
Cybersecurity Scoring Blog Series

To help your organization understand and leverage a cybersecurity posture score as part of your overall information security management program, this first post in our three-part blog series gives you the jump-start you need. Over the course of the series, we will present the concept of a cybersecurity posture along with a framework and an approach to calculate your overall posture score.

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring
  3. Using a Security Framework to Measure Your CyberPosture Score

Cyber Security Posture Scoring: How Strong Are Your Controls?

For many years, security frameworks have presented a common methodology for assessing cybersecurity risks. Recently, frameworks have begun to emerge as a way to also assess an organization’s cybersecurity posture—a measurement of the strength of the deployed controls that are meant to protect the digital infrastructure. 

One way to understand the difference between a risk assessment and a posture assessment is to consider the case of a major city located on the coastline. A risk assessment can identify the extent to which the city harbor is susceptible to storm surges and flooding. In reaction to that assessment, the city might choose to install offshore barriers. 

A posture assessment would then measure just how effective those barriers are in defending against potential storm surges and floods. The stronger the barriers, the lower the risk becomes in future assessments.

The Key Attributes of a Cyber Posture Scoring Platform

While generating an overall cyber security posture score is important, the platform you utilize should also include attributes that allow you to put that score to good use. This includes making the results comprehensible to personnel with minimal cybersecurity training. The results must also be meaningful and represent the strengths of the risk controls in order to adequately drive prioritized action plans starting at the board and executive level, working its way down to the security operations center and the security analysts. 

The scoring results provided by the leading cybersecurity scoring platforms are based on industry-standard cybersecurity frameworks. They are also comprehensive—incorporating all the risk signals that the organization is aware of, and then comparing those risks to the controls in place to mitigate the risks. 

Leading solutions also provide extensibility to integrate cybersecurity posture scoring with other security management applications. In addition, you can incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

The Benefits of Cyber Posture Scoring

While risk assessments are meant to help you lower your risk score, control assessments are meant to help you raise your cyber posture score. The higher the number, the better your security posture. By applying cyber posture scoring, organizations reap several benefits:

  • Measures the efficacy of the information security and compliance programs for the enterprise.
  • Creates a better understanding of the security and compliance posture, and how to address important concerns.
  • Compares internal security and compliance controls against the most common threats.
  • Produces a benchmark to compare security performance against industry peers and competitors.
  • Facilitates communication of cybersecurity reports with executives by explaining security program effectiveness within the business context.
  • Provides additional guidance to help reduce and mitigate cybersecurity risk.
  • Generates machine learning insights to enable proactive measures against risk-inducing behaviors.

In the blogs that follow, we compare and contrast posture assessments vs. risk assessments, the basic elements of a posture scoring framework, how cybersecurity posture scoring works, and how to get started with scoring your cybersecurity posture—including what you need to do before you can start scoring. 

Download our whitepaper on the topic: Your CyberPosture Score

Instituting Solid Security Standards in Tough Times

The modern Chief Information Security Officer (CISO) faces myriad challenges as they strive to protect company data, meet regulatory requirements, and spread security awareness. Their mission to institute solid security standards is often hampered by a lack of readily available talent and a limited budget.

It’s a difficult, often thankless task, but resourceful CISOs with the right strategy, support, and tools can prevail. 

 

A Varied Role

The lack of a common, widely agreed upon definition of a CISO’s job muddies the waters considerably. The first wave of CISOs were often tasked with defining the role as they worked and there are still major differences in the responsibilities bestowed by different organizations.

First and foremost is the need to manage security and protect data, but many CISOs are also now expected to help build security into the infrastructure and train the workforce to be vigilant.

With the mass adoption of cloud services and the proliferation of complex hybrid environments, exacerbated by the rise of the IoT, the virtual office, and shadow IT, CISOs really have their work cut out for them. A difficult job that requires synergy with various departments is fast becoming more difficult.

CISOs must recognize potential threats and evangelize for the security cause to secure the budgets and cooperation they need to be successful.

 

Spreading Awareness

As cloud adoption continues to gather pace and organizations look for safe ways to migrate vast amounts of data, some security risk is inevitable. Perhaps the single greatest action CISOs can take to combat and mitigate that threat is to train the workforce and advance security awareness. After all, Gartner suggests that through 2022, at least 95 percent of cloud security failures will be the customer’s fault.

