Mardi Humphreys, Change Agent, Integration Edge

7. Not having to remember my passwords – Every year about this time I have to either remember (uh, no) or find (ditto) the username and password I created last year for my annual updates (e.g., insurance renewals) and trainings (i.e., don’t ask). Has this prompted me to keep them in a safe place where I can find them once a year? (Again, uh, no.) When I go through the process of changing them, they are so long and involved (e.g., minimum 14 characters, at least one capital letter, at least 16 numbers, at least 11 special characters, etc.) it’s no wonder I fail to remember them or write them down. Luckily in 2022, Passwordless Authentication will become more common.

6. Virtually trying before buying – Warby Parker already does this to a degree with their virtual try-on app. In 2022, Augmented Reality will allow sellers to create realistic 3D models of their products. Since stores’ fitting rooms are still closed (thanks, COVID), I’m looking forward to finally being able to discern if the back pockets on a pair of trousers are deep enough to hold my phones before purchasing them.

5. Smaller mobile phone – 2022 will see 5G normalized. This means I can get a smaller (and cheaper) mobile because phone processors and graphics chips will become obsolete. My Spotify playlist will be streamed to my phone as if it’s a video feed. It also means I don’t have to be so quick to buy those trousers I mentioned in #6.

4. No more colonoscopies – Kohler, Toto, and Google are all working on technology around Smart Toilets. So far, they can monitor health indicators like sugar levels, body temperature, and blood pressure, to name a few. Fingers crossed colonoscopies will soon be extinct.

3. Becoming a permanent couch potato – by changing his company’s name to Meta and transitioning Facebook to one of its offerings, Mark Zuckerberg is declaring the advent of the metaverse. Defined by Zuckerberg as an embodied internet where you are in the content, not just viewing it, 2022 seems to be the beginning of a totally immersive environment. (Yes, like The Matrix. But hopefully, without all the dystopianism.) I look forward to visiting my friends’ Instagram accounts and eating the photos of the food they constantly post.

2. My own personal robot servant – While I’m integrating into the metaverse, someone (or something) will have to keep an eye on things back here in reality. Sure, a robot can clean my floors, but in 2022, I expect to be able to purchase a robot that will also keep an eye out for burglars, make out my grocery list, and give me the answer to Final Jeopardy.

1. Printing my own tiny house – In the interest of making my robot servant’s life easier, I’m willing to downsize to a tiny house. (Okay, maybe it doesn’t care, but I do. That’s what makes me so nice.) Given the current housing stock, I may have to 3D print one. The IEEE Computer Society thinks that 2022 will bring a revolution in fabrication for 3D printing. This will allow for the production of designs that, until now, would have been too expensive. Of course, it may take all of 2022 to 3D print my tiny house.

Kathy Vogler, Communications Manager, Expedient Technology Solutions

I’m a member of a fantastic Dayton area technology leads group. We are homegrown and somewhat modeled after the very successful BNI group methodology. We cover technology from A to Z with one person representing each type of technology touch.  We are all “in technology” these days and we cover a large swath of technology with much of it residing in Gray Areas. 

So exactly what is a Gray Area?

A gray area is an often-used analogy to the area of color that exists between black and white, complete opposites.  To an artist, gray areas result from ambiguity and rich variations that naturally occur in our environments.  It’s been said that the ability to see and think in gray areas is a basic element of intelligence. A price can be expensive or cheap, but the gray area will determine if it’s a reasonable price or a good value.  It’s hard to categorize gray areas because often they are unique.  I saw this and it is a perfect example: A boat is like a canoe and a kayak without technically conforming to either of those categories.  Complex systems, like technology, are literally too complex to model easily.

Are you a Boat or a Canoe?

Who says they are in technology?  Everyone.  Not picking on any particular industry, because most people I know are really awesome people, but unfortunately, there are people who believe they can sell anything to anyone.  Do they say “I am a seller of a specific business product or service”? Nope, these days it may sound something like “I work in business technology and help people manage and reduce costs.”  And, while this is probably true, it falls into the gray area of technology.  Competition is fierce in nearly every business.  COVID took a toll on our traditional methods of working.  Remote and hybrid working changed things immediately and for the future. Supply chain issues are mounting and making us rethink our strategies.  It’s wise for all companies to look deeper into technologies to add to their repertoire. Often, non-technical companies in the traditional sense will acquire a technology team that compliments their existing services and salespeople are compensated for promoting and selling these newly added technologies.  The logic is that it’s all technology since everything plugs into the network.  I believe it’s critical that we always reflect our actual services and resources to our clients to avoid potential failures on their networks.  Businesses completely depend on their technology.  There are experts in all areas of business technology, from one extreme to the other and including all of those gray areas. 

