Recently Michael Peters, CEO of Lazarus Alliance, spent time with David Cogan of Money Radio and eLiances discussing the differences between proactive cyber security and reactive cyber security. You can replay the broadcast as heard on money radio.

An overview of the discussion was when you think cyber security, what comes to your mind first?

I’ve posed that question to many an audience over the years and most frequently the response is what folks see on the nightly news or through some new source. Recently people will respond with examples such as Home Depot, Target, Sony, JP Morgan and the European Central Bank which of course are just a few of the most notable instances of breaches we seen in the news over the last twelve months.

I point out to these same groups that in reality, there are only two forms of cyber security and its Proactive Cyber Security and Reactive Cyber Security. I’ll explain what that means and let’s see if you agree.

Reactive Cyber Security situations are going to be in the news because something bad has happened. Reactive security companies help you clean up the mess. When you become aware of a cyber security breach at some company, it’s probably because you are watching the business catastrophe unfolding through some syndication source. You eventually get a notification by the company, your bank or credit card provider informing you that your private and personal information has been stolen which leaves you to worry and watch hoping that nothing bad happens to you.

From a business standpoint, it has become painfully obvious at all levels including shareholders that cyber breaches have a really negative impact on business value not to mention careers of everyone involved especially at the highest levels of the company. We have all seen for the first time in 2014 CEOs, CIOs and CISOs losing their jobs as a direct result of culpability or negligence on their part.

No doubt about it, cyber security breaches have a hugely negative impact on the financial health and reputation of the victim company.

So this brings me to the second form of cyber security which is proactive cyber security. Proactive Cyber Security is all about keeping you out of the news by implementing the right controls and countermeasures. We know it’s not enough for the government or the private sector to have rules and regulations. PCI DSS certification did not save Target, Home Depot or other retailers. The FFIEC or the NIST Framework for Improving Critical Infrastructure Cybersecurity did not save JP Morgan or other financial institutions from their breaches.

You need qualified assistance to make it effective. It’s tough when there are not enough talented cyber security professionals to go around. Businesses are short-staffed. Academia is not training and educating enough to keep up with the demand.

The best possible course of action to avoid being the latest corporate cyber security breach is to take a proactive approach. I’m the CEO and Lazarus Alliance is Proactive Cyber Security™.

Be sure to check out the dynamic group of hybrid entrepreneurs who spend time together at eLiances where entrepreneurs align hosted by David Cogan.

Thank you to Money Radio for inviting me to discuss the differences between Proactive and Reactive Cyber Security.

I was reading a news article this morning about another security debacle at NASA involving the theft of a laptop containing the command and control codes for some high-tech toys like the International Space Station. The thing that amazed me the most was not that NASA would be a high value target, but that this laptop apparently was not encrypted. Seriously? Something that is considered entry level to security professionals is apparently only deployed to about 1% of all NASA computing devices, including mobile devices.

First off, I do have sympathy for NASA and it’s dwindling congressional budget, however, two things are painfully evident and not excusable. First, there is great open source disk encryption available so budgetary excuses do not hold water. Second, this is not cutting edge technology and a few years ago, when the economy was good and the budgets were fat, this was never accomplished. The current, and at a minimum, the preceding NASA CISO’s should be dismissed in shame and given Darwin awards for incompetence. I don’t need to name you two boobs (no offense to actual breasts meant) because everyone can just Google NASA CISO to find out who you are, where you came from and where you went. This would not have happened on my watch.

In my second book, Governance Documentation and Information Technology Security Policies Demystified, I introduce you to a concept I call The Security Trifecta™. Security does not have to be complicated. I have spent my career within information security demystifying what for some is a like understanding a foreign language. The fact of the matter is that by taking three well defined pragmatic steps, we raise the bar and achieve success; governance documentation, technological enforcement and vigilant teamwork working together to promote security.

The Security Trifecta in brief:

• Governance Documentation: The foundation for what we do is based upon the written word. We collectively, collaboratively, cooperatively establish standards that are based upon philosophy, legal requirements, best practices, and regulatory demands.
• Technological Enforcement: When governance documentation has been established, we set about implementing and enforcing those standards as much as possible through the usage of technology. Some technology implementations allow for the end user to exercise greater choice and control, whereas others strictly enforce our standards taking the human choice element out of the mixture.
• Vigilant Teamwork: The reality is that nothing works very well without teamwork. Controls and standards break down without careful tending just like weeds take over our gardens without vigilance. We must regularly review our security standards validating their relevancy and we will remain agile to adapt to the changing business landscape putting into practice carefully considered revisions to our ongoing security program.

The Security Trifecta is an effective and logical approach to information security I developed over the course of my career. The interesting thing is that the conceptual approach may also be applied to any other business process making it formidable to say the least.

Lazarus Alliance is Proactive Cyber Security™

Lazarus Alliance SSAE 16 Assessment Services

From SSAE 16 Audits to IT Security Consulting, the experts at Lazarus Alliance provide a variety of services to fulfill your audit needs. SOC 1, SOC 2 and SOC 3: We are ready when you are!

Lazarus Alliance is completely committed to you and your business success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations. Our competition may want to keep you and your employees in the dark where security, risk, privacy and governance are concerned hoping to conceal their methodology and expertise. We don’t prescribe to that philosophy. We believe the best approach is transparent and built on a partnership developed on trust and credibility creating sustainability within your organization.

Lazarus Alliance’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence – in any jurisdiction. Lazarus Alliance specializes in IT security, risk, privacy, governance,cyberspace law and compliance leadership solutions and is fully dedicated to global success in these disciplines.

Certifications Overview
SOC 1: Once a company has made the decision to enlist a third party to provide a service, they want assurances that those services will be provided timely, accurately, and securely. A SSAE 16 audit shows your commitment to maintaining a sound control environment that protects your client.s data and confidential information.

Not sure which report is right for your organization? Ask yourself these questions:

Will the report be used by your customers and their auditors to plan or perform an audit of their financial statements? If so, then the SOC 1 report is right for you.

SOC 2 and SOC 3: Service Organization Controls (SOC) 2 and 3 reports are designed to provide comfort over the following principles: Security, Confidentiality, Processing Integrity, Availability, and Privacy (if applicable) of a System in-scope. A System is holistically comprised of the Technology, People, Processes, and Data used to complete the services provided.

The following is a brief description of the goals to be achieved with each principle:

• Security: The system is protected against unauthorized access (both physical and logical).
• Confidentiality: Information designated as confidential is protected as committed or agreed.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Availability: The system is available for operation and use as committed or agreed.
• Online Privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.

Still not sure which report is right for your organization? Ask yourself these questions:

Will the report be used by your customers or stakeholders to gain confidence and place trust in a service organization’s systems? If so, then the SOC 2 or SOC 3 report is right for you.

or

Do you need to make the report generally available or seal? If so, then the SOC 3 report is right for you.

We want to be your partner. For additional information please contact us!