News broke recently that the an investment advisory firm agreed to pay $75,000 to settle U.S. Securities and Exchange Commission charges, that it failed to have a cybersecurity policy in place before a breach compromised 100,000 individuals’ personal information. This is the latest example of regulatory and compliance enforcement by a federal agency and companies of all sizes should be paying attention. While the amount of the settlement isn’t headline grabbing, the actual enforcement of standards of care relative to cybersecurity is.
Regulatory compliance isn’t nearly as appealing as stories about large data breaches or Chinese hackers, but it generally highlights the kinds of fundamental blocking and tackling activities that lay the foundation for better security. Buying tools is easy, creating and implementing the policies and processes that will measure their effectiveness and ensure full deployment and optimization is not. Policy doesn’t stop attacks but it does force an organization to be thoughtful about what they will do and what they won’t do against the reality of their appetite for risk and more importantly their budget.
I recently had dinner with an accomplished CISO leading a multi-national corporation who bemoaned the focus on tool purchases and tactical day to day threats. As a former military officer he inherently knew preparing a concept of operations for the mission is the first step in organizing for victory. This means focusing on the “boring” things like strategy, capability, process, and logistics so that you optimize your chances for winning the war.
It’s hard to put a focus on policy and process when you’re trying to run a business but this latest action by the SEC highlights the importance and cost of doing nothing. CyberSheath can provide your organization with an integrated view of all information security activities that enable you to reduce risk, demonstrate business value, and optimize your people, processes, and technology. Our certified consultants are experts in Compliance and can arm your organization with information and guidance needed to avoid an unnecessary lawsuit, as described above.
How Can CyberSheath Help Your Organization?
To learn more, visit our Governance, Risk and Compliance service area where you can download a datasheet detailing our unique GRC approach. CyberSheath will also be attending the RSA Charge Conference Oct 21-23, where industry experts will be meeting to discuss the strategies and tools that will armor your organization for the security battle you fight every day. CyberSheath is a proud Gold Sponsor for this event, for more details on how CyberSheath will be contributing click here.