What exactly is business technology? 

Simply put, business technology is any form of technology that is integrated directly into the operation of a business.  Twenty years ago, when I took a job at a technology company, it was fairly straightforward with infrastructure/hardware at one side of the building and programming/software at the other.  Gray area at that time was if your company did both.  As our reliance on the internet grew, so did the complexities of technology.  Ironically, the dot-com bubble burst at about that same time, but progressive-thinking companies survived and flourished.  Voice over IP originated around 1995 and grew to become a business standard.  Video communications, fax sharing, integration of copiers and door alarms all made our work experience more efficient by using the internet.

And of course, the introduction of the indispensable grand champion of smartphones (thank you Steve Jobs) changed it all. Social media arrived, the cloud became a go-to resource, we no longer stored our data on portable files that someone took home, and disaster recovery become a must-have business plan. Additionally, we have artificial intelligence, commercial drones, driverless vehicles, virtual reality, the Industrial Internet of Things, cloud and collaborative robots, and digital everything. We must never forget that cybercriminals evolve along with these changes.

To quote Pink Floyd “It could be made into a monster if we all pull together as a team.”

I mentioned I was part of a technology networking group, and this is how we work together, as a team.  Yes, we have a ton of overlap, and I don’t want to use the term “cooperative competition,” but in our group we each fill predetermined roles and truly help each other.  By doing this, we are collectively helping our clients and the Greater Dayton region with skilled resources in every aspect of technology.

Here are our group’s categories:

• ·         Data integration
• ·         Office hardware/software
• ·         Managed IT services (this is my spot)
• ·         IT coaching
• ·         IT staffing
• ·         IT promotional video
• ·         Structured cabling
• ·         Website and digital marketing
• ·         Fiber optics telecommunications
• ·         Copier and managed print services
• ·         Telecom/phone systems
• ·         Trade association education (this is Technology First’s spot)
• ·         Training and coding
• ·         Cybersecurity
• ·         Hardware OEM
• ·         Robotics
• ·         Software testing
• ·         Virtual reality

It’s an interesting mix and we have a ton of overlap with lots of gray areas to cover. But the plan with this thought process is that by working together we provide transparency and the right resources for our collective clients.  I took a quick look at “cybersecurity” and that one category all by itself has nearly as much gray area as the rest of technology.  It seems we live and work in the Gray Zone.  

If you ask me what my company does, I will tell you “We’re a cybersecurity-focused managed IT services company.”  Sure, we do a lot of other things too, but I think this is a very black and white statement and hopefully easy to understand.  Technology First is the embodiment of this strategy with a mission to connect, strengthen and champion our IT community. Area businesses, and all their employees, will succeed and continue to grow if they are using the right technology resources for their needs. Let’s all be a part of that success as it ripples through our community.

Melissa Cutcher, Executive Director, Technology First

As this year ends, I have been reflecting on our mission to connect, strengthen and be a champion for our IT community. So much has happened this year!

• Technology First hosted almost fifty special interest group meetings to engage regional leadership, to learn and find inspiration in their field of interest. With over 1,000 IT professionals in attendance!
• We hosted our first ever virtual digital mixer in partnership with Jobs Ohio and SOCHE. We had over twenty-five employers and over two hundred students and adults register for the event. It was a tremendous success, and we look forward to hosting the next Digital Mixer on Wednesday, February 16^th, at WSU Student Union.
• In April we launched a new website! The new website is fantastic and allows for peer-to-peer communication through the forums. If you have not checked it out yet…https://www.technologyfirst.org/Peer-Forum
• We hosted a Girl Scout Cyber Challenge in partnership with Girl Scouts of Western Ohio to explore the world of Cybersecurity for a day filled with activities. Activities were led by over twenty cyber security professionals/volunteers. Volunteers tasked just under fifty plus girl scouts with stopping a cybersecurity breach and went through various stations to break through technological based challenges.
• Technology First awarded $5500 in Scholarships to IT students at University of Dayton, The Ohio State University, Wright State University, and Sinclair Community College. To date we have awarded over $95,000 to students across the region! And this year the golf outing raised over $3800 for the Technology First Scholarship Fund!
• We participated in Career Adventure Camp in partnership with Dayton Metro Library and hosted four stations with almost 20 IT professionals who volunteered their time and talents towards to share IT career pathways with over 950 7^th & 8^th grade students. Our volunteers shared their professional journeys and experiences with the students and inspired them to consider careers in IT.
• Taste of IT 2021 was in-person! Wow, what a momentous event and it was amazing to see everyone in 3-D. We had two keynotes, twenty-five breakout sessions, over thirty exhibitors and over 300 IT professionals in attendance. It was a major event full of learning, networking, and fun! We look forward to seeing you next year for the 16^th Annual Taste of IT on Wednesday, November 16, 2022!

