September 2019 - Fractional CISO

Here’s a scenario: You are sending a confidential email to an employee at another company that’s based overseas. You need to share the information with the person at that company, but you don’t want the information to get out beyond that connection. How many organizations will have access to that email?

Answer: More than you would like!

Let’s set up the scenario, and break down who might have access.

Your company uses Microsoft Office 365 for email, and the receiver uses Google’s G Suite. That means there are copies of your emails with both Microsoft and Google.

So here’s the thing: both of these companies use different third-party email scanning tools. Those companies have or had access to your email. Somebody has been able to peer in while operating the security infrastructure of each platform, even if a lot of the scanning is automated.

Seconds after you pressed ‘send,’ four organizations had access to your email! That’s not all, though – there actually might be more. Does Google or Microsoft use third party data processors? Do they partner with email scanning vendors? Sure, they may say all of their vendors have “the same commitment to privacy and security” and everybody is conversant in GDPR. That still means all of those parties have access. It’s just what they do with it that is governed by privacy rules.

In addition, both parties on each end of the pipeline use desktop and mobile email, so there are copies of your data with those devices.

But wait, there’s more…

Your counterpart uses lots of email integration tools for better managing email. It turns out that several other companies have access to the email! Yes, the kinds of optimization tools that offer us streamlined CRM (Customer Relationship Management) and good data insight also port data to various parties, increasing the footprint of who has access. This is turning into quite a crowd!

Then there’s the cloud. Both of your organizations back up the email to different cloud services. It might be public, private or hybrid cloud. They might use edge computing or cloud gateways. The bottom line is: while cloud offers the convenience and value of porting information through the global internet, it also gives those vendors additional seats at the table when it comes to access. That’s why, in the early days of the cloud, so many executives and other skeptics spent so much time looking at the vendors’ security practices. They didn’t just take the vendor’s word for it. Now, a lot of people have calmed down on cloud security. That doesn’t mean there aren’t any remaining concerns!

Let’s keep going.

Other people who may have access:

Both organizations have administrators who can get access to the email.

Your counterpart gives email access to his admin team.

His wife sometimes has access to his phone.

He forwarded the email to one of his colleagues, which subjects the email to even more copies!

You don’t know it, but your recipient is also party to a legal action, and his email is subject to government subpoena!

Some of these aren’t even on the radar for most of us. How would you know if a lawyer was peering over somebody’s shoulder? You wouldn’t – until some kind of glitch happens.

Likewise, with the wife and husband stuff.

Challenge Summary

In summary, there are somewhere between 10 and 100 copies of the confidential email that you sent floating around the web. All copies are subject to both legal subpoenas and illegal hacking… now how confident do you feel about the confidential information that you sent?

Email is inherently prolific: in other words, there are always copies being made. Between the cloud services, device copies, backups, and the number of parties involved, the number of copies swells easily.

There has to be a better way!

Confidential Message Best Practices:

There are several ways to improve privacy with your sensitive messaging, without resorting to sending messages via carrier pigeon.

Use secure email features such as G Suite Confidential mode. It is a tool Google provides to restrict the ability to copy, print, or download the email. You can also expire the email and require an SMS passcode to access it.

Don’t send the content in email. Keep the confidential part in a shared repository like Office 365 OneDrive or Google Drive and send a link. (There are still copies, just fewer of them and you, in theory, have more control.)
Don’t send the content in email. Use a secure messaging tool like Signal to transmit confidential information. Signal allows users to message, have voice and video calls with the content encrypted from end-to-end.

Don’t send the content in email. Physically mail it or tell in person. But you can use the mail service and don’t need the carrier pigeon!

Summary

Email is handy, but without good oversight, your data ends up all over the place! Use these common-sense tips to play it closer to the vest with what you send.

If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658- 3276 or by email at [email protected].

A Virtual Chief Information Security Officer (vCISO) helps organizations to protect their infrastructure, data, people and customers. A vCISO is a top security expert that builds the client organization’s cybersecurity program. The Virtual CISO works with the existing management and technical teams. You may be wondering if your organization needs a vCISO. This article aims to cover all the considerations for engaging with a Virtual CISO.

How an organization uses its vCISO depends on the business itself. The organization’s structure, products and services, markets and IT context all factor in.

Some companies are content to just sit and wait for problems – but that kind of apathy can be fatalistic.

In most cases, waiting around is a terrible strategy! A Virtual CISO helps a firm to be proactive when initiative counts.

When a company is struggling to implement security, comply with industry regulations, and outpace competitors, a vCISO can help. Virtual CISOs provide guidance and measure the results of the client’s cybersecurity program.

Reading this, you may be wondering if your organization needs a Virtual CISO. Here are some of the things that these top pros can do to help your company toward success and security.

