Conversations in Risk-Based Security

October does not only mean we get to enjoy pumpkin spice lattes and hot apple cider, but it is also National Cyber Security Awareness Month (NCSAM).  According to National Initiative for Cybersecurity Careers & Studies (NICCS), this years’ theme is “Own it, Secure it, Protect it”.  The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) co-lead the NCSAM initiative each year (NCSAM Toolkit).

A risk-based determination of whether – and how – to conduct remote assessments of vendors

Expert Contributors:  Angela Dogan, Lynx Technology Partners and Andrew Hout, Shared Assessments

Given how much time and money virtual assessment of vendors can save companies and their third party risk management programs, it may be surprising to learn that cost and convenience should have little, if anything to do, with determining whether a risk assessment should be performed in person or remotely.

Many of you may have read the recent article by Mary K. Pratt, contributing writer, TechTarget titled, Top 10 CISO Concerns for 2019 Span a Wide Range of Issues.  If you haven’t, check out the link later in this post, it’s worth the read.  Pratt outlined, through a series of interviews with top CISOs, the top ten concerns dominating the CISO’s agenda this year.

With scrutiny on companies intensifying as data breaches become a matter of when, not if, the subject of Third Party Risk Management (TPRM) enters the cybersecurity spotlight more and more. A November 2018 Opus and Ponemon Institute study noted “59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent – up 5 percent over last year’s study and a 12 percent increase since 2016.” Yet, despite this reality, a July 2018 CrowdStrike report notes “fewer than a third (32 percent) of respondents’ organizations have vetted all of their suppliers, new or existing, over the past 12 months.”

An abstract form our highly anticipated MSSP paper, What is the Business Case for MSSP?

The National Institute of Standards and Technology (NIST) advises that similar to financial and reputational risk, poorly managed cybersecurity risk may negatively affect performance and place an organization at risk by reducing its ability to innovate. Decision makers and executives are repeatedly experiencing losses due to their inability to be fully knowledgeable about properly managing cybersecurity risk and complying with guidelines of the established frameworks (such as following some of the key elements of the NIST Cyber Security Framework).

There’s a huge misconception in our industry today that a GRC platform is the end all be all to Third Party Risk Management (TPRM). This is so not true! The key to an effective, results driven, TPRM Program is to take the time to lay a solid risk-based foundation. History has shown, that if you just go purchase a tool and haven’t laid a solid foundation, the tool will not give you the results you’re looking to achieve. Regulatory bodies and Industry standards are embracing this philosophy as well. This process can be tedious and time consuming in the beginning but once complete, your result is a mature TPRM program that is ready to be transitioned into any GRC platform.

Companies spend millions every year on products and services to fix all their cyber security vulnerabilities. Then they spend just as much money on highly skilled, well-trained cyber professionals to manage those systems. All those resources are useless when an accountant, or a C-level’s executive assistant, or an HR manager, clicks a link they received in their email and BOOM.

A close look at the reasons companies fail reveals that there are substantial risks that don't typically fall under the purview of most GRC programs. The Forrester Report, Extend Compliance And Risk Management To What Really Matters For Your Business, explores how companies can improve business performance by expanding the fundamentals of their GRC program to the aspects of their company that drive success with customer interactions, which will in turn drive growth and revenue for the company.

Lynx Technology Partners is a minority, veteran owned, woman lead company so we know firsthand the reason for the holiday. We understand that it was created to be a day of service. Our employees work hard to support our clients by performing services for them and going above and beyond the call of duty but they also do the same in our communities. There’s a HUGE GAP in Cybersecurity Careers and  part of our mission to serve the community is to educate others and expose them to Cybersecurity careers. So, this past week one of our own, Angela Dogan, Director of Vendor Risk and Compliance Services, spoke to the Atlanta Girls Schools, STEAM students about the meaning of Cybersecurity and all of the possible Careers in the industry. This is one of the many ways Lynx Technology Partners decided to perform their day of service.

Lynx proudly announces their selection as a National Best and Brightest Companies to Work For winner. This award recognizes companies that excel at employee relations, use innovation to motivate employees, implement creative compensation programs and more. Winners will be recognized by National Association for Business Resources (NABR) at the National Best and Brightest Summit – Illuminate 2019 symposium and awards gala on September 15-17, at the Renaissance Chicago Downtown Hotel, located at 1 W Wacker Drive, in Chicago, IL.