AND, oh so much more! We would not be able to accomplish all these remarkable things, and more, if it were not for the amazing leadership and volunteers that make up Technology First. Thank you so much for your support. Volunteers change the world, and we are forever grateful! Thank you for joining us and we look forward to seeing you in 2022!

Cheers!

BY JOHNNY HATCH, AHEAD

Historically, monitoring has been something that could be manually deployed to a set of physical or virtual infrastructures, and once in place, you were good to go. Alerts and events would occur if something went wrong, and the monitoring tool would simply notify you with details about the incident. IT operations teams would nurse their infrastructure back to health, and all was good and right in the world again.

Fast-forward to today, however, and you’ll find a much different situation – one where enterprises are increasingly embracing a culture of DevOps and the world of monitoring is reckoning with the need to evolve and adapt. Production environments are no longer static or perpetual where monitoring is a one-and-done activity. Rather, concepts like observability—where teams are taking a holistic approach to measuring and understanding digital experiences—are being baked into the release management pipeline to ensure every application and every bit of infrastructure being deployed has monitoring attached to it. But how do you get there? What tools and technologies are ushering in this new age of monitoring and observability? The not-so-surprising answer: An intelligent combination of automation and data.

A Call to Automation

As the velocity of software release cycles increases, the manual approach to deploying monitoring agents or instrumenting everything in the release for proper observability becomes impractical and counterproductive. Can you imagine a developer checking in code to a source code management repository, creating a ticket in an ITSM system, and requiring someone within IT operations to manually deploy monitoring to that release? That flies in the face of speed, agility, and what a culture of DevOps is trying to accomplish (releasing better software, faster).

Leveraging automation tools, such as Ansible, Puppet, or Chef, is a great first step toward making monitoring pervasive with every release. This may involve the automated deployment and installation of a monitoring agent, the customization of a configuration file to define what gets monitored, or API calls to the control plane of a monitoring system to register new systems for observation. Fortunately, many continuous integration (CI) tools either have these automation capabilities out-of-the-box or stitch well with third-party automation tools.

Another growing trend we’re seeing in the quest toward making monitoring pervasive is ‘observability as code.’ In the same way that infrastructure as code seeks to codify infrastructure components as configuration files using JSON or YAML for consistent and repeatable use, we can leverage a similar capability with monitoring and observability. Increasingly, we’re seeing observability vendors develop terraform providers to do just that.  Head over to the Terraform Registry and search for your favorite observability vendor to see if they have something listed.

A Data-Driven Approach

Once a repeatable structure has been established to deploy observability in an automated fashion, we can take things a step further in the use and maturity of observability data. If the goal of DevOps is to release better software more quickly, the question of how we do that begs to be asked. Observability provides one answer: by leveraging data about the health, performance, and availability of the application while running in a pre-production, lower-tier environment. You might be asking yourself, “does that mean monitoring and observability should be deployed outside of just production?” The short answer is yes. There are a host of benefits to having the telemetry data to make better-informed decisions about whether or not to promote code from a pre-production environment to a production environment. Many in the marketplace have begun to call this process ‘release verification.’

Among the largest data sources to drive this automated decision-making process are the metrics, logs, and traces from our observability stack. If there is too much latency being identified by our APM tool, too many errors in the logs, or anomalous metrics coming from our applications or infrastructure, then our tooling should be integrated or stitched into our delivery pipelines to throw up a red flag and say, “Stop! Don’t release or promote this code.” In addition to taking automated action, it would also facilitate a quick feedback loop to the development team, providing insight into why it failed so developers can spend more time on value-add activities and less time troubleshooting.

Conclusion

Monitoring maturity has come a long way in a short period of time – especially as the ways infrastructure and applications are architected and released to market have evolved. Learning to become proactive in the use of monitoring and observability data as part of a CI/CD pipeline can be new to a lot of traditional operations teams (particularly for those who have historically focused on incident response activities). However, employing an automated and data-driven approach to the use of observability will result in better software, differentiated products and services, happier customers, and outpaced competition.

Sichi brings more than 20 years of experience growing innovative teams at international technology consultancies. Magnetic co-founders Beck and Barry Besecker will remain active board members.

The pandemic has driven more retail activity to the digital space. This increased demand for standout online and in-app experiences has helped Magnetic Mobile grow new and existing client partnerships. Having recently increased revenue by 85% and nearly doubled its workforce, the company looks to continue that expansion into 2022 and beyond.

