program. One thing I do know: there is no single solution to the cyber and information security problem and no single technology that can solve it. It takes a good consultant with an experienced and thorough understanding, as well as good communication skills, to work together with the client to ensure they are implementing and documenting every control necessary for a complete Cyber Security Management System.
Wayne Salas is the CEO and Senior Cyber Security Consultant at Firebird Security, Risk and Compliance Consulting LLC, Phoenix, Arizona. He has over 25 years of Cyber and Information Security experience and is one of only about 3000 people worldwide who are QSA, CISSP, ISO and HITRUST certified. He has worked directly with several enterprise-wide standards and regulations, including ISO/IEC 27001:2013, NIST SP 800-53, NIST CSF, HIPAA, MURA, PCI, EI3PA, FFIEC, GDPR, and the Nevada, Michigan and Mississippi Gaming Minimum Internal Control Standards (MICS).