A Virtual CISO: Protect Your Organization

Managing cybersecurity in today’s world is almost indescribably tough. Many business leadership teams, don’t feel up to the challenge, or they understand that outside firepower can enhance a security model.

Most mid-sized firms have some technical personnel or contractors that handle most of the technical needs of security. But who is looking at the big picture of cybersecurity for the organization?

Often this is a CIO, CTO, COO, Chief Compliance Officer or another executive that has a full plate of responsibilities. This executive might not have the bandwidth to cover their enterprise’s cybersecurity program. That gap leads to unnecessary risk!

Other organizations choose to put a mid-level technical manager in charge of security. These folks also have a full-time job. They don’t have the executive presence to influence senior management. They need buy-in for key security programs – especially when there’s a time-sensitive project. It’s not that these people aren’t working hard enough to implement best practices – it’s just that the company doesn’t have the tools that it needs to achieve!

A Chief Information Security Officer (CISO) is a senior-level team member. The CISO establishes and maintains an enterprise’s security vision, strategy, and programs. The role ensures information assets and technologies are appropriately protected. Most large organizations have a full-time CISO to handle their cybersecurity needs. Mid-range companies and smaller may not have such a role. Having a non-security expert in charge of security is a recipe for trouble!

A Virtual CISO is designed to provide expert security guidance through:

Understanding the organization’s strategy and business environment
Providing threat analysis and strategy updates in real-time
Anticipating future security and compliance challenges
Overseeing mid-level and analyst/engineering teams
Discovery, triage, remediation and evaluation of threats

All of this and more contributes to a safer, better positioned corporate vantage point.

Filling In as an Interim CISO

There are many cases where a larger organization’s CISO departs due to a new role, termination or an illness. In these cases, the organization needs a qualified person to manage its cybersecurity. The mandate to “handle security in real-time” means the CISO desk should not ever be empty: if an interim presence is needed, a vCISO is a valuable solution.

Why Do Companies Hire a Virtual CISO?

Companies are getting aggressive about getting a CISO on board for a number of reasons.

One is the range of new cybersecurity regulations that companies have to deal with. Past industry standards like PCI and HIPAA are now joined by bold new privacy and security rules that change how we view the company’s responsibility to safeguard data. Perhaps the best recent example is the European General Data Protection Regulation (GDPR) that’s having so much of an effect not just in the EU, but around the globalized business community.

Then there are the cautionary examples: data breaches splashed across the front page, chilling tales of pilfered data, identity theft, and commercial loss.

These are two of the biggest drivers toward a CISO strategy that plans for every eventuality, including an empty chair.

A Virtual CISO from Fractional CISO

With a vCISO from Fractional CISO, every engagement is a little different. In every case, the vCISO will work to understand your business environment, culture and objectives.

Then the Virtual CISO will get to work on:

Starting a cybersecurity risk assessment based on your organization’s assets
Establishing the organization’s cybersecurity strategy
Building a cybersecurity plan and program
Building a Governance, Risk and Compliance (GRC) program
Maintaining core security operations
Focusing on people including managing personnel, contractors and/or vendors
Building and executing a training strategy

Fractional CISO’s Virtual CISO service also involves:

Understanding the business environment and matching a management style that resonates with the customer
Quickly building trusted relationships with key personnel, resulting in a more successful cybersecurity program
Meeting customer requirements with a flexible Virtual CISO program
Having great templates and systems in place to maximize leverage.

A typical engagement involves being on-site for two to three weeks of the first eight weeks of the process. On-site participation varies based on customer preference and the requirements of the engagement. For more details on the Fractional CISO offerings, check out our services and offerings.

More vCISO Benefits

The key benefit of hiring a Virtual CISO is that you get the same expertise and capability as a full-time CISO. But you don’t have the associated level of overhead, benefits, and training. A firm can achieve its security goals related to prioritization, risk evaluation and training.

Virtual CISO Requirements

It’s important for a CISO to have a sufficient background in security, to understand the security landscape. The CISO has to keep up to date with the latest in the security industry. How can you make sure that a prospective CISO is a security expert?

Cybersecurity credentials can help. A CISSP (Certified Information Systems Security Professional) or CISM certificate is just part of the proof of capability for a CISO. The CISO needs to be able to talk intelligently about systems and compliance and translate that knowledge to teams. This role needs to have “people skills” as well as “tech skills” and expertise in the industry. That combination helps companies to safeguard their systems and re-organize for the business world of the future.

Next Steps with a Virtual CISO

If you would like to discuss whether a Virtual CISO is right for you, please give us a call for a complimentary consultation. We can be reached at (617) 658-3276 and our email is [email protected]. Let us help you to achieve your goals for cybersecurity!

Monthly Archives: September 2019