“Magnetic has a proven track record of delivering superior customer engagement for our partners and that reputation allows us to take advantage of new opportunities in the current landscape,” said Beck Besecker. “Brian’s vast experience leading collaborative teams at some of the world’s best enterprise-level tech firms will help us capitalize on that momentum, building on our strengths and growing Magnetic’s portfolio.”

Previously the Retail Loyalty Division of sister company Marxent before spinning out in 2016, Magnetic Mobile has partnered with Speedway (now part of the 7-Eleven family) for nearly a decade to support the digital components of its industry-leading Speedy Rewards program.

Magnetic Mobile combines data-driven design strategy with the latest technology to create digital experiences that keep customers coming back for more. With expertise in UX design, content strategy, front-end and back-end web development, mobile applications, and digital promotions management, Magnetic supports every step of the customer journey.

With headquarters in the heart of the Cincinnati-Dayton technology corridor, Magnetic is proud to be rooted in the Midwest. Rapid growth during the pandemic has enabled expansion of its remote workforce, adding top talent from across the country.

Magnetic has developed mobile applications and responsive websites for many of the nation’s top manufacturing and retail brands including Champion Windows & Home Exteriors, La-Z-Boy, and Bob’s Discount Furniture.

“Having been a client of Magnetic’s sister company, Marxent, I experienced first hand the customer focus and innovation that Beck and Barry bring to organizations. I look forward to working with them in their continued roles on the Magnetic board,” said Brian Sichi. “I couldn’t be more excited to join the leadership team at Magnetic and to expand on that legacy as we bring Magnetic’s capabilities to a broader client base while continuing to innovate.”

Sichi brings to Magnetic more than two decades of experience driving innovation at some of the largest technology consultancies in the world. Most recently, he worked as Director of U-Collaborate Innovation & Digital solutions for KPMG Australia.

His previous roles include Exponentials & Analytics Lead for Deloitte’s Leadership Center for Clients and Strategy, Innovation, & Transformation Practice Lead for Capgemini Government Solutions. Sichi is also a Marine Corps veteran, having served in the United States, Somalia, and Korea.

“Magnetic is a high-performing organization positioned to take our success even higher,” said Sichi. “We are a company built for a tech-savvy world and have a great opportunity to help existing and new clients improve their digital brand.”

Chris Kuhl, CISO/CTO, Dayton Children's Hospital

Is your greatest cybersecurity asset that shiny new tool your organization just purchased?  What about the integration between tool A & tool B into a unified dashboard? This is the great conundrum for cybersecurity teams, and I would like to convince you, that your greatest cybersecurity asset is your users.

According to Gartner, an IT research and advisory company, the worldwide cybersecurity market spending is forecasted to reach $170.4 billion in by 2022.  Yet, in 2020, organizations still suffered from a global loss of $945 billion.  I believe it is safe to say that we need a more comprehensive cyber strategy, that includes addressing the human risk along with the technology risk. 

According to the 2021 Verizon Data Breach Investigations Report (DBIR), over 85% of all breaches involved human interaction.  Human interaction includes phishing attacks, human error, misuse of privileges or having easily guessed passwords.  To focus in even more, phishing and passwords are the top two risks to any organization for a third year in a row.  Luckily, you can address all these topics with a security awareness program.

Creating a comprehensive security awareness program isn’t difficult.  It takes the three most challenging resources to acquire: time, leadership support, and an understanding of your organization’s culture. 

The first thing we need to do is replace the old mantra “users are the weakest link in your cyber defense” with “people are the primary attack vector.”  In healthcare, we are talking about people with advanced degrees, years of experience in their respective fields and valuable insight.  None of which is geared towards cybersecurity.

Secondly, we need to survey our users to gain a better understanding of the cybersecurity culture in our organizations.  Once you understand the current culture around cybersecurity, you can begin to develop the four focus areas for your awareness program.

Two important categories were mentioned above, phishing and passwords.  Easy ways to identify/report a phishing email and the use of passphrases instead of passwords should be included in your security training.  That just leaves two additional categories unique to your organization.  If you have a lot of remote workers, you might want to cover how to work remote safely and securely.  If you are doing manufacturing, you may want to cover what to look for with physical security and tailgating into the controlled rooms.

The importance of cybersecurity awareness training has become more front and center in the last 20 months.  Traditional network perimeters are dissolving from a combination of cloud platforms, smart devices and employees working from home more.  Protecting the user’s identity and PC become that much more important.

