To help your organization understand and leverage cyber security posture scoring as part of its overall information security management program, this first post in a five-part blog series provides the jump-start you need. Over the course of the series, we will present the concept of a cyber security posture along with a framework and an approach for calculating your overall posture score.

Cyber Security Posture Scoring: How Strong Are Your Controls?

For many years, security frameworks have presented a common methodology for assessing cyber security risks. Recently, frameworks have begun to emerge as a way to also assess an organization’s cyber security posture—a measurement of the strength of the deployed controls that are meant to protect the digital infrastructure. 

One way to understand the difference between a risk assessment and a posture assessment is to consider the case of a major city located on the coastline. A risk assessment can identify the extent to which the city harbor is susceptible to storm surges and flooding. In reaction to that assessment, the city might choose to install offshore barriers. 

A posture assessment would then measure just how effective those barriers are in defending against potential storm surges and floods. The stronger the barriers, the lower the risk becomes in future assessments.

The Key Attributes of a Cyber Posture Scoring Platform

While generating an overall cyber security posture score is important, the platform you utilize should also include attributes that allow you to put that score to good use. This includes making the results comprehensible to personnel with minimal cybersecurity training. The results must also be meaningful and represent the strengths of the risk controls in order to adequately drive prioritized action plans starting at the board and executive level, working its way down to the security operations center and the security analysts. 

The scoring results provided by the leading cyber security scoring platforms are based on industry-standard cybersecurity frameworks. They are also comprehensive—incorporating all the risk signals that the organization is aware of, and then comparing those risks to the controls in place to mitigate the risks. 

Leading solutions also provide extensibility to integrate cyber security posture scoring with other security management applications. In addition, you can incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

The Benefits of Cyber Posture Scoring

While risk assessments are meant to help you lower your risk score, control assessments are meant to help you raise your cyber posture score. The higher the number, the better your security posture. By applying cyber posture scoring, organizations reap several benefits:

  • Measures the efficacy of the information security and compliance programs for the enterprise.
  • Creates a better understanding of the security and compliance posture, and how to address important concerns.
  • Compares internal security and compliance controls against the most common threats.
  • Produces a benchmark to compare security performance against industry peers and competitors.
  • Facilitates communication of cybersecurity reports with executives by explaining security program effectiveness within the business context.
  • Provides additional guidance to help reduce and mitigate cybersecurity risk.
  • Generates machine learning insights to enable proactive measures against risk-inducing behaviors.

In the blogs that follow, we will compare and contrast posture assessments and risk assessments, and cover the basic elements of a posture scoring framework, how cyber security posture scoring works, and how to get started with scoring your cybersecurity posture—including what you need to do before you can start scoring.

In the meantime, should you have any questions or need help generating a cyber security posture score for your organization, visit http://www.cavirin.com/why-cavirin/cyberposture-score or contact Cavirin to speak with one of our security posture scoring professionals.

Instituting Solid Security Standards in Tough Times

The modern Chief Information Security Officer (CISO) faces myriad challenges as they strive to protect company data, meet regulatory requirements, and spread security awareness. Their mission to institute solid security standards is often hampered by a lack of readily available talent and a limited budget.

It’s a difficult, often thankless task, but resourceful CISOs with the right strategy, support, and tools can prevail.

A Varied Role

The lack of a common, widely agreed-upon definition of a CISO’s job muddies the waters considerably. The first wave of CISOs were often tasked with defining the role as they worked, and there are still major differences in the responsibilities bestowed by different organizations.

First and foremost is the need to manage security and protect data, but many CISOs are also now expected to help build security into the infrastructure and train the workforce to be vigilant.

With the mass adoption of cloud services and the proliferation of complex hybrid environments, exacerbated by the rise of the IoT, the virtual office, and shadow IT, CISOs really have their work cut out for them. A difficult job that requires synergy with various departments is fast becoming more difficult.

CISOs must recognize potential threats and evangelize for the security cause to secure the budgets and cooperation they need to be successful.

Spreading Awareness

As cloud adoption continues to gather pace and organizations look for safe ways to migrate vast amounts of data, some security risk is inevitable. Perhaps the single greatest action CISOs can take to combat and mitigate that threat is to train the workforce and advance security awareness. After all, Gartner suggests that through 2022, at least 95 percent of cloud security failures will be the customer’s fault.

CISOs must develop a set of policies that enumerate precisely what action employees need to take when an incident occurs, whether it’s a suspected breach, a malware infection, or something else. Embrace the reality that people make mistakes and focus on how to deal with errors to swiftly correct them and minimize their potential impact.

Every employee should regularly complete a constantly evolving security training program that reflects the latest threats. It’s not enough to tick the completion box and move on; employees also need to be tested to ensure they are following policies. When people fail, further training is required.

Providing Proper Support

When CISOs were asked about their concerns for this year by the Ponemon Institute, most of them named “lack of competent in-house staff” as their primary worry. There’s a dearth of experienced security professionals, and this often leads to people being promoted from unrelated departments and training up on the job. Mistakes are the inevitable consequence.

To help support these security fledglings, CISOs can deploy supportive tools and software that offer an accessible overview of their organization’s cyber posture. (Know what your CyberPosture Score is.)
Automated alerts that highlight potential security issues, alongside clear advice on how to meet security standards and adhere to regulatory requirements, can elevate the performance of inexperienced employees.
By conducting a full analysis of an organization’s security posture, compared with the necessary compliance considerations, best practices, and the latest benchmarks, CISOs can identify gaps in their defenses. This allows them to laser-focus limited resources in the right places.

It’s crucial to bolster novice security teams with configurable software tuned to the required security standards. To effectively safeguard business-critical data, CISOs need the right strategy coupled with the right tools.


New Generation Companies

IT has changed from driving the bottom line to driving the top line for enterprises. Most of these new applications are developed and built using the DevOps model. This movement was driven by new generation companies such as Google, Facebook, LinkedIn, Pinterest, Twitter, etc., places where open collaboration is key and more contributors are encouraged. In addition to changing the business landscape, these companies also built the next set of tools for big data, cloud, AI/machine learning and containers. All of these technologies are mostly open source. This means the demand is rising for companies to get on board. There has been tremendous growth in recruitment activities among organizations that want to boost their open source technology presence. Hiring open source talent was a priority for 83 percent of hiring managers, an increase from 76 percent in 2017. Additionally, containers have been growing rapidly in popularity, with 57 percent of hiring managers seeking container expertise (a rise from 27 percent in 2017). Overall, we are now entering the scale of massive adoption across the business landscape, which drives the need for open source talent.

DevOps and Security Hiring

What are some steps companies and job candidates can take to benefit from this data?

Time to market is key. In the current business landscape, the speed of innovation has gone up dramatically with this new generation of open source tools. Companies need to recognize that they need in-house talent with the right set of expertise for their chosen toolset. Community-based technology fuels big structured and unstructured data. This also means innovative data-management and storage solutions. Both DevOps and SecOps must respond with an “open-source first” approach when it comes to deploying new software and security infrastructure. Almost any business that plans to survive wants motivated, creative people. They need a talent pool that’s more agile. They need the right mix of enterprise-grade folks who know what it takes to build enterprise-grade – secure, highly available, and robust – applications. The newer generation of fast learners who can pick up the new toolset and drive innovation, with security, for the business is in high demand.

How can people who are interested in a career in open source enter the field? 

Jump with both feet into the pool. There are tons of amazing technologies available in the market to choose from. Pick the technology area that’s most aligned with your interest. Study it inside and out and become an expert in the field. Participate in and contribute to free and open source software (aka FOSS). These projects can offer a variety of learning opportunities, and they can even help you start to build a portfolio of your work for prospective employers. Another strategy is to learn how to make the best use of today's powerful open source technologies. Most of these technologies are new (a handful of years old), so it depends on an individual’s attitude and aptitude to become the expert in the field, command top dollar from prospective enterprises for their talent, and deliver results to their employers.

A quick listing of some of the articles where Cavirin's thought leaders were quoted over the last month. These span the who's-who of security publications, covering stories as diverse as GDPR, cyber insurance, and USB drive vulnerabilities. Note that the citations below do not cover our channel launch; please go to our website for more.

  • Cyber Insurance, Security and the Enterprise Challenge
  • Reset Your Routers to Avoid Malware Attack, FBI Warns
  • Canadian Banks Warn Data Breach May Have Affected 90,000 Customers
  • Two Canadian Banks Report Potential Data Breach
  • Could GDPR Be the Best Thing That’s Happened to Marketing?
  • Can behavior-based cyber insurance improve cybersecurity?
  • More Data Leaked from AWS Bucket Misconfigurations
  • EU Privacy Activist Targets US with GDPR Rules
  • GDPR is on the books, Google, Facebook face lawsuits, others scramble to comply
  • Amazon Comes Under Fire for Facial Recognition Platform
  • Five Business Drivers For Organizations Moving To The Cloud
  • TeenSafe Data Leak Shows Cloud Security Weaknesses
  • Moving to the Cloud: Too Many Companies, Too Fast?
  • TeenSafe App Exposes Data on More Than 10K Accounts
  • TeenSafe Tracking App Exposes Thousands of Private Records
  • DHS Cybersecurity Strategy Keys in on Risk, Vulnerability Management
  • DHS Publishes New Cybersecurity Strategy
  • Chili's Discloses Data Breach Exposing Payment Card Information
  • IBM's USB Ban Earns Some Praise, Some Skepticism
  • Bolton's Push to Cut Security Post Not Sound
  • Tech Companies Vow Not to Participate in Government-Sponsored Cyberattacks
  • Bolton, team mull eliminating White House cybersecurity coordinator position
  • IT Management: Do Not Panic over GDPR Challenges
  • Adopt The Right Cyber Posture For Your Hybrid Cloud Environment
  • Twitter Advises Users to Change Passwords Following Encryption Failure
  • Tens of Thousands of Malicious Apps Using Facebook APIs


Introduction of the Cavirin Connect Global Channel Partner Program

This week, we announced our new Cavirin Connect Program, empowering resellers, integrators, and MSSPs to offer the Cavirin CyberPosture Intelligence solution to customers worldwide, solving full spectrum hybrid cloud security challenges.

In the very competitive security market, the channel is looking for new ways to solve customer problems and differentiate themselves. The demand for a solution that provides controlled secure asset migration in complex hybrid cloud infrastructures represents just such a challenge and an opportunity.

Cavirin is ideal for this, as we have the perfect solution for organizations looking to maintain business continuity while moving critical assets in the cloud and in multi-faceted hybrid environments! Cavirin’s CyberPosture Intelligence solution, which includes a wizard-based, API-driven control plane, is simple for the channel to ingest. Cavirin Connect brings tremendous value to their customers while offering a low cost of sale. Cavirin cloud security automation addresses that!

For MSSPs, the program aligns with evolving cloud service offerings and allows them to focus on hybrid cloud service delivery that has meaningful bottom-line impact most important to their consumers.

We help the channel better address C-level concerns of their customers too – security and visibility. Cavirin makes it simple for executives to understand their cloud security defensive posture, to understand potential risk, and to improve their stance against potential threats at low cost.

Unfortunately, organizations haven’t had access to a best-in-class solution like Cavirin that prevents data breaches by giving them unified control over all hybrid assets. It’s simply hard to control and protect what you can’t see! We deliver the visibility and control necessary to secure their entire hybrid cloud theater through our Cavirin Connect Channel Partners.

We’re in the business of making it easy to manage security in complex environments without having channel customers drive multiple silo viewing tools into their hybrid workloads. Cavirin’s atmospheric global control and visibility of the hybrid-cloud security plane allows our partners to deliver value highly sought after by today’s enterprise organizations.

Cavirin Connect equips our partners with the necessary technical and business acumen to enable them to deliver cutting-edge hybrid cloud security to their customers.

We also spent a great deal of time thinking about the onboarding and channel management process. In conjunction with the announcement, Cavirin’s partner management portal based on Allbound is now live, a one-stop shop for deal management, co-marketing, training, all with a goal of reducing the sales cycle and increasing the partner’s win rate. Key components of the program include tiered discounts and a 100% deal registration model to avoid channel conflict while increasing margins.

Inaugural members of the Cavirin Connect Partner Program include Astadia in the UK, Bodega Technologies, InterVision, Lite Distribution in Australia, Logicworks, Scalar in Canada, Titans Security in Israel, Veristor and others. Though less than 20% of our revenue today is via the channel, we intend for this to grow to 100% over time. Partner-driven lower-touch engagements will be the domain of our commercial team, while larger enterprises will follow a high-touch model, also driven through the channel.

Our promise is to deliver an unparalleled onboarding and ‘day-2’ experience that will generate value and cause partners to want to work with us... a win-win for all involved.

Partnership, Protection, Profit with Technical and Business Superiority for our trusted Cavirin Connect Partners. This is Cavirin Connect.

Get information on Cavirin Connect.

Healthcare IT Blog Series - 6 of 6

(This is the sixth post in a blog series - Moving Healthcare to the Cloud. The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


In the last blog of our Moving Healthcare to the Cloud series, we discussed how organizations can operationalize security in order to ensure digital assets remain protected. This blog wraps up the series and examines different ways to measure the success of your efforts to move to the cloud and keep your data secure.  

We hope you have benefitted from our ‘Moving Healthcare to the Cloud’ series. Over the course of the first five blogs, we showed how to identify what steps to take in the cloud journey. It starts with focusing on the why—making the business case for moving to the cloud. We then delved into understanding which of your systems are ready for the journey and which are not.

From there, the series addressed how to assess the appropriate levels of risk for all the assets you are moving to the cloud to ensure confidentiality, integrity and availability. In our most recent blog, we demonstrated how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to breaches.

Some of the key takeaways from our series are the benefits of moving to the cloud, which go well beyond the cost savings. These include improved system and app availability, enhanced ability to manage risk, and increased ability to employ compensating controls and governance.

We also demonstrated how cloud environments are now just as safe—and likely even more safe—than on-premises environments. The key is to assess each of your systems and data sets to determine which ones you are comfortable with moving to the cloud, and which ones you prefer to keep on-site.

It’s then onto integrating your cloud environments with your systems that remain on-premises, and creating a security framework to protect all of your data as it travels across all of your environments. It’s all about implementing the necessary policies and controls, and then leveraging technology tools to control and manage the access of all your end user groups—including clinical staff, administrators, support staff, patients and your Business Associates.

With a plan and program in place, it’s now time to measure how well the policies, processes, and controls are working.

Metrics to Measure Success 

When it comes to measuring the success of moving a portion of your IT infrastructure to the cloud, here are the key metrics to research and analyze:

  • Availability—what percentage of the time can your end users access the applications they need to interact with each other and to do their jobs? Consider the level of availability for all your end-user groups—internal and external.
  • Reliability—if a system or application shuts down, how quickly can it be restored? Is all of the data recoverable? Be sure to test regularly so you know what to expect when a real disaster strikes.
  • Performance—is the throughput sufficient so end users do not get frustrated waiting for responses? For application usage to increase and generate business benefits, the user experience is critical.
  • Capacity—does the cloud environment easily and quickly scale up and down according to the demands on each of your applications?
  • Service—when technical support issues arise, do IT and end users have immediate access to help desk support? Are issues resolved promptly? When necessary, are issues escalated?
  • Cost—keep a close eye on server utilization and “zombie” servers spun up for a specific business purpose but no longer in use. You don’t want to be paying for cloud resources you don’t use.

All of the metrics above should be backed with a clear ‘Code of Ethics.’ The most important aspect of all when it comes to the cloud for the healthcare industry is to ensure data security. Identity management, privacy and access control should be monitored closely. It’s also important to consider how well your cloud environments conform to regulations. If you fail in the ethics arena, the fallout could be cataclysmic.

For specific metrics to determine how well you manage access and risk, as well as how secure and compliant your business is, there is a wide range of numbers to look at:

  • Number of security policy violations
  • Percentage of systems with formal risk assessments
  • Percentage of systems with tested security controls
  • Percentage of non-compliant, weak passwords
  • Number of identified risks and their severity
  • Percentage of systems with contingency plans
  • Number of successful and unsuccessful log-ins
  • How many viruses and spam attacks were blocked vs. how many got through
  • How many patches have been applied

For these numbers to be useful, you first need a baseline that examines where you stand today, perhaps recording the results over a three-month time period. You can then compare those baseline numbers to ensuing three-month time periods. The key is to move the needle in the right direction over time.
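As an added illustration (not code from the original post or from Cavirin), the script below computes four of the numbers listed above from a constructed system inventory and constructed syslog-style authentication lines, then compares a baseline quarter with the following quarter and flags whether each metric moved in the right direction. The system names, users and log lines are all made up for the example.

```python
"""Added example: compute some of the posture metrics listed above from constructed
sample data and compare a baseline quarter with the next one (all data constructed)."""
from dataclasses import dataclass

@dataclass
class System:
    name: str
    risk_assessed: bool      # formal risk assessment completed
    controls_tested: bool    # security controls have been tested
    contingency_plan: bool   # contingency/recovery plan exists

def pct(count, total):
    """Percentage to one decimal; 0.0 for an empty inventory."""
    return round(100.0 * count / total, 1) if total else 0.0

def inventory_metrics(systems):
    n = len(systems)
    return {"pct_risk_assessed": pct(sum(s.risk_assessed for s in systems), n),
            "pct_controls_tested": pct(sum(s.controls_tested for s in systems), n),
            "pct_contingency_plan": pct(sum(s.contingency_plan for s in systems), n)}

def login_metrics(log_lines):
    """Count successful and failed log-ins in constructed syslog-style lines."""
    counts = {"login_ok": 0, "login_fail": 0}
    for line in log_lines:
        if " LOGIN_OK " in line:
            counts["login_ok"] += 1
        elif " LOGIN_FAIL " in line:
            counts["login_fail"] += 1
    return counts

def period_metrics(systems, log_lines):
    return {**inventory_metrics(systems), **login_metrics(log_lines)}

# Direction each metric should move; successful log-ins are context, not a target.
HIGHER_IS_BETTER = {"pct_risk_assessed": True, "pct_controls_tested": True,
                    "pct_contingency_plan": True, "login_fail": False}

def compare_periods(baseline, current):
    """Per-metric delta and whether the needle moved in the right direction."""
    report = {}
    for metric, up_is_good in HIGHER_IS_BETTER.items():
        b, c = baseline.get(metric, 0), current.get(metric, 0)
        delta = c - b
        improved = delta > 0 if up_is_good else delta < 0
        report[metric] = {"baseline": b, "current": c, "delta": delta, "improved": improved}
    return report

# Constructed quarterly snapshots: Q1 is the baseline, Q2 the follow-up period.
Q1_SYSTEMS = [System("ehr-app", True, False, True), System("pacs", False, False, False),
              System("billing", True, True, True), System("patient-portal", False, False, False)]
Q2_SYSTEMS = [System("ehr-app", True, True, True), System("pacs", True, False, True),
              System("billing", True, True, True), System("patient-portal", False, False, False)]
Q1_LOGS = ["2018-01-03T08:02:11Z ehr-app LOGIN_OK user=nurse01",
           "2018-01-03T08:05:40Z ehr-app LOGIN_FAIL user=nurse02",
           "2018-01-04T09:12:03Z portal LOGIN_FAIL user=pat1177",
           "2018-01-04T09:12:30Z portal LOGIN_FAIL user=pat1177"]
Q2_LOGS = ["2018-04-02T08:01:15Z ehr-app LOGIN_OK user=nurse01",
           "2018-04-02T08:03:22Z ehr-app LOGIN_OK user=nurse02",
           "2018-04-03T11:45:09Z portal LOGIN_FAIL user=pat1177"]

def quarterly_report():
    return compare_periods(period_metrics(Q1_SYSTEMS, Q1_LOGS),
                           period_metrics(Q2_SYSTEMS, Q2_LOGS))
```

In practice the inventory and log lines would come from your CMDB and authentication logs for each three-month window; the comparison logic stays the same.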

Increase Value Over Time

As you measure the success of your cloud migrations, strive to improve your metrics in each of the areas listed above so that the value of your cloud environment increases over time. As cloud technologies continue to evolve, you will also want to evaluate how your organization’s use of the cloud should change.

The things you can do today will likely pale in comparison to what you can do tomorrow!

Be sure to check out all of the blogs in our ‘Moving Healthcare to the Cloud’ series, and for more information on migrating your IT infrastructure to the cloud and securing your cloud environment:

Read about how Cavirin can protect your ePHI.

© 2018 Cavirin Systems, Inc. All rights reserved.