Sabrina Serafin, Partner and National Practice Leader of Frazier & Deeter’s Process, Risk and Governance Practice talks with Tim Martin and Skeet Spillane from Pillar Technology Partners about how they help clients prepare for all things cyber.
Culture of Compliance is available on iTunes and Google Play Music. Listen now using the player below or download it to listen later.
4 Critical Steps to Cyber Readiness with Pillar Technology Partners
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today, we’re talking about the 4 Critical Steps to Cyber Readiness, and our guests are Skeet Spillane and Tim Martin of Pillar Technologies. Gentlemen, welcome. You have a strategy that focuses on loss, not cost prevention. With so many organizations that are struggling to manage expenses, talk to us about why this is so important.
Tim: Well, that’s a great question, and you know it really starts with how you view cybersecurity and the whole idea about loss prevention versus cost prevention. Obviously, cost has a budgetary emphasis, and, “Do we have the funds in the budget?” We really try to open up that view and expand that conversation around, let’s focus on what’s the bigger cost. Is it controlling a cost upfront or the loss down the road, and it forces them into a conversation and a thought process of, “It’s a business decision and not just a technology decision,” so it really begins to evaluate how you connect people, process and technology, all the moving parts that really go into an effective cybersecurity strategy. We want them to focus on more than technology.
It’s not just an exterior perimeter defense or set of tools or suite of tools, it is a entire strategy on how you build that into your process and procedures, how do you build that into employee behavior, but also how you include that into the technology, the technology tools you select. But, because we take them through that process, the interesting outcome is a very tight focus on targeting their spending, so it’s a better use of their budgetary dollars and how they’re spending their money, where they’re spending, what’s the most effective form of defense, and the strategies that they decide on as an organization, because cybersecurity, cyber attacks, affect every domain of the business. So, it makes sense to incorporate the entire organization in that whole defense strategy.
Sabrina: We understand you have a four step process that you recommend for cyber readiness. Can you walk our listeners through the steps?
Skeet: We start off with really wanting to understand what information you’re trying to protect, what are the critical assets to your organization, are they protected information, are they PHI of a healthcare space, are they intellectual property? What are the assets that really make your business unique and create exposure for your organization? Then also, what do those really mean to you financially?
You really understand the quantification of those assets with regard to your operations and your reputation. Answering that first piece is fundamental and foundational in how you’re actually going to structure all of your controls and how you’re going to build your defense and depth strategy so that you create a multi-layered protection posture.
Once you understand that, you move into the second phase of where you’re looking at what is the effectiveness of my cyber controls? As I’m looking at my assets, do I have the right levels of protection around them? And have I created tools that are effectively reducing my risk, that is fundamentally based on understanding what are the threats that are coming at me, and what are my vulnerabilities that exist? Those are not just vulnerabilities in terms of patching levels or risks to a specific server, but they’re more of a people, process and technology vulnerability. If you have a large number of users in your organization, you by definition increase the probability of attack just by having a large number of users, because there’s more points of attack to be managed. In context of that, you now need to really build your cyber controls to ensure that they’re effective at protecting and reducing those vulnerabilities to a manageable level.
The third piece that we look at is can you really take those two components and ultimately calculate what your cyber exposure is? Once you understand your assets, where they sit in your organization and your cyber controls, and what the efficacy of those controls are, you can then start to really calculate your cyber risk exposure. The cyber risk exposure takes those into account and really defines what your residual risk is, and from understanding that residual risk, you can then actually go back and determine what your best strategy to improve your security posture. Is it to transfer that risk into a cyber risk policy, or is it better to spend some of those dollars and efforts into increasing the efficacy of those cyber controls?
And all of this boils down to our fourth point, which is being prepared for a breach. A breach is really more of a “when” than an “if” scenario. Today, a lot of organizations are under attack from a variety of threat vectors, whether it’s through malware or ransomware or from insider information being exposed, and you need to be prepared to respond appropriately. Can you identify it, do you have the ability to understand it? And do you have the ability to really investigate, determine and then remediate the loss quickly so that you can minimize the exposure but also maintain the confidence of your customers and clients in context of it occurring, because how you respond has a lot to do with the long-term outcomes of a breach.
Tim: One thing I would add to that, Skeet, if you don’t mind, is thinking about preparing for a loss. Understand that a breach is imminent, it’s a matter of when not if. Understanding and quantifying that risk to a point where you can determine, “What’s my best point of attack, how do I best mitigate that risk, do I increase my effectiveness, my controls effectiveness, or do I transfer that risk into maybe an insurance vehicle?” Maybe it’s a third party insurance cyber insurance policy, or maybe it’s a captive insurance company that you have in place or that you want to create. There are some creative ways to transfer that risk. It’s all about understanding and quantifying that risk, understanding what your exposure is, and then how to best prepare to respond to a breach and reduce the impact, the financial impact of that loss.
Sabrina: Once we get through blocking and tackling, talk to us about Pillar Technologies and your approach to further addressing cyber risk.
Tim: That’s a magic question. Everybody wants to kind of flip a switch and turn cybersecurity on. We really begin understanding where you are currently, what is your current security posture, what do you have in place, understanding, walking through that. Walking through those four steps and helping them understand, “What is my attack surface,” how big is it, you think about that as well.
So, really, it’s beginning with an end in mind, but understanding what your current security posture is, and then assessing those gaps and then remediating those gaps, and then how do you move forward. That’s really where we’re best at helping, providing guidance in that whole conversation. So that’s at the leadership level; that drills down into the technical, into the implementation, into policy and procedure development, into employee awareness training. It’s really building that cyber safe culture that connects all the moving parts of people, process and technology. That’s the best place to start, and we’ve got a very easy process for initiating that and guiding them through the four steps.
Skeet: I would add to that, Tim, that the way we’ve structured our services model is in three main categories: assessment, really identifying what your real risks are, understanding whether you have technical risks, whether you have any process or people related risks, getting those really quantified. Then identifying remediation plans, which moves into our second area of services, which is really helping the organization to have the expertise to deliver the effective remediation controls, and then ultimately being able to operate going forward. Which is our third area of expertise, whether it’s in a Virtual CISO, Fractional CISO type of environment, or on into more of the operational security processes and technologies to ensure that you’re able to continue to enforce once you’ve actually established the security posture.
Sabrina: Could you elaborate?
Tim: Our Virtual CISO offering is designed on two parts. One is from a subject matter expertise, to be able to really bring you the broad experience-based view of security, what it means to an organization, and do that in context of the business and operations. We bring a lot of business acumen to that role, as well as extensive years of experience in the information security space, but then there’s a secondary component, which a lot of organizations are struggling with today. There are requirements through regulatory and other avenues where they are required to have a named information security officer, and a lot of times those organizations don’t necessarily have a full-time need for that. To give that as a partial role to someone internally, they don’t necessarily get the depth of expertise, so our offering is designed to be able to give them a fractional experienced chief information security officer and to be able to drive their security posture and their security organization forward without them necessarily needing to commit to a full-time employee in their budget and in their organization.
Sabrina: Thank you, Skeet Spillane and Tim Martin, for being with us today and sharing these insights. For our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast, and please join us for our next episode.