Our main goal, as cybersecurity professionals, is to secure our organization.  To quote Gabe Bassett, one of the authors of the DBIR, “Your job is not to secure your computers but your organization. And if you’re not securing your people, you’re not securing your organization.”

Cadre Information Security

Alleviating cybersecurity risks comes in many shapes and sizes—and so do organizations. Large enterprises with deep pockets and full-fledged SOC teams adopt the latest technologies and processes to fight back against adversaries. But for mid-size organizations, reducing risk is often constrained to a pick-and-choose approach. With limited funds, headcount, and internal knowledge, those responsible for keeping data secure are left wrangling the tough decisions of what matters most.

Here at Cadre, we firmly believe that there is no “one size fits all” approach. We’ve had decades of experience with a variety of companies—some probably resembling yours. But even still, there isn’t a carbon copy of a security prescription to dole out. However, that doesn’t mean there aren’t best practices that everyone can follow to avoid common mistakes. And that’s the guidance you’re here for after all, so let’s jump in:

1. Don’t discount your value. Many mid-size organizations think that just because they are smaller, they aren’t a target. On the contrary, adversaries often perceive smaller companies as easy targets—and without the proper protections, they can linger undetected for lengthy periods of time.
2. Know where your security gaps are. We all get caught up in the day-to-day work. Especially when there’s new malware at every turn. But it’s critical to carve out time to analyze security risks as the business and world changes.
3. Establish a baseline. If you don’t know what is “normal,” how will you know what activity is “abnormal” on your network and devices? Businesses should have some form of monitoring and logging in place to flag any activity or incident that should be investigated.
4. Inventory your assets, and do it regularly. People and devices come and go. Be sure to complete quarterly asset inventory assessments so you know who and what is connected to your network.
5. Train users on security more often. There is never enough security training. Even the most vigilant users fall for phishing attempts. By creating more training opportunities, companies can move towards a culture of security where users understand strong cybersecurity isn’t only important for the company, but for them personally, too.
6. Evaluate supply chain threats. If recent high-profile breaches have taught us anything, it’s that the supply chain is more vulnerable than ever. We will begin to see it being regulated more, which can impact business function and revenue.
7. Put a business continuity plan into place. The old saying goes, “it’s not a matter of if you will be breached, but when.” Be sure your organization has continuity plans in place covering impacts from basic cybersecurity to core business functions for everything from targeted disruptions to a worst-case scenario.
8. Segment your network. What’s worse than a malicious actor that gets into your network? One that can move freely within it. To prevent this, be sure to segment your network.
9. Patch. Need we say more? Okay yes, patch in a timely manner and in a deliberate fashion. Audit your patching.
10. Accept help. Cybersecurity changes every day. Keeping up with vendors and their technologies, sifting through acronyms, and steadying a finger on the pulse of your company’s security is often an impossible task. Be sure you have a lifeline when something goes wrong or you need an outside perspective from a trusted source.

Of course, this list isn’t comprehensive, but it’s a good place to start. Even if you’re heard many of these best practices before, it can be a gentle reminder that some need renewed attention.

Still struggling with these 10? Need more help getting your cybersecurity in order? Read our blog, 10 Reasons a vCISO May be a Good Choice for Your Company.

SOCHE Announces Virtual Sessions with Employers on Careers in Information Technology

Purpose: To expose High School teachers and Career Guidance Champions to the different career opportunities in Information Technology to better direct students in career paths

When: Tuesdays from 3 PM - 4 PM (19 Oct - 7 Dec 2021)

How: Live 1-hour virtual sessions that will be recorded to share across all schools in Ohio for greater impact

Audience:  High school teachers, career champions,  guidance counselors

Presenter: Employers who have experts in the listed topics >> This could be you!!

Format: 25-minute information session on each topic below (e.g. Computer Programmer) given by Presenter with 5-minute Q&A. Suggested talking points for the presenter are offered below. The presenter can create a PowerPoint presentation or a demo that explains their job.

Presenter Talking Points:

• What is your job and how does it relate to your company’s success?
• What is a typical day like for you?
• How many hours a day do you spend in meetings or working in groups?
• Do you mainly sit at a desk doing work individually or do you have an opportunity to work in different environments?
• Are you expected to be oncall? If yes, how often?
• What education or other experience helped you to get your current job?
• When hiring a new employee in your department, what education does a candidate need?
• What skill do you most value in hiring a new employee?
• What advice would you give a student considering a career in your field?

