I like to be informed on what’s hot in cyber security. Most of the time, it’s in the form of webinars. However, after attending five “How To Improve Your Cyber” events this week, I realized that exactly the same advice was being repackaged and presented:
- Patch Your Systems
- Backup Your Systems
- Harden Your Systems
Let’s Take Colonial Pipeline
Anyone doing a webinar on how exactly Colonial Pipeline got hacked? What tools were they using? What security framework? How big was their security team? Outsourced or SOC? SIEM? EDR? Automation?
“Disclosing these technologies would be a security vulnerability in itself. No company is going to disclose security details.”
I totally get it. But let me challenge you on this: Are you teaching people how to fish or just telling them to fish?
Most of these cybersecurity webinars are telling people… not teaching.
Be prepared for harsher feedback, because educating cyber leaders and pros with arguments substantiating the same advice is repetitive and makes me not want to click “register”.
A few compliance and security factors to consider in your environment:
- Do you know your scope?
- Do you know your data within that scope?
- Is compliance your baseline or objective?
- Do you understand the compliance requirements?
- Have you mapped to external requirements?
- Are you following audit best practices?
- Do you have the right security partner?
- Do you know your adversaries?
- Do you have the visibility you need?
- Is your Operations team appropriately configured and staffed?
- Have you built a culture of security across your business?
- Have you combined people + processes + technology?
- Do you have appropriate measures in place?
- Do you have trusted partners?
The guys at Armor are solid, btw. Enjoyed meeting them a few times in 2018 at their CTF events. And very recently at the Dallas Cyber Security conference.
“If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” Richard Clarke, White House Cyber Security Advisor
#6. Integration. When all InfoSec processes work as intended from end to end.
#5. Measuring Performance. When all InfoSec processes are monitored and measured to make sure they achieve their goals.
#4. Optimized Resources. When all InfoSec knowledge and infrastructure are being used effectively, as designed.
#3. Delivered Value. When security investments support business goals.
#2. Managing Risk. Consciously deciding to act.
#1. Strategic Alignment. When InfoSec and business strategy align, it creates three achievements:
- The enterprise defines what good strategy looks like.
- Security matches the company’s DNA, instead of trying to rewrite it.
- The amount of money spent on InfoSec reflects how important security is to the organization.
It truly is an interesting time to be in Information Technology, especially on the information security front. Although hacks and breaches consume the media, audit and controls run the IT hallways. This article contains a random sampling of notes acquired on this topic as leaders unpack what to measure and what not to measure.
“SOC2 audit is required to do business with us.” – Prospective Client
Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found that quality and consulting come at a higher price, so selecting the right auditor is a key success factor.
Found this article from Linford & Co., LLP, a CPA firm, about SOC 2 pricing:
Price estimates differ between firms as each will:
- Estimate the effort / cost required to do the work
- Have related overhead expenses allocated to the audit
- Require a certain level of profit from the engagement
Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.
“ISO 27001 certification is required to do business with us.” – Prospective Client
ISO 27001: https://www.iso.org/isoiec-27001-information-security.html
Any idea how much an ISO 27001 certification costs? Found this article from Pivot Point Security:
- Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
- Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
- Certification Audit: $10,000
- Total cost for ISO 27001 certificate: $48,000
Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:
- Surveillance Audit: $7,500
- Internal ISMS Audit: $7,000
“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer