This is the course that I wish had been available when I started out in cybersecurity! Reviewing contracts from a cybersecurity perspective was new to me. I didn't even understand who is allowed to sign contracts for a corporation. SOC 2 audits were a mystery to me as well — how do you get started? What level of effort does it entail? Should we obtain a SOC 2 report or an ISO 27001 certification?
Many cybersecurity professionals don't have an MBA and may have risen through the ranks as IT or technical staff. As they advance, they are thrust into the business world: they now need to master communication skills and understand the business priorities. They need to understand the significance of CAPEX vs. OPEX. There is a lot to learn!
I hope you will join me for this class where we dive into the many skills necessary to be successful in the business world.
For more info, contact Michelle Stanfield, stanfieldm@bridgew.edu | 508.531.1088 or
Jennifer Reid, j5reid@bridgew.edu | 508-531-2324
Many consultants will provide incident response playbooks, customize them a bit, and then run a canned tabletop. The true value in incident response preparation is the PROCESS, not the playbooks. The process of creating the playbooks is invaluable; the playbooks themselves may well be thrown out the window during a real incident. Tabletops are also essential, since they bring the team together so that the humans learn to work well with one another before an incident forces them to.
Statements of Work
Statements of Work (SOWs) from some cybersecurity and IT consultants are clearly inflated to make it look like they are doing a lot of work.
If your general contractor did the same thing in their proposal it would look like this:
* We will buy nails, wood, glue, etc. (and they would list it all out)
* We will carefully put pieces of wood across each other
* We will then drive the nails into the wood, using best practices laid down by the Massachusetts State Board of Building Regulations and Standards
* We will then measure the work and ensure it meets the highest industry standards
etc...you get the picture.
Instead, wouldn't it be much better if SOWs were simple and goal-oriented?
Something like this:
-----------------------------------------------------------------------------
1. Email is vital for your organization's business. We want to ensure that criminals don't take over your email, or spoof emails so that they look like they come from you. We will ensure that vital emails to your clients, donors, and investors make it through. We will do this by:
* Implementing SPF, DKIM, and DMARC
* Implementing strong authentication
* Educating your staff with engaging and interactive sessions where we explore common scams and how to protect yourself
etc...
-----------------------------------------------------------------------------
Additionally, these SOWs tend to focus on technology instead of the complete picture. Security is not merely a technological problem, and requires more than technological solutions.
Noted security expert Bruce Schneier perhaps put it best:
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
If you're looking for someone to secure your organization, please contact me. I promise you that I will not inflate the proposal with big words or charge you inflated amounts.
Please consider carefully the testimony of Jen Easterly of CISA.
While your organization may not be critical infrastructure, there is a good chance that you support critical infrastructure in some manner. Increasingly, intrusions occur through third parties.
- Are you an HVAC vendor for a hospital?
- Do you produce IoT or medical devices?
- Do you produce software for accounting, lab results, patient records, or other systems used in hospitals or other critical infrastructure?
Then you are a part of this also.
It is vital for all to understand the big picture here.
I also recommend watching the following video - I personally have met the agents and CEOs on this video and heard their stories first hand. This is real. This is not a spy novel.
https://www.fbi.gov/video-repository/made-in-beijing-030722.mp4/view
The internet has brought the battle out of the shadowy world of spies and to ALL OF US.
What does "HIPAA Compliant" really mean?
Organizations should be very careful about bandying about such terms as "HIPAA compliant", "HIPAA certified", or "HIPAA secure." We see these all the time, but as the FTC notes in the article quoted below, using them when you are not actually HIPAA compliant can put your company at risk of fines for deceptive practices.
“Be careful about loose language suggesting some government imprimatur that doesn’t exist. Falsely conveying that kind of approval expressly or by implication violates the FTC Act.”
Interested in helping your organization become HIPAA compliant? Please contact me to discuss.