Contact Information: Please email your timeslot preferences >> Patty Buddelmeyer (patty.buddelmeyer@soche.org)

Nina Wyatt, Senior Technical Consultant, AHEAD

Managing vendor risk has become a challenging standard practice for most organizations today. With the adoption of cloud technologies and globalization of technology service providers, more companies are working to evaluate the security programs of vendors and service providers as well as gain visibility of vendor risk overall. Whether you are tasked with evaluating a vendor’s security program or responsible for maintaining visibility of enterprise vendor risk, both functions present challenges and barriers. Among these challenges, one of the most difficult for organizations to navigate is completing security questionnaires for partners or clients dependent upon their services, as no single industry or company has adopted a widely used standard for the process. This results in teams receiving lengthy questionnaires that all differ in volume and complexity. 

Another key challenge arrives for companies needing to establish a process for maintaining holistic, enterprise-level visibility of vendor risk. The present reality is that most companies find themselves burdened by both of these processes. Below, we’ll explore actionable steps to reduce the difficulty of managing vendor security and risk questionnaires, and steps to enhance the security of your organization through establishing a vendor due diligence review process. 

Simplifying Security Questionnaire Response

Multiple solutions exist to mitigate the challenge of performing vendor security assessments, but very few address the burden of completing security questionnaires. However, you can greatly reduce this burden by doing the following:  

Create a Repeatable Process

• Gather all information about the controls in your environment and provide the same questionnaire to all requestors 
• Eliminate questions not applicable to your business, operations, and environment 
• Keep answers short and simple 
• Create an encrypted, password protected, and centralized repository that includes public-facing/redacted policy/program documents, attestations, security compliance overview presentations, and a single version of your questionnaire 
• Recognize that offering too much information, screen shots, or tool-specific responses can exacerbate the problem 
• Ensure that all questions offer consistent responses whenever possible 

Recognize That Certification Attestation Can Validate Strength of Control Environment 

• Understand how certification (SOC2, ISO, NIST) can help – many topics covered in questionnaires are also covered in the control attestation process 

Recognize Liability Associated with Security Questionnaires

• Acknowledge that security questionnaires can be traced to liability risk, which may be inevitable for some organizations 
  • Upon completing the questionnaire, any future incident may prove a question was answered incorrectly, and organizations can be held liable for negligence or misrepresentation of the “secure” environment 
  • When evaluating the security of another organization, any future incident may prove a questionnaire and risk assessment process to be inadequate, and companies can be held liable for failing to perform an appropriate level of due diligence in vendor selection or monitoring 

This process requires both time and resources, which also introduces liability. If it becomes merely another ‘box’ to ‘check,’ consider revising the process to produce actionable and desired outcomes that enhance the visibility of vendor risk. For example, instead of asking for a policy about vulnerability management, ask for validation that no critical vulnerabilities exist in the environment. Not all vendors will be willing to share this information; however, a documented policy is not equal to control validation – and control validation is the only reliable source of security control assurance. 

Proactively Avoid Missed Business Opportunities

• If gaps are identified in your responses, include a remediation plan with a target date for completion (to prevent voiding potential business opportunities) 
• At minimum, this will show that your assessment processes are functioning and that there is already a plan in place to address self-identified control gaps 

Achieving Holistic Vendor Risk Visibility

If you are struggling to understand your organization’s vendor risk holistically, there are many solutions that can help. As with any great automation capability, process is paramount. Consider the following recommendations to raise your organization’s awareness of vendor risk: 

Establish a Policy or Standard

Begin with a policy or standard for evaluating vendors based upon your organization’s expectations (or regulatory requirements). The policy or standard should be framed by risk exposure and include: 

• What conditions or criteria determine the level of risk associated with a service provider 
• Which reviews are performed relative to the level of risk associated with each service provider 
• How frequently risk will be assessed (e.g., if a vendor is high-risk, consider performing annual reviews; if a vendor is low-risk, consider performing bi-annual reviews) 

It is vital to ensure that you can identify when conditions or characteristics of a service engagement change, as this may translate to a change in risk and require a change in policy (type of review, frequency of review, etc.). Without a mechanism to determine when and how the scope of an engagement has changed, the risk of falling out of compliance with the established policy or standard is heightened. 

Categorize Vendors by Risk

What conditions or characteristics need to be understood to categorize vendors by level of risk? As usual, it depends! 

If your organization has an appropriately structured Enterprise Risk Program, it is likely that these conditions and characteristics are already outlined in what is typically referred to as a risk tolerance or risk threshold statement within your risk management framework or risk assessment methodology.  

