Category

CISO-as-a-Service

NIST 800-171 is being enforced!

By CISO-as-a-Service, CISO/Management, Cyber Security, Risk Management No Comments

In October 2017 I wrote how the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 required contractors to implement NIST Special Publication 800-171 by December 31, 2017 regarding data protections and safeguards around Controlled Unclassified Information (CUI).

Similar to the first implementation of the Healthcare HIPAA regulations, we did not see an immediate attempt to audit and enforce the requirements of the mandate.  I stated then that failure to follow the requirements would result in breach of contract with the government (Department of Defense).  After the publication of NIST 800-171, there were many questions around what constituted CUI. Furthermore, if you read the language in government contracts, you will see how ambiguous the definitions of data protection requirements really are.  We’ve discovered that most contracts do not always follow the requirements of the rule; see 252.204-7012 (a);

1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Many prime contractors have told us that they are waiting to see what enforcement steps would be implemented and/or until the regulations were fully ratified (The latest version, as of today’s date, can be found at; https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final and Revisions 2 will be published soon).  These “wait and see” companies felt their partial implementation of the regulation was “good enough.”  We have pushed existing and prospective customers on the fact that there are many risks beyond simply the contractual requirements to achieve compliance and that doing so early on could save them headaches, costs, fines, etc. in the long-term.  At Cyber Self-Defense, we’ve responded to many actual data breaches across many industries which were highly preventable, and we continue to encourage customers to become compliant as soon as possible.  We encourage our customers to get ahead of the curve and develop a risk-based cybersecurity program for the sake of enabling the business’ success; noting that compliance becomes easier and less expensive when done according to the needs of the business and implemented in a manner that is compliant with regulations and contractual requirements.

Well my friends, this discussion has just turned another corner!

In January of this year, the Under Secretary of Defense, Ellen M. Lord, sent a memorandum to a large number of organizations directing them to enforce the provisions of the contracts.  (Found here, https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf

Lord asks these agencies to begin to audit ensuring compliance with the requirements.  Specifically;

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

To ensure that a similar approach may be taken at companies for which DCMA does not administer contracts (such as the Secretary of the Navy’s ship building contracts), we will work with representatives of those communities to implement a similar solution.

So, what does this all mean?  We believe this will be similar to what happened with the implementation and enforcement of the HIPAA regulations.  Companies will wait for enforcement to begin, and there will be a mad rush to become compliant.  In the meantime, these companies will be the targets of cybercriminals, they will be the new “low hanging fruit,” and ultimately suffer the negative impact of a breach compounded by the heavy fines or contract cancellations.  We encourage you, if you are not following a cyber security plan which truly enables the business, to prioritize building a comprehensive program.  EVERYONE is an unfortunate target of criminals!

Please don’t delay. The longer you wait the greater the risk of non-compliance becomes. Let us help you solve the mystery of cybersecurity by assessing your current state program and designing and implementing compliance and data protection. Contact us today!

Cybersecurity Leadership (CISO): A Modern Approach to Cybersecurity

By CISO-as-a-Service, CISO/Management, Cyber Crime, Cyber Security, Defensive Tactics, Risk Management No Comments

Businesses have a corporate responsibility to secure their own and the information they have been entrusted with. Many companies believe that this is expensive, not their responsibility, etc. They also assume (usually incorrectly) that the IT department is handling cybersecurity. Most companies lack the talent necessary to build a security  program that is cost-effective, enables the business for success, and has the necessary depth. When the Cyber Self-Defense team speaks with companies, they tell us they do not know where to begin. Our answer to this issue is always the same; start by hiring the right talent to make you successful. CISO-as-a-Service® might be your answer!

Talent

At Cyber Self Defense, we often hear that cybersecurity talent is becoming harder and harder to come by. With the increasing level and complexity of cyber attacks, companies are looking for cybersecurity teams to help them to build their programs, yet job requisitions remain unfilled.

