Managed Services and Risk: Mitigation or Inherent Acceptance?

With the evolution of cybersecurity over the last decade, it’s easy to forget what security is: the art of dealing with risk. The flood of funding into the space has created a host of marketing buzzwords that pollute the board room and pull attention from the “why?” of security. What is the reason cybersecurity exists? What is the problem we’re trying to solve?

Control-based vs risk-based

The conversation around security has shifted, and not for the better. Historically, security teams built programs around assessing risk and deciding how best to deal with it. Today’s world of endless frameworks, however, focuses more on technologies and less on the risks those technologies are implemented to address. This controls-oriented program development has produced security leadership that balks at the mention of a “risk register”. This isn’t to say that risk isn’t considered, but rather that it isn’t enumerated at a level that gives the security team flexibility in addressing it.

Security frameworks like NIST, SANS, ISO, etc. are great lists of controls to consider for a security program but are built with a one-size-fits-all approach. By starting with a comprehensive audit, and developing controls that mitigate specific threats, many organizations can move to an acceptable risk posture without many of the “checkbox” controls contained in most frameworks.

Risky decisions

Common risks exist across different organizations, but how those risks are addressed is a business decision the security team develops their strategy around. When handling risk, there are three options:

  • Accept – The risk is not a threat worth investing resources to lessen. Accepted risks should be entered into a risk register, naming the business owner who accepted the risk and noting why they accepted it; usually low probability or low impact.
  • Mitigate – These risks are not accepted and pose enough threat to a business that resource investment is warranted to prevent the risk from coming to fruition, or at least lessening the probability or impact to an acceptable amount.
  • Transfer – The risk is not accepted, but the business will not mitigate on its own. Leveraging third parties, the risks are contractually moved from the business to the provider. Common forms of cyber security risk transference include Cyber Security Insurance and Managed Security Services.

Risks worth transferring

There’s an existential problem in security right now. The problem isn’t new attacker tactics, techniques, and procedures (TTPs), new malware, or the speed at which malware gets to market; products exist to identify these threats, but there is not enough skilled headcount to properly implement the products and to investigate and respond to the alerts. This headcount shortage is an industry epidemic that leaves security teams scrambling just to perform basic tasks, forcing most organizations to ignore alerts generated by the security products they have deployed, assuming those products were properly implemented and configured in the first place.

Alert triage and response

Looking at the tasks security teams perform to achieve risk equilibrium, many require deep knowledge of the organization and continuous communication and participation in meetings like change control. The task of identifying a false positive for a wrongly flagged graphics card driver, however, requires little knowledge of the organization.

Transferring the risk of alert triage and response can free organization resources to focus on security responsibilities that are best kept in-house like GRC, vulnerability management, and policy creation. This transference also lessens the probability or impact of the departure of a single person being a significant detriment to the security team.

The most common cause of shelf-ware (technology that is being paid for, but is no longer, or was never used) is the sole-owner or user of that technology leaving the organization. Regarding incident detection, triage, and response, employee churn presents a much larger threat than underutilized budget. This risk is magnified by the litany of false-positives generated by security products making the required headcount necessary to triage every security alert unattainable.

Leveraging a service provider for certain functions will provide the level of expertise necessary to implement, maintain, and utilize the technology. The shift also transfers the burden of hiring and maintaining the staff necessary to perform these functions to the service provider; ideally removing the shelf-ware dilemma.

Transferring risk to a service provider

Ignoring alerts and forgoing security expertise is not a risk most organizations choose to accept, and handling it in-house is often difficult or cost-prohibitive, so it makes sense that managed security service providers (MSSPs), including managed detection and response (MDR) providers, are gaining in popularity. The difficulty comes in choosing the right MDR provider, and ensuring they’re mitigating risk rather than accepting it.

The false-positive dilemma

As mentioned earlier, the problem of false-positives and the impacts they have on security teams is significant, but why does this problem exist?

Defining the terms:

  • False-positive – An alert that was generated based on an event that was not malicious.
  • False-negative – An event that was malicious but did not generate an alert.

From a product-manufacturer perspective, a false negative is brand damaging, but a false positive is just assumed. Endpoint and network detection technologies attempt to identify everything an attacker could do to perform malicious activity in an environment. As attackers’ skill has improved, products have had to adopt looser detection rules so that they remain effective at detecting potentially malicious activity and thereby avoid false negatives. For an effective, detection-oriented security product, false positives are almost a necessity. With this understanding, how do service providers, who may be covering millions of endpoints, profitably scale a service?

The Techniques

  • Build a Bigger Army – This is not scalable or profitable, but it is pursued by some service providers. This approach typically results in sub-par service that provides little value and leads to a frustrated customer that has essentially purchased a different source of alert fatigue.
  • Attack the Source of Alerts – Is a particular detection rule being too noisy? Shut it off! The alert fatigue problem is solved, but it also diminishes the effectiveness of the product.
  • Set an Arbitrary Investigation Threshold – Too many Critical, High, and Medium alerts to investigate? Just look at the Critical and High. Still too many? Critical-only should be fine (if we forget the retail breach was a medium alert).
  • Turn Alerts into Incidents – Rolling up multiple alerts into a single incident is a great way to make what looks like a high-fidelity alert, but the result could also be a group of false positives. The danger here is creating incidents that take much longer to investigate.

Machine Learning!

Another technique that’s becoming increasingly popular is the use of machine learning to weed through false positives. Setting aside the animosity towards marketing teams for taking real technology and turning it into a glorified way to describe statistics, machine learning can be broken into two main concepts:

  • Supervised – Using a set of labeled training data, an algorithm is built that determines how closely a new piece of data matches the data used for training. This methodology is commonly leveraged in security to identify malware. While useful in scenarios where training data is properly labeled and available, those prerequisites somewhat limit its usefulness in identifying malicious behavior.
  • Unsupervised – Developing a baseline of “normal”, unsupervised machine learning identifies deviations from the baseline. Unsupervised machine learning technically doesn’t generate false-positives, because it is alerting on anomalies, but given all anomalies aren’t necessarily malicious, this technique is usually paired up with cumulative risk scoring to drive anomalous activity past a threshold, where it will generate an alert hopefully more relevant to security.
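The pairing described above, an anomaly score against a per-host baseline fed into a decaying cumulative risk score that only alerts past a threshold, is illustrated by the following added example (not code from the article or any vendor). The baseline counts, the hosts, the band of two standard deviations, the decay factor and the alert threshold are all constructed assumptions; the point it makes is that a single anomaly is not an alert, while sustained or large deviation on one host is.

```python
"""Unsupervised baseline + cumulative risk scoring (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: outbound connections per hour seen for each host
# during a "normal" training window.
BASELINE = {
    "host-a": [12, 15, 11, 14, 13, 12, 16],
    "host-b": [40, 38, 42, 41, 39, 43, 40],
}

# Constructed new observations: (host, hour, outbound_connections).
OBSERVATIONS = [
    ("host-a", "09:00", 14),
    ("host-a", "10:00", 30),
    ("host-a", "11:00", 55),
    ("host-b", "09:00", 41),
    ("host-b", "10:00", 44),
]


def anomaly_score(host, value, baseline=BASELINE, band=2.0):
    """Distance, in standard deviations, beyond a +/- `band` sigma envelope
    around the host's baseline; 0.0 when the value is inside the envelope."""
    samples = baseline[host]
    sd = pstdev(samples) or 1.0  # guard: a constant baseline would divide by zero
    z = abs(value - mean(samples)) / sd
    return max(0.0, z - band)


def cumulative_risk(observations, alert_threshold=10.0, decay=0.5):
    """Accumulate anomaly scores per host with exponential decay and alert
    only when the running score crosses `alert_threshold`.

    Returns (final_scores_by_host, alerts) where each alert is
    (host, hour, score_at_alert)."""
    scores = defaultdict(float)
    alerts = []
    for host, hour, value in observations:
        scores[host] = scores[host] * decay + anomaly_score(host, value)
        if scores[host] >= alert_threshold:
            alerts.append((host, hour, round(scores[host], 2)))
    return dict(scores), alerts


if __name__ == "__main__":
    final_scores, fired = cumulative_risk(OBSERVATIONS)
    print("scores:", final_scores)
    print("alerts:", fired)
```

With these numbers host-b at 10:00 is a statistical anomaly (it scores above zero) but never alerts, and host-a’s first spike at 10:00 stays under the threshold on its own; only the continued deviation at 11:00 pushes the decayed running score over the line. Tuning `band`, `decay` and `alert_threshold` is exactly where the risk acceptance the article goes on to describe happens.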

Inherent risk

Given the available approaches to dealing with false-positives, it’s clear that there is some necessary risk-acceptance that must happen to get the alert count to a level that allows security teams to efficiently deal with the “high-priority” alerts. This acceptance is not based on the organization’s risk tolerance, but instead on the limitation of resources to mitigate, which places an inflated cost on the risk […]

Small and Medium-sized Financial Institutions: The Security Challenges They Face Each Day

It’s no secret that financial institutions are in criminals’ crosshairs. This has been the story ever since people and organizations started putting their cash in the care of others. But unlike the good ol’ days of dramatic ski-masks-over-face, gun-in-hand heists, the majority of today’s banking crimes are digital, and thus, involve far less bravado and derring-do.

While cybercrime and fraud affect all financial institutions, each sector has its own specific concerns. The concerns of large institutions generally take center stage due to their high profiles and the large stakes involved, but often, concerns specific to small and medium-sized institutions go overlooked. In this article, we will examine the issues that cause the most distress to IT and security teams at small and medium-sized financial institutions.

Why Cyber Criminals Love Small and Medium-sized Financial Institutions

Small and medium-sized financial institutions are often seen by cyber criminals as low-hanging fruit — sure, they could go after JPMorgan Chase or Goldman Sachs for a huge payoff — but a heist of that nature requires boatloads of planning and effort. For an attack of that scale, an assailant must have incredibly powerful tools as well as a flawless plan, which could take months and even years to orchestrate.

Add to that the immense challenge of evading the law once the attack has been executed. High profile attacks on banks make great news fodder and criminals can expect to be hotly pursued and tried for their misdeeds.

Unfortunately, this is not typically the case with smaller targets. It doesn’t take quite as much planning or effort to hit smaller players and since these crimes are not as high profile, it may be easier for the attacker to get away with them. All in all, small and medium-sized financial institutions are a wise choice for attackers looking for a relatively easy swindle.

The Security Challenges that Keep Small and Medium-sized Financial Institutions CISOs Up at Night

There are many cyber security issues that plague small and medium-sized financial firms, ranging from structural issues to out-and-out threats. While each organization is unique, security leaders at most, if not all, small and medium-sized financial services firms must overcome these structural challenges.

Lack of Buy-in/Understanding from C-Suite/Leadership

Each financial services firm has its own business drivers, those issues that are integral to the success and advancement of the business model. While issues like customer satisfaction and regulatory compliance generally top execs’ lists, the issue of cybersecurity doesn’t always show up on their radar.

There are a few reasons that cyber security may not be the first thing on many leaders’ minds. To start with, it can be very difficult to prove the return on investment for security-centered projects. In the words of security expert Bruce Schneier, “Security is about loss prevention, not about earnings.” Proving how much a company saves by preventing a breach does not produce the same tangible benchmarks as do other, more concrete investments.

Moreover, leaders may not have sufficient IT and/or security knowledge to grasp the full severity of weak or inadequate defenses. While some decision makers certainly are well versed in technology, it’s often not a part of their job requirements and they simply may not grasp the importance of investing in new solutions as they become available. Likewise, they may not understand the full legal and operational ramifications of falling prey to a breach.

Lastly, according to, leaders at smaller firms are often convinced that their firm is not worth the attacker’s time or effort. This leads to a dangerous stance of security complacency, an attitude that nothing further is required to protect the firm, based on their own erroneous assessment of limited risk.

Limited Budgets

As mentioned above, small and medium-sized financial institutions typically have much more limited cyber security budgets than larger institutions. A recent survey by Untangle found – shockingly! — that of 350 small and medium-sized businesses polled, 50 percent had annual security budgets of less than $5,000 US and of those, 50 percent had budgets of less than $1,000 US.

In light of these numbers, it comes as no surprise that at many smaller FinServs, there is no one specific person or team tasked with cybersecurity – it’s just another aspect of IT’s responsibilities. Moreover, their tools are nowhere near as comprehensive as those found at larger institutions. This increases the chances of breaches and extends time to detection (TTD) and time to respond (TTR) in the face of incidents.

At the same time, small and medium-sized financial firms still have conveniences like customer-facing apps and websites, which are necessary to compete with the big guys. But as with the rest of their technology stack, these applications may be less robust and secure than those developed by banks with more money to allocate to security. This makes these less secure applications prime pickings for attackers.

Dependence on Third Party Vendors

Small and medium-sized financial institutions are heavily reliant on integrations with third party suppliers. As with businesses of any size, these firms need to share information with partners and contractors to remain relevant and agile in an increasingly connected world.

But granting access to third parties can come with great risks — by making your network accessible to third parties, you allow their vulnerabilities to become your vulnerabilities, their liability to become your liability. This was clearly demonstrated in the infamous Target hack of 2013, when the behemoth saw their point of sale system breached due to an integration with an HVAC vendor whose credentials were stolen.

In the typical integration, external partners can access the company’s networks without adequate monitoring and limitations. This allows them access to far more resources than needed to do their jobs, making the organization a sitting duck. And as third-party vendors are often also small and medium-sized businesses, there is a very real chance that they may have less-than-adequate security, which compounds the risk. Further, the decision of which vendor to use is often made with little regard to vendor security practices and how those may affect the institution and its networks.

The Threats that Nightmares are Made Of

While budget limitations, support from top brass and third-party vendors are ongoing headaches for security officers, threats that commonly target financial service businesses are the night terrors that bolt them awake in a cold sweat.

The Many Flavors of Insider Threats

Insider threats take many forms and affect all businesses, from the largest enterprises to shoestring operations. And while all businesses suffer when an employee goes rogue or an ex-staffer decides to spill the company beans, small businesses experience damage from insiders more often than their larger counterparts. This is especially true in finance, where the stakes are inherently much higher than for most other businesses. In fact, according to the 2019 Verizon Data Breach Investigations Report, the threat actors in 36 percent of breaches of financial institutions were insiders.

One reason small and medium-sized financial firms fall prey to insiders is that they often lack proper protocols for revoking access after an employee has been terminated. Smaller financial firms tend to have less robust IT standard operating procedures and thus when an employee is asked to leave, it may take days or weeks before his or her access to critical resources is revoked. This leaves the ex-staffer with plenty of time to collect whatever data he or she wants, which can then be given to competing banks — or worse, such as nation state adversaries and cyber-criminal syndicates.
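The offboarding gap described above is one of the easier insider risks to check for mechanically: reconcile the HR termination feed against an export of the identity directory and flag accounts that remain enabled, have logged in after the termination date, or still sit in a privileged group. The following is an added example, not code from the article; the HR feed, the directory export, the group names and the one-day grace period are all constructed assumptions.

```python
"""Reconcile HR terminations against an identity-directory export (added example)."""
from datetime import date

# Constructed HR feed: user -> termination date.
HR_TERMINATIONS = {"jdoe": date(2019, 3, 1), "asmith": date(2019, 3, 10)}

# Constructed identity-directory export (what an IAM/AD dump might look like).
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "last_login": date(2019, 3, 6),
     "groups": ["wire-approvers", "vpn-users"]},
    {"user": "asmith", "enabled": False, "last_login": date(2019, 3, 9),
     "groups": ["vpn-users"]},
    {"user": "bnguyen", "enabled": True, "last_login": date(2019, 3, 12),
     "groups": ["tellers"]},
]

# Assumed names of groups whose membership should never outlive employment.
PRIVILEGED_GROUPS = {"wire-approvers", "domain-admins"}


def offboarding_findings(terminations, directory, as_of, grace_days=1):
    """Return (user, finding, detail) tuples for terminated users whose access
    was not revoked in time. `as_of` is the date the check is run."""
    findings = []
    for acct in directory:
        term = terminations.get(acct["user"])
        if term is None:
            continue  # current employee: outside the scope of this check
        if acct["enabled"] and (as_of - term).days > grace_days:
            findings.append((acct["user"], "still_enabled", (as_of - term).days))
        if acct["last_login"] > term:
            # A login after the termination date is evidence, not just exposure.
            findings.append((acct["user"], "login_after_termination",
                             (acct["last_login"] - term).days))
        kept = PRIVILEGED_GROUPS & set(acct["groups"])
        if acct["enabled"] and kept:
            findings.append((acct["user"], "privileged_group_retained", sorted(kept)))
    return findings


if __name__ == "__main__":
    for finding in offboarding_findings(HR_TERMINATIONS, DIRECTORY, date(2019, 3, 15)):
        print(finding)
```

Run on a schedule, this turns the “days or weeks” window into a same-day finding; the `login_after_termination` case in particular should be routed to incident response rather than to a ticket queue.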

Similarly, smaller firms also tend to engender feelings of trust and familiarity among employees. While this is great for the general work ethic, there is risk in trusting your employees too much. Large institutions often have tiered Identity Access Management (IAM) solutions in place to prevent employees from seeing information which is beyond the scope of their requirements. Once again, due to less sophisticated IT infrastructure and because of that cozy, feel-good atmosphere, smaller institutions may not have the same precautionary measures in place, allowing employees access to data far beyond their actual data needs.

Then there is the insider who, although not necessarily malicious in intent, is simply impervious to training. This is the employee who routinely clicks suspicious links or fails to notice clues indicating that he or she is being phished or scammed. Scary but true: According to Verizon’s 2019 DBIR, three percent of people will click on any given phishing campaign. And these well-meaning employees can cause just as much damage as those with ill intentions: In a small and medium-sized bank, the means or understanding to track just which employee is “that guy” may simply not exist — thus, the risk goes unmitigated.

Business Email Compromise (BEC) Scams

According to a report by security firm IronScales, 95 percent of successful cyber-attacks include an element of social engineering. Humans are easily manipulated and attackers are adept at creating all kinds of compelling scams to help victims and their money or data part ways. According to the Verizon 2019 DBIR, financially motivated social engineering attacks target financial services institutions disproportionately vis-à-vis other industries.

In recent years, BEC, or Business Email Compromise, has become one of the most potent phishing methods, generating losses of $676 million US in 2017. According to HSBC, small and medium-sized businesses are harder hit than larger enterprises.

In the typical BEC scam, the scammer impersonates someone in a position of power within the organization, perhaps the CEO or a senior member of the IT team. The scammer sends an urgent email to a lower ranking employee, demanding funds to be transferred. This perfectly crafted email is almost indiscernible from an authentic one and implies that the recipient must see to it that the funds are transferred immediately – or face repercussions. If things go according to the attacker’s plan, the employee sends the request off to the organization’s bank, where an unwitting bank employee complies with the email’s instructions and transfers the funds.

BEC scams cause damage to all kinds of businesses, as well as banks. But no matter the industry, they affect banks because they are the ones through which financial transfers take place. In smaller institutions, standard operating procedure for transfers may not be clearly outlined and thus there is a greater danger that someone within the bank may authorize such fraudulent transfers.
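The anatomy of the scam above (an executive’s name on an outside mailbox, a reply address that points elsewhere, and an urgent demand to move money) maps directly onto a few header and content checks that a mail gateway or a payments team can apply before acting on a message. The following is an added example, not code from the article; the company domain, the executive directory, the keyword lists and both sample messages are constructed.

```python
"""Heuristic BEC indicators over raw e-mail headers and body (added example)."""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "examplebank.test"  # assumed
# Assumed directory: lower-case display name -> the executive's real mailbox.
EXECUTIVES = {"jane doe": "jane.doe@examplebank.test"}
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")

# Constructed sample messages.
LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@examplebank.test>",
    "To: ap@examplebank.test",
    "Subject: Q1 board deck",
    "",
    "Attached is the draft deck for Thursday's board meeting.",
])
SUSPICIOUS = "\n".join([
    'From: "Jane Doe, CEO" <jane.doe@examplebank-secure.test>',
    "Reply-To: ceo.desk@webmail-example.test",
    "To: ap@examplebank.test",
    "Subject: Urgent wire request",
    "",
    "I need a wire transfer of $48,500 processed today before the cut-off. "
    "Keep this confidential and confirm once done.",
])


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the list of indicator names that fire for one message."""
    msg = email.message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. An executive's name in the display name, but not their real mailbox.
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in display.lower() and sender.lower() != exec_addr:
            reasons.append("display_name_impersonation")

    # 2. Replies would go to a different domain than the message claims to come from.
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append("reply_to_domain_mismatch")

    # 3. A money-movement request paired with time pressure.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        reasons.append("urgent_payment_request")

    return reasons


if __name__ == "__main__":
    print("legit:", bec_indicators(LEGIT))
    print("suspicious:", bec_indicators(SUSPICIOUS))
```

None of these checks replaces the written transfer procedure the article calls for; the useful control is that any message firing `urgent_payment_request` requires the requester to be confirmed through a channel other than e-mail before funds move.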

Browser-Based Threats

Like all businesses, small and medium-sized financial institutions need to use the Internet for tasks such as researching loan applicants and corresponding with customers. So, every employee needs web access. But the risk that comes with open connectivity, namely, the fact that browser-borne malware can easily spread laterally throughout networks, cannot be tolerated in such a sensitive arena.

Browser-based malware is always morphing to evade traditional security methods, but some attack elements remain the same: cross-site scripting (XSS) and SQL injection (SQLi) attacks are among the most common web-based attack methods and can potentially come from any website that has been infected, even those that have been deemed secure. These attacks can exfiltrate data from employees’ browsers. Moreover, browser-based threats are difficult to detect, which puts critical assets directly in harm’s way.

Many IT admins turn to whitelisting pre-approved web applications and websites to help keep out browser-based threats. But whitelisting has significant drawbacks — it leads to reduced productivity and agility as employees cannot always access the resources they need when they need them. It’s also not completely effective, as once-good sites can become infected with malware and in turn, pass that infection on to your network.

Small and Medium-sized Banks Have to Level Up to Survive

Beyond the threats themselves, small and medium-sized FinServs have to consider the costly fallout that comes along with successful cyber security attacks. Understandably, in the wake of an attack, customers may lose confidence and jump ship. And while larger financial institutions can absorb the costs of many, if not most, attacks, smaller ones cannot, which may lead to closures […]

A New Framework for Preventing Cyber Attacks

The scale of data theft is staggering. In 2018, data breaches compromised 450 million records, while 2019 has already uncovered the biggest data breach in history, with nearly 773 million passwords and email addresses stolen from thousands of sources and uploaded to one database.

Current cyber defense tactics simply aren’t enough; a new model of defense is needed. In research published recently in Future Generation Computer Systems, my co-researchers and I propose a framework harnessing the power of machine learning to accurately predict attacks and identify perpetrators.

Outdated Tactics

The current manual security models are quickly becoming obsolete for a number of reasons. For one, there is simply too much data for human analysts to sift through by hand. Hail-a-TAXII, a repository of open source cyber threat intelligence feeds, provides more than one million threat indicators. IBM X-Force reports thousands of malware samples weekly. Verizon’s Data Breach Investigations Report details millions of incidents. These are just a few of the many data sources analysts have at their fingertips.

Another problem is that current cyber threat intelligence (CTI) tactics look only at low-level indicators: small attack signatures such as IP addresses, domain names and file hashes. Low-level indicators are easy for companies to block by plugging them into firewalls and security devices. Unfortunately, they’re also easy for hackers to change. Using only low-level indicators to stop a cyberattack is a little like trying to prevent thieves from robbing your home by reinforcing only one window. The thief will just find another window.

The glut of data and preoccupation with low-level indicators contribute to a serious lag in identifying threats. The median time for an organization to determine it is under attack is 46 days. Attacks can go undetected for much longer: the massive data breach at Equifax in 2017, involving nearly 150 million pieces of personal data, went undetected for 76 days.

Relying on low-level indicators simply doesn’t make sense given what we now know about hackers: They use common patterns of attack that can be identified by looking at high-level indicators, otherwise known as Tactics, Techniques and Procedures (TTPs).

Examples of tactics common to certain threat groups involving the compromise of victims’ credentials include:

  • the exploitation of the victim’s remote access tools and the network’s endpoint management platforms by threat group TG-1314.
  • employing key loggers and publicly available credential dumper toolkits by TG-3390.
  • spear phishing using URL shortened links pointing to malicious websites by TG-4127, which targets government and military networks for espionage and cyber warfare.

Typically, hackers will specialize in one attack tactic and gradually evolve the tactic over time. Consider what’s happened with RAM scrapers: malware that enters servers and combs through the memory to find a distinctive code pattern, such as a credit card’s 16 digits. A RAM scraper was behind the 2013 Target data breach that compromised 40 million credit cards, as well as the 2018 Marriott and Hyatt breaches and many others in between.

While the tactic has remained the same, what has changed is how the malware transfers data to the attacker, advancing from FTP to the web protocol and finally to encrypting the information and moving on its own, no longer reliant on a human to copy and transfer the data. Fifty different families of RAM scrapers for stealing personal data currently exist.

The cyber intelligence community already maintains databases detailing high-level indicators. More than 130 adversary technique documents exist. As of late 2018, there were 45 known threat actors and 123 known software tools included in the ATT&CK taxonomy, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK taxonomy shows that the number of TTPs used in threat incidents ranges from one to 34, with an average of six.

If so much is known about TTPs, why aren’t analysts relying on them for cyber defense? Again, the problem is the massive amount of data. Manually searching for correlated TTPs is tedious, error-prone and a nearly impossible task. The lack of a commonly used vocabulary to describe attacks and attack tactics compounds the problem. TTPs are mostly reported as unstructured textual descriptions, which makes it difficult to correlate attack incidents of the same threat group based on similar TTPs, because of synonyms and polysemous words. The same style of attack can be labeled one thing in one database and something completely different in another.

Building a New Framework

The framework we propose in Future Generation Computer Systems is based on our knowledge of TTPs and on the two problems plaguing the cyber intelligence community: too much data and no automated way to rely on the more effective high-level indicators.

The framework creates a network of Threats, TTPs and Detection (TTD) mechanisms. To build it, data was collected from related cyber breach incidents and from reliable threat sources in the public domain.

In total, more than 327 unstructured documents from about two dozen sources were used. Although machines will likely one day be able to deal with all the nuances of human language, we’re not there yet. This means the data had to be curated and semantically correlated before it could be analyzed by machines: we used ATT&CK […]
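The two obstacles named above, unstructured wording for the same TTP (synonyms and polysemy) and the need to correlate incidents on shared TTPs rather than on IP addresses or hashes, can be shown on a small scale with a synonym map to a canonical vocabulary and a set-similarity measure over the TTPs extracted from each report. The following is an added example, not the authors’ framework or code; the synonym table, the canonical labels (a real deployment would map to ATT&CK technique names, as the authors did), the three sample reports and the similarity threshold are all constructed.

```python
"""Normalise unstructured TTP wording and correlate incidents on shared TTPs (added example)."""
import re
from itertools import combinations

# Constructed synonym map: canonical TTP label -> wordings seen in free-text reports.
SYNONYMS = {
    "credential dumping": ["credential dumper", "dumped credentials", "password dumping"],
    "keylogging": ["key logger", "keylogger", "keystroke capture"],
    "spearphishing link": ["spear phishing link", "shortened url", "phishing link"],
    "remote access tool abuse": ["remote access tool", "remote administration tool"],
    "memory scraping": ["ram scraper", "memory scraper", "scraped memory"],
}

# Constructed excerpts from three "sources" describing two intrusions.
INCIDENTS = {
    "vendor-A-2018-07": "Actor deployed a key-logger and ran a publicly available "
                        "credential dumper on the domain controller.",
    "blog-B-2018-09": "Intrusion featured keystroke capture followed by password-dumping "
                      "tooling; lateral movement via RDP.",
    "report-C-2018-11": "A RAM scraper harvested card data from POS memory and "
                        "exfiltrated it over HTTP.",
}


def _norm(text):
    """Lower-case and collapse whitespace/hyphens so 'key-logger' == 'key logger'."""
    return re.sub(r"[\s\-_]+", " ", text.lower())


def extract_ttps(report):
    """Map free text to the set of canonical TTP labels it mentions."""
    text = _norm(report)
    found = set()
    for canonical, variants in SYNONYMS.items():
        if any(_norm(phrase) in text for phrase in [canonical] + variants):
            found.add(canonical)
    return found


def jaccard(a, b):
    """Set similarity in [0, 1]; two incidents sharing every TTP score 1.0."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def correlate(incidents, min_similarity=0.5):
    """Return ({incident: ttps}, [(x, y, similarity)]) for pairs that
    share enough TTPs to be worth an analyst's attention."""
    ttps = {name: extract_ttps(text) for name, text in incidents.items()}
    pairs = []
    for x, y in combinations(sorted(incidents), 2):
        s = jaccard(ttps[x], ttps[y])
        if s >= min_similarity:
            pairs.append((x, y, round(s, 2)))
    return ttps, pairs


if __name__ == "__main__":
    extracted, linked = correlate(INCIDENTS)
    for name, labels in extracted.items():
        print(name, sorted(labels))
    print("linked:", linked)
```

The vendor and blog write-ups never share a word of vocabulary, yet normalisation gives them identical TTP sets and they correlate; the RAM-scraper report shares nothing with either and stays unlinked. The synonym table is the part that does not scale by hand, which is the gap the authors fill with machine learning over curated ATT&CK-labelled data.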

Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to 32 percent of respondents in the (ISC)² study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21-50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers […]

The role and the focus of a CISO with Tim Swope

Apex sat down with Tim Swope, Chief Information Security Officer at Catholic Health Services of Long Island to discuss his role and experience as a CISO. With extensive experience in the industry, Tim shares his advice and the value of an IT Risk Management Program being the cornerstone for all cyber security work.

Q: What is IT security doing to support innovation in the enterprise?

A: In addition to training the IT Security Staff, we all attend many seminars outlining new and innovative technologies and with our Proactive Risk Management model we are able to determine what GAPS those technologies will close in our organizations.

Q: What is the single most important thing CISOs should be focusing on today?

A: While many security leaders focus on the technical side of cybersecurity, a key focus of mine is risk management. Risk management is the overriding element for successful cybersecurity programs. We need to know what cyber risks and 3rd party vendor risk may affect our organizations, assign a risk level and then focus our remediation and management on the top tier risks first.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: The CIO and I work very closely together on the overall information strategy for the organizations. That being said, while the CIO might push for technology solutions that will make access to information easier… I ensure that we can effectively manage and monitor that technology. In the Healthcare space, innovation has moved faster than our ability to secure it. I remind the CIO we are FIRST in the patient privacy and safety business… not the convenience business!!

Q: How have you searched for and found the best vendors for your organization?

A: We have a very strict due diligence process for our vendors, especially those that will be working with PHI. However, we are constantly looking and evaluating vendors that may be able to save us cost, have greater automation and solve our needs better.

Q: What is the biggest challenge for a CISO today?

A: In the Healthcare industry, changing regulations, the need to expose patient data to outside entities and ensuring that the same IT security posture remains in place in the face of this change.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: When coming into a new organization as a CISO leader, I strongly believe in conducting an internal assessment to get an understanding of what controls and technologies are in place. While some CISOs may rely on an outside firm to conduct these, I choose to do an initial assessment myself, putting myself in an outside auditor’s shoes. Rather than looking at somebody else to do it for me, I’ll do it myself and I think that’s the key thing a CISO should do, is understand his or her landscape and do their own personal assessment and only then can you see what you really have.

Q: What is the importance of an IT risk Management Program in today’s cyber security landscape?

A: In order to deliver value to our customers, patients, employees, communities and shareholders, we at Catholic Health Services and other Healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations.  As part of the overall IT risk management process Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.

The “Framework” that encompasses their Risk Management Program has the primary functions to:

  • Determine categorization of IT risks
  • Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
  • Define accountability for IT risk management
  • Determine the governance and oversight of IT risk management activities

Internal and external events affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.

Throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. Additionally, the various risk management functions scan the external environment for risk indicators through analysis of applicable business intelligence, including trends in external health authority and other government inspections and enforcement, legislative changes, and shifts in market, payer and consumer models, as well as relationships with external subject matter experts.

Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome, to determine how they should be managed.

If we can take away one lesson from the need for a risk management program, it is the following:

Risk Management is the number one process for Identifying potential risks and creating a plan to eradicate or manage them!!

We don’t accept Risk, we continually Manage it!


Tim Swope


Catholic Health Services of LI

Mr. Timothy Swope is currently the CISO of Catholic Health Services, an 18,000 employee hospital group in Long Island, NY. He is an Information Security and IT Risk Management professional who partners with Chief Information Security Officers and IT Governance, Risk and Compliance executives to assess and deliver IT Security and Risk Management programs to Health Care and Insurance, Pharmaceutical and government agencies. After spending over 2 decades assisting clients in implementing secure enterprise BI, EHR, Meaningful Use and other data science systems, Tim knows and understands the requirements and components that create a secure information security posture. A key area of his expertise centers on interpreting and applying Federal, State and Industry regulations such as: DSRIP, HITRUST, HIPAA, NIST SP 800-53, 21 CFR Part 11, Health Insurance Reform: Security Standards, FISMA (Federal Information Security Management Act) and locally the Zadroga Act, to name a few.

He also supported cyber security requirements for Medicaid’s Delivery System Reform Incentive Payment (DSRIP) Program at 2 of New York’s largest PPS’s (Performing Provider Systems) Northwell Health and NYC Health and Hospitals.

He has supported the IT Risk Management and IS Security initiatives of organizations that include Excellus BCBS, Medimmune/ Astra Zeneca, MERCK, ENDO Pharmaceuticals, Novo Nordisk, Daiichi-Sankyo Solutions, Johnson and Johnson, District of Columbia Government office of the Chief Financial Officer, District of Columbia Water and Sewer Authority, City of Richmond, Virginia Department of Public Utilities.

Ohio Implements Data Protection Act

The state of Ohio has implemented its Data Protection Act to encourage businesses to voluntarily adopt strong cybersecurity controls to protect consumer data.

Senate Bill 220, the Data Protection Act, was sponsored by State Senators Bob Hackett (R-London) and Kevin Bacon (R-Westerville) and was signed into law in late 2018.

Senate Bill 220 provides different industry-recognized cybersecurity frameworks which a business can follow when creating its own cybersecurity program. In order to receive the benefit of the safe harbor, a business must create its own cybersecurity program.

The legislation provides an affirmative defense to a lawsuit which alleges a data breach that was caused by a business’ failure to implement reasonable information security controls.

Businesses are only required to incorporate one of the frameworks into the business’ cybersecurity program […]

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

, an industry-leading educational research organization, has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.” analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses so students can complete two courses per semester. noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation […]



Is Your Data Breach Response Plan Ready?

Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.

In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.

Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.

Security: How have typical responses to data breaches changed over the past five years?

Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.

One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.

Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.

Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?

Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49% of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.

Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.

Security: When auditing their data breach response plan, what in particular should security leaders be looking for?

Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.

Security: What are the top three issues business security leaders should plan for next year?

Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.

Security: Are there any key tools or strategies security leaders can use to better engage with the C-Suite?

Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.

There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss […]




Nearly Half of Americans Willing to Give Brands a Pass for a Data Breach

New data shows that the U.S. public is surprisingly forgiving despite data breaches and controversies as long as companies demonstrate good faith.

The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain also found that 42 percent of U.S. consumers surveyed report at least being open to forgiving the brand, while 7% refuse to forgive brands for allowing bad actors access to their personal data. Fourteen percent have lost all faith in an organization’s ability to protect their data. Nevertheless, consumers are increasingly taking control of their data into their own hands, the survey found. For example, 71% report downloading software that protects their data privacy or otherwise helps control their web experience. But Janrain’s survey brings good news to brands that are evaluating their consent-based marketing processes and capabilities in response to regulatory requirements or to strengthen customer relations.

If given the option, most people (55%) would let companies they trust use some of their personal data for specific purposes that benefit them in clear ways, the survey found. Only 36% wouldn’t let any company use their personal data. Sixty-six percent like the idea of being able to alert companies when they’re interested in something as long as they could “switch it off” when they’re no longer interested. Only 16% aren’t interested in this even if it came with preferences control.

When Janrain probed to gain more understanding about how effective digital brands have been in using consumer data to personalize their online ads, only 18% said ads “often” seemed to understand their needs, presenting brands with an important area for improvement. The largest bulk of respondents (47%) reported that these ads do seem to understand their needs at least “sometimes” while 26% said ads “hardly ever” understand them. Nine percent said online ads “never” do.

When asked whether they’d walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said “yes” while 24% said “probably.” Fifty-four percent said it depends on whether the business is trusted or the only option.

Sixty-six percent of those surveyed renewed their call for GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security and control of their personal data. Janrain asked a similar question in May of 2018 to which 69% responded favorably to more regulation in the States. This time, Janrain’s findings show consumers not only want more regulation, they believe it will actually help in the wake of high-profile breaches and controversies affecting well-known organizations such as Yahoo!, Equifax and Facebook. Only 9% believe such laws would be ineffective while only 6% believe more regulation would be too hard on businesses and the economy […]



Attention CEOs: The Great CISO Renaissance is Coming

In 2015, the Boston-based security advisory firm K-logix predicted an increase of Chief Information Security Officers (CISOs) reporting to CEOs, and in 2017 the NACD provided guidance to boards on basic cyber security principles. However, CISOs continue to struggle for widespread recognition as an executive officer. Although the CISO is responsible for integrating privacy requirements into security program controls, the EU’s General Data Protection Regulation (GDPR) introduced and catapulted a new role into the executive ranks in 2018. The regulation creates a new “Data Protection Officer (DPO)” role serving as a quasi-regulator for EU Data Privacy compliance enforcement who must report to the highest levels of management. Data Protection Officers usually fall under the Compliance leadership function closely associated with the General Counsel or legal department, and are integral to the company’s data privacy program oversight. In contrast, the CISO, who is responsible for technology risk management, may report through a number of executive functions depending on the industry and company. The General Counsel is no stranger to the executive table, so it should be no surprise that the new DPO role leapfrogged the CISO in the corporate hierarchy.

Although CISOs have been improving their business and risk management acumen by focusing on non-technology-based topics such as GDPR compliance, Third-Party Oversight and Enterprise Risk Management at recent security conferences, the majority of job descriptions for CISOs continue to describe both tactical and strategic duties and continue to list the role under a CIO or CTO. In response, an increasing number of seasoned CISOs are opting for independent consulting work in the growing Gig Economy rather than struggling for budget and resources within a company only to be sacrificed when the inevitable data breach occurs. If the unique challenges with rank and responsibility continue, the role of the CISO could become a standard appendage to a company like an independent CPA firm or external counsel providing advisory guidance.

If you are a CEO considering whether you want a CISO on your leadership team, I offer the following reminders regarding the CISO:  

  • The role of the CISO is strategic, not tactical

Some organizations proudly announce they have passed their SOC 2 independent audit report without any findings to communicate the maturity of their security program.  If those organizations were expecting a “clean” SOC 2 audit report to eliminate the need for a customer assurance program, an experienced CISO knows that a SOC 2 report can be crafted to scope out the “dust and cobwebs under the carpet” and only focus on the shiny production service or solution offered to customers.   Rarely are SOC 2 reports accepted on their face as adequate governance of an enterprise risk management program. Additional audits and evidence will likely be necessary to satisfy partner and customer inquiries.

In another example, security solution providers usually begin their sales pitch by describing a legitimate business problem.  However, they quickly shift to focusing on the product features rather than recognize the business problem in context of other risks an organization may face as the company’s executive team would do at a risk review.

The fallacy in both of these examples is the assumption that successful execution of a tactical project will translate into a strategic solution.  The truth is that the problem being solved may or may not be significant in the organization’s big picture, and the CISO should not waste time and resources on low priority problems.  By elevating the role to the strategic level, the CISO will have the appropriate context to consider operational risk challenges within the organization. For example, a survey by Soha Systems reported that 63% of data breaches – nearly two-thirds – are attributed directly or indirectly to Third-Parties according to IAPP.  If the CISO is focused exclusively on the technology used to secure products or services, the company could be missing the larger threat from the access granted to merchants, vendors and subcontractors.  The operational risk has little to do with technology and more to do with processes and permission management.

  • The role of the CISO touches the whole organization just like the Privacy Program

The privacy program and security program are complementary teams – like a right hand and left hand.  Although they serve similar functions within the organization, they are not the same. The privacy office defines the privacy requirements for the business and the security program creates and implements the controls needed to achieve those requirements.  Security and privacy programs are often combined under an Enterprise Risk Program. Much the same way a privacy program includes human resources, training, sales & marketing, corporate communications, legal & compliance, finance, and information technology stakeholders, so does the information security program.  However, the privacy program is dependent on the security team to implement the necessary controls. If the DPO reports to the CEO and/or Board of Directors, but the CISO is not at an equivalent level or is external to the organization, maintaining a current status of the security program may be more challenging than necessary due to office politics and hierarchy.  The right hand and the left hand should communicate equally with the brain to successfully perform a complex job requiring both hands, or the right hand may not know what the left hand is doing.

Similarly, if the CISO’s budget is nested within a CTO or CIO’s budget, re-allocating funds to other departments with deficient security controls is an uphill battle for the CISO.  Assume that the CISO has determined that risk associated with third-parties is the biggest risk for the company, but the procurement and/or human resources department need additional resources to screen contractors and other partners adequately.  If the CISO relies on a cost center such as the CTO or CIO to present the case to the executive team for additional funding, the message may diminish in translation, and the CIO or CTO may perceive higher priorities within the department. Providing the CISO with a seat at the table in executive team meetings will not only optimize spending decisions but will also improve collaboration and improve security and risk awareness among the executive team.

  • The role of the CISO is becoming a Regulatory Requirement

The Ponemon Institute has listed “Appointment of a CISO” as one of the factors that mitigate the cost of a data breach for several years. Not surprisingly, regulators are beginning to require the appointment of a CISO as a compliance requirement. For example, the New York Department of Financial Services mandates that “a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, ‘Chief Information Security Officer’ or ‘CISO’)” be appointed for each entity covered by the regulation. Furthermore, the CISO is required to provide an annual written report to the board of directors or equivalent governing body on the cybersecurity program and material cybersecurity risks. Although the New York regulation requires an annual report to the board, the CEO should receive regular and recurring status on the cybersecurity risks for the company. In light of the additional focus on security and data privacy generated by public outcry, similar requirements may permeate to other jurisdictions in the form of similar regulations.

  • The role of the CISO includes some Individual Professional Liability

As referenced above, audits of corporate security and data privacy programs require that the individual responsible for the governance of the program be qualified for the role and maintain his or her skills through continuing education. This control is often addressed by requiring, in the job descriptions for these roles, industry recognized certifications that carry continuing professional education (CPE) mandates, a code of ethics and a duty to the profession as a condition of certification. Loss of a professional accreditation such as a CISSP, CISM, CISA, CRISC or C|CISO in the case of a CISO, or a CIPP or CIPM in the case of a DPO, is a potential risk to be weighed when considering a role within an organization. Both CISOs and DPOs are likely to request Directors’ and Officers’ (“D&O”) Insurance / Professional Liability Coverage under the corporate policy as a condition of employment.

Under GDPR, regulatory fines for a company can reach 4% of annual turnover or 20 million EUR for a privacy breach.  Some privacy professionals view the regulation as a “stacked deck” mechanism for funneling revenues to the EU from US companies.  Impacted companies are presumed guilty under the regulation’s “Accountability Principle” and requirement to demonstrate compliance with “Security by Design” and “Security by Default.”

If that assessment is accurate, lawsuits against both companies and the officers responsible for the security and privacy program issues are likely. Companies need to be wary of potential criminal prosecution risk associated with mishandling of protected information. CISOs who have their professional credentials provided to regulators, government agencies and customers as evidence of their qualifications will be reluctant to have their communications filtered through another corporate officer, especially if recommendations are not implemented because of other risks. If an independent or fractional CISO is required to carry professional liability insurance to cover regulatory fines on that scale, the premiums for that level of coverage make the costs for their services exorbitant, and the company will still need to cover its own liability insurance premiums. In-house CISOs covered under the company’s liability policy make more fiscal sense for regulated industries, avoiding paying twice for the same coverage. Previously unregulated companies are finding themselves within the material and territorial scope of GDPR and are being introduced to compliance requirements and fines, and they are only beginning to understand the impact to their organizations.


Experienced CISOs with an appreciation for the concept of enterprise risk are venturing out to form their own advisory practices in the booming “Gig Economy” where they can choose their own clients, travel schedule, industry and risk tolerance. If nothing changes, the trend towards “freelancing” is expected to continue. With full control over pricing and insurance for “gigs,” these freelancers are able to set their own rates commensurate with the risk associated with the opportunity. According to, 34% of the total workforce, nearly 53 million Americans, were freelancers, and this number is expected to increase to 43% by 2020. The irony is that the growth of the Gig Economy is only increasing the challenges for the CISOs who remain in corporate America. Managing risks associated with contractors increases in complexity as the number of third parties engaged by an organization increases, so a critical mass is building.

The problem with the independent consulting option is that many CISOs really do WANT to be a part of a leadership team and would choose that option if offered to them.  These executives rely on teamwork to make the program successful and being an outsider who may or may not be able to use the name of their client as a reference diminishes the personal fulfillment and recognition in a job well done.  Creating a direct reporting relationship between the CEO and the CISO is one of the best ways to demonstrate management’s commitment to the security program, save insurance costs and increase efficiency of the security and data privacy programs.  With improved visibility to enterprise risks, CEOs can be assured their teams are working on the right problems and the security prowess of their leadership team expands through increased exposure to and collaboration with the CISO.

Donna Gallaher, CISSP, C|CISO, CIPP/E

Ms. Gallaher served as a C-Level Strategic Advisor in IT and Cyber Strategy for multiple global companies for over 15 years drawing from her previous successes in engineering, solution selling, IT operations and leadership.  She provides value to clients by thoroughly understanding business and regulatory requirements, assessing obstacles and translating technical challenges into business risks allowing technology to function as a business enabler.

Ms. Gallaher serves on the Board of Directors of the Technology Association of Georgia Information Security Society, Evanta CISO Southeast Governing Body and is active in the local ISSA and Cloud Security Alliance chapters.  She is active in the lobby efforts to shape cyber security legislation and her recent articles have been published on the National Technology Security Coalition website.

Ms. Gallaher holds CISSP, CCISO, CIPP/E and ITIL certifications and is a graduate of Auburn University with a Bachelor of Science in Electrical Engineering.