On the other hand, if your organization does not have a well-defined Enterprise Risk Program, you may not have achieved a level of growth that warrants one (yet). The good news is that you can inspire risk reduction specific to IT security by establishing a risk assessment methodology that centers around information security risk (availability, confidentiality, integrity). For an information security-centric approach, consider the following: 

AVAILABILITY RISK

CONFIDENTIALITY/INTEGRITY RISK

The process used to evaluate a low-risk service provider should not be equal to that of a high-risk service provider. If you opt to take a broad-brush approach, your department may be unnecessarily expending resources to perform risk assessments that extend little value to your organization. 

Establish a Consistent, Risk-Based Approach

Depending on your answers to the two questions posed above, you’ll need to determine how extensive of a review is warranted. The table below can be used as a guide when establishing a risk-based approach to perform vendor risk assessments.  

It is worth noting that ‘Limited,’ in this context, does not mean ‘less’ review. Rather, it means asking tailored questions directly associated to criticality and/or sensitivity – whichever applies per engagement. The point here is that if a review process were defined and issued to all vendors regardless of criticality or sensitivity (using the aforementioned ‘broad-brush’ approach), you would spend time requesting, collecting, and reviewing information that offers no real value to the organization.  

For example, if a service provider is not providing a critical service, do you need to see a record of successful recovery testing? Conversely, if a service provider is not storing, processing, or transmitting any sensitive data on behalf of the company, do you need to validate that encryption is used? 

Additional Considerations for the Vendor Risk Review Process

The following considerations may be helpful in defining a review process; all provide opportunities to reduce the burden of effort associated with performing vendor risk assessments: 

1. Include business purpose information, such as source departments, relationship sponsors, relevant technology or applications, and dependent business processes. Identifying these factors early on will make it easier to validate recovery capabilities or necessary data protections. 
2. Include questions that assess how critical a service is to validate that a vendor’s recovery capabilities are sufficient. If it is highly critical to operations, this may serve as justification to perform the review more frequently, or to gather information from process owners to determine if contingency plans exist internally. For example, if the service is non-critical, are business continuity and disaster recovery documents or associated questions necessary when the contract itself stipulates SLA language specific to recovery capabilities? 
3. Identify what data is being stored, processed, or transmitted. If highly sensitive data (such as PCI or HIPAA) is involved, you may want to perform the review more frequently or consider specific data protection controls that must be validated before a service engagement proceeds. 

In all cases, the questionnaire and documents requested should directly correlate to the service provided and actionable outcomes. Beware of defining a broad-brush vendor risk assessment process designed to treat all vendors the same way. Instead, employ a risk-based approach that will enable you to perform reviews quickly and effectively in a manner relevant to the service engagement. Doing so will not only provide your organization with valuable risk insights but minimize the burden of effort on your team and program. 

Monitoring & Measuring Vendor Risk

As the saying goes, “what is measured is improved.” Once your vendor risk review process is established, valuable data points can be gathered to increase the visibility of vendor risk. Here are a few metrics worth consideration: 

Vendors by Risk Categorization – Provide visibility to leadership as to what percentage of vendors are considered high risk. 

Vendor Risk Review by Status – Provide visibility to those managing the process, ensuring reviews are completed in a timely manner. 

Vendors with Authorized Risk Exceptions – Offer visibility of current risk tolerance or an indication that too much risk is accepted. Not all vendors will be able to satisfy your security requirements. In these instances, the risk should be documented and distributed to those authorized to accept risk on behalf of the company.  

Vendors with Known Issues – Elevate vendors with known issues to ensure relationship managers are aware of the issues to assist in tracking remediation efforts. Relationship managers can offer value to a vendor risk program by acting as the liaison to help monitor and close any known issues specific to a vendor’s security program. As risk issues are remediated, risk reduction is measurable and shows a direct benefit of the vendor risk review process. 

Vendor Review Resulting in Benefit – Identify when the vendor risk review process results in benefit to the organization. In some cases, information from a vendor review can strengthen contract language or offer variables that can be powerful in the contract negotiation process. Measuring these benefits can inspire the risk team to ensure that as the vendor review process continuously strengthens over time, the benefits outweigh the effort. 

Conclusion

Having the right level of guidance is paramount for organizations that are struggling to complete vendor security questionnaires or those that need to mature their vendor risk review process. Similar to information security risk, vendor risk is no small effort. In that spirit, it is easy to get overwhelmed and inundated with processes that offer little-to-no value to the organization. As illustrated above, the best vendor risk functions are those that are risk-based, actionable, and value-adding. 