Trends

This is what we know;

  • Cybersecurity professionals are demanding more money.
  • Companies are creating positions that are vague, all-encompassing, and that fail to help them to build a comprehensive cybersecurity program.
  • Companies are electing to hire junior professionals who are unqualified to lead the program; with no strategic or leadership experience.
  • Companies are compromising on experience, qualifications, and other critical knowledge factors, just to get someone in the role.
  • Companies are over-spending on technology because they do not have the strategic outlook and risk-based approach which is so critical to any cybersecurity program.
  • Audit Pleasing- many companies build their cybersecurity programs to please auditors; they fail to see the need for true security. They also fail to see that a properly built program can be done at about the same cost of program meant only to “check the box”.
  • Companies add technologies that are just sitting in the racks.; we have seen situations where systems are installed with less than 10% of the features configured and used. Please see my article on “Blinky Light Syndrome”.
Common fears of hiring a CISO-as-a-Service®

1. Is the CISO-as-a-Service® a group of professional consultants who have no real-world experience?

  • The one thing we hear from our customers, when wanting to hire a CISO-as-a-Service® is that they tend to get “professional consultants”. It is important to hire companies who hire individuals with real leadership level experience building cyber security programs, while an employee of the company.
  • Professional consultants are great, but unless they have the practical experience of managing a program for an organization, they will struggle finding the correct balance between security and operations. They will also struggle with the political aspects of building a program.
  •  Any leader can tell you that there is a huge gap between the professional consultant and someone with full-time experience.
  • You should interview YOUR CISO and determine if he/she has the requisite knowledge and skills to make you successful. We enjoy having people interview us, as they would an internal employee. We would be glad to provide you with a resume of your CISO to show their qualifications.

2. Is there a conflict of interest, when a company comes in as a CISO and then sells us their other products and other non-related services?

  • It can be a conflict of interest if your CISO-as-a-Service® professional is a part of a large firm that sells products and other services; occasionally, they tend to push you to purchase their products, meaning the CISO might have not have your best interest at heart. Instead of being fully vested to ensure a purpose fit program for the company, he/she might be forced to push product and services.

3. How can a part time company build a program faster and cheaper than our internal employee?

  • A CISO-as-a-Service® professional hits the ground running with the tools, tricks of the trade, and other pieces of information that can make a huge difference in the overall successful delivery.
  • We have discovered that being a third party, your professional opinions are more likely to be considered. Many times, an internal person must deal with too many internal politics.
  • With a professional company, you do get the collective knowledge of the team. This benefit is critical to your success.

4. I am the acting CISO or want that job; I am the CIO and do not want to look bad; or I have other fears that this company will displace me, my team, or others and or damage my reputation.

  • As a consultant with experience performing in this capacity, it is our job to make you successful, based on your definition of success. Your CISO should ensure that your company is highly successful in all aspects of the process.
  • It is also our responsibility, as it would be in a full-time CISO, to ensure that we mentor staff and prepare them to take over for us.
  • We should be a core part of the TEAM that is designed to enable the company to succeed.

5. Is a CISO-as-a-Service® just going to come in, drop templates on my desk and have me implement them?

  • No unless they don’t want to succeed! This person should be YOUR CISO and perform is the SAME capacity, just on a part time basis.
  • Any templates or other tools that are brought in should be used as a starting point, above ground level, to allow a faster (controlled) implementation; No template is a one size fits all, it must be molded to your company. It must have an implementation strategy. It must be your company’s established program that is implemented through a formal process that follows your company’s normal flows.
Conclusion

A responsible company knows that to run their company correctly, they must have the correct leadership! Most companies would never ask corporate attorney to lead the IT department. At the same time, most companies would never place a paralegal into the corporate counsel position.

We believe that the same is true for companies who make the Chief Information Officer (CIO) in direct charge of cybersecurity. Most Chief Information Officers (CIOs) will tell you that they are not comfortable managing cyber security and IT at the same time; these can be conflicting. We’ve also found that companies who place a Security Analyst into the position of strategically building a cybersecurity program will fail to recognize a comprehensive, risk-based, and cost-effective solution that truly enables the business to succeed. Hire the right person for the job and you will reap the rewards of your decision.

We look forward to your feedback on our website; www.cyberselfdefense.org

CISO-as-a-Service®

Cyber Self-Defense was built as a result of a growing demand in the marketplace seeking out knowledge, expertise, and leadership in cybersecurity and risk management.  Our clients wanted us to bring in our templates, processes, experiences, and our collective knowledge and put it to work for them.  They wanted people who had built programs from the organically — from the ground-up. They wanted people who were known for enabling the business through cybersecurity efforts, not people who shut the business down with high costs and inappropriate rules. This is how we grew into a full-time business which has positively and directly contributed to the success of our clients.

Cyber Self-Defense has years of experience in reducing your cybersecurity risk and we would love to work with you on all your cyber risk needs. We make cybersecurity attainable for all organizations, without inhibiting your ability to work and make a profit. Cyber Self-Defense can be reached at: (866) CYBER-96 or on our website: www.cyberselfdefense.org