Republished – Original Article Published at https://www.bizjournals.com/philadelphia/news/2024/10/25/latitude-information-security-ceo-cybersecurity.html
By Mark Ferrari – President and CEO, Latitude Information Security
Why is cybersecurity awareness so important?
The most effective tool of cyber attackers remains social engineering, and the targets include anyone and everyone within an organization.
While serving as a military officer, I worked on a weapon system that has been online continuously since 1962 and remains so to this day without a significant incident or breach. For information systems in industry, that seems like an impossible track record. So, what is the secret to assuring such a record of security? Specific physical and technical controls certainly play a key role, but the most effective controls are administrative: high awareness of threats, how to recognize them, how to respond to them, and strict adherence to detailed procedures. Security is built into every aspect of day-to-day operations.
We must strive for the same goal in private industry, government, health care, and education, and unfortunately we have a long way to go. It starts with awareness, in many ways and at many levels. It requires awareness on everyone’s part, including how to spot the phishing email, smishing text, deep-fake video, or vishing call. It requires adherence to procedures for storing and transmitting sensitive data. It requires awareness on the part of IT leadership of the location and proper function of every asset in their environment. It requires awareness on the part of senior leadership and boards of directors of the relentlessness and creativity of attacks, so that the necessary resources are made available.
Should an organization have a third-party Security Risk Assessment done?
You will gain awareness of your own program through a third-party Security Risk Assessment.
Know your shortcomings. Know your vulnerabilities. Some organizations choose to self-assess, which provides a weak foundation; self-assessments rarely hold up against outside scrutiny. Independent third parties ensure a more mature assessment. They know the threat environment and know where and how deep to look for vulnerabilities. When partnering with a third party, it is critical to understand the deliverables they will provide and the extent to which they will guide the remediation of the vulnerabilities they identify.
Where should an organization start in building or evaluating a security program?
The first step in advancing a security program is to pick a framework — any framework. Why? They are all similar in terms of the core security areas they cover. Adopting any framework — whether HITRUST, NIST, ISO 27k, SOC 2, etc. — provides a widely known and industry-accepted foundation.
What framework or certification is the best for my organization?
As always, it depends. The best framework to follow will depend on factors such as contractual requirements, the scope of business operations, and strategic goals. Contractual requirements are often the deciding factor, as specific audits (ISO, SOC 2) and/or certifications (HITRUST) may be required before a counterparty signs new business. It is critical to note that adopting a framework, passing an audit, or achieving a certification does not guarantee an organization is “secure.” Being secure is a state that is continually pursued, never reached. Vigilance in continually advancing physical, administrative, and technical controls is key to protecting an organization.
Doesn’t adoption of a framework take years and bandwidth that my team does not have?
To avoid throwing good money after bad and over-extending your team, find an expert third party that knows the frameworks inside and out. Find a partner that knows which security elements satisfy the requirements and who can take on the heavy lifting of preparing for that audit or assessment.
Protect your business from cyber threats. Contact Brad Schleyer at [email protected] to get started.
Latitude Information Security is a cybersecurity consulting firm providing risk assessments, security program development, audit preparation, penetration testing, vCISO and other key services to a nationwide client base. Latitude simplifies the process for meeting and maintaining cybersecurity compliance standards with a detail-oriented approach and a tailored path for each client.