Kathy Vogler, Communications Manager, Expedient Technology Solutions

I’ve lived most of my life in a relatively secure and crime free area.  I’m fortunate that my first real experience with personal property theft didn’t happen until 2010 when a trailer was stolen from our barn area.  This was completely shocking for us, at that time we didn’t lock anything including the house.  We have dogs, we have motion lights, we don’t take risky actions and there is no crime.  Well, those days are sure in the rear-view mirror, aren’t they! Everything seems to be fair game these days. The new normal must fall on the side of zero trust.  This isn’t just important to combat cybercrime, it’s for everything.  Businesses need to take physical security seriously.

“I get hired by companies to hack into their systems and break into their physical facilities to find security holes.”~ Kevin Mitnick, 1995 convicted hacker, owner of Mitnick Security Consulting LLC

Physical security is the protection of people, property and physical assets in a fashion similar to steps used by law enforcement. And while the Achilles heel to security will always be the human factor, security experts agree that the three most important components of a physical security plan are access control, surveillance, and security testing. 

Access Control at a high level is about restricting access to a resource and may even be part of your regulatory compliance requirements.  Physical access control limits access and often uses a proximity card or fob, password, PIN or biometrics to unlock the door. For example, an organization may employ an electronic control system that relies on user credentials, access card readers, intercom, auditing and reporting to track which employees have access to a restricted area. This system may incorporate an access control panel that can restrict entry to individual rooms and buildings, as well as sound alarms, initiate lockdown procedures and prevent unauthorized access.

Access Control has five main components:

Surveillance is most often done by video cameras using a video management system.  The surveillance could start at the outer edge of your perimeter to monitor your facility and parking lots to secure your outdoor areas.  These control systems ensure that you will know who enters your facility and when. Your camera systems serve two purposes; dissuasion when a potential thief knows they will be recorded which may prevent the criminal act and if anything does happen you will have a recording of it.  IP cameras are standard and no longer require specialized equipment to handle them.  A simple computer system connected wirelessly can record.  You may even consider adding night vision. Real time alert offerings can send snap shots or video alerts directly to your phone. 

Security Testing or physical penetration testing to assess the ability of the current physical security controls to prevent penetration by the bad guys and the testing of these systems on a regular cadence to ensure their efficacy.  Many cybersecurity breaches occur when attackers find they can take advantage of one or more physical security flaw.  Flaws are as simple as no one monitoring the video feed or through devices that are easy to disarm or avoid.

Armed guards and strong security policies are useless if the bad guys can infiltrate by verbal deception or piggyback techniques to access your facility.  Effective staff training, procedures and personal controls like visitor records are important.  You test your employees by sending phishing emails to see if they will click, you should also test to see if your staff will allow anyone who says they have a reason to be in your facility access.  In large organizations where people don’t know everyone, it’s as easy as slipping in the door alongside someone who has authenticated.  The goal of the bad guy might be to steal property, harm your employees or plug code into a USB port of an open printer that is attached to your network.  Any action like this can cause serious disruption to your operations, ruin your company’s reputation, or steal intellectual property.

Zero Trust “Never Trust, Always Verify”

If the bad guys enter your front door, you should not automatically give them access to everything inside.  How long can an intruder wander around your facility before they are detected or before anyone questions them?  Will the bad guy find sensitive information laying on desks or on the copier? Are there unlocked screens at workstations, accessible phones or open USB ports? There are hundreds of things a bad guy can do in a matter of minutes; plug in a USB with malicious code, clip a vampire tap on a cable, plug in a hardwired keylogger and you are completely compromised.

With a Zero Trust approach to your security including physical security, you can limit access and require further permissions. 

That said, and regardless of you hosting your own or outsourcing this, the interaction of every aspect of security and safety systems is most prevalent at the heart of your data and requires a comprehensive 360-degree review.  Your physical data center (on-prem or in the cloud) represents the epicenter of your customers’ and your company data and should be consistently controlled with security standards including monitoring and securing all environmental elements such as power, cooling and fire suppression.  Your data center should be the primary defense against cyber theft and any disaster that requires business continuity. Trained and experienced people keep physical and digital security systems running effectively.  Employee background checks, security and compliance training, regular access reviews, annual penetration testing against your physical infrastructure, and regular patching schedules for all systems are key.  If you outsource, are your third-party data center providers keeping your data safe? In addition to safeguarding infrastructure, do they have a plan for an active shooter?  Do they have a plan that includes hardened barriers at strategic points in the facility?

The world evolves and the only constant is change. Physical security and cybersecurity have the same weak link that is the human element.  It’s been said that “nice people create critical physical gaps.” Studies show that up to 60% of all people entering corporate offices do so without authentication.  Awareness and response training of your employees (not just the new employees) can go a long way to keeping your people, property, and physical assets safe.

I’m not really ready for Zero Trust at home, but we do lock the doors now.