CISOs must develop a set of policies that enumerate precisely what action employees need to take when an incident occurs, whether it’s a suspected breach, a malware infection, or something else. Embrace the reality that people make mistakes and focus on how to deal with errors to swiftly correct them and minimize their potential impact.

Every employee should regularly complete a constantly evolving security training program that reflects the latest threats. It’s not enough to tick the completion box and move on; employees also need to be tested to ensure they are following policies. When people fail, further training is required.

 

Providing Proper Support

When CISOs were asked about their concerns for this year by the Ponemon Institute most of them named “lack of competent in-house staff” as their primary worry. There’s a dearth of experienced security professionals and this often leads to people being promoted from unrelated departments and training up in the job. Mistakes are the inevitable consequence.

To help support these security fledglings, CISOs can deploy supportive tools and software that offer an accessible overview of their organization’s cyber posture. (Know your CyberPosture Score.)

Automated alerts that highlight potential security issues, alongside clear advice on how to meet security standards and adhere to regulatory requirements, can elevate the performance of inexperienced employees.

By conducting a full analysis of an organization’s security posture, compared with the necessary compliance considerations, best practices, and the latest benchmarks, CISOs can identify gaps in their defenses. This allows them to laser focus limited resources in the right places.

It’s crucial to bolster novice security teams with configurable software tuned to the required security standards. To effectively safeguard business-critical data, CISOs need the right strategy coupled with the right tools.


New Generation Companies

IT has changed from driving the bottom line to driving the top line for enterprises. Most of these new applications are developed and built using the DevOps model. This movement was driven by new generation companies such as Google, Facebook, LinkedIn, Pinterest, and Twitter, places where open collaboration is key and more contributors are encouraged. In addition to changing the business landscape, these companies also built the next set of tools for big data, cloud, AI/machine learning and containers. All of these technologies are mostly open source, which means the demand is rising for companies to get on board. There has been tremendous growth in recruitment activities among organizations that want to boost their open source technology presence. Hiring open source talent was a priority for 83 percent of hiring managers, an increase from 76 percent in 2017. Additionally, containers have been growing rapidly in popularity, with 57 percent of hiring managers seeking container expertise (a rise from 27 percent in 2017). Overall, we are now entering the scale of massive adoption across the business landscape, which drives the need for open source talent.

DevOps and Security Hiring

 

What are some steps companies and job candidates can take to benefit from this data?

Time to market is key. In the current business landscape, the speed of innovation has gone up dramatically with this new generation of open source tools. Companies need to recognize that they need in-house talent with the right set of expertise for their chosen toolset. Community-based technology fuels big structured and unstructured data. This also means innovative data-management and storage solutions. Both DevOps and SecOps must respond with an “open-source first” approach when it comes to deploying new software and security infrastructure. Almost any business that plans to survive wants motivated, creative people. They need a talent pool that’s more agile. They need the right mix of enterprise-grade folks who know what it takes to build enterprise-grade – secure, highly available, and robust applications. The newer generation of fast learners that can pick up the new toolset and drive innovation, with security, for business is in high demand.

How can people who are interested in a career in open source enter the field? 

Jump with both feet into the pool. There are tons of amazing technologies available in the market to choose from. Pick the technology area that’s most aligned with your interest. Study it inside and out and become an expert in the field. Participate in and contribute to free and open source software (aka FOSS). These projects can offer a variety of learning opportunities, and they can even help you start to build a portfolio of your work for prospective employers. Another strategy is to learn how to make the best use of today's powerful open source technologies. Most of these technologies are new (a handful of years old), so it depends on an individual’s attitude and aptitude to become the expert in the field, command top dollar from prospective employers for their talent, and deliver results.

Introduction of the Cavirin Connect Global Channel Partner Program

This week, we announced our new Cavirin Connect Program, empowering resellers, integrators, and MSSPs to offer the Cavirin CyberPosture Intelligence solution to customers worldwide, solving full spectrum hybrid cloud security challenges.

In the very competitive security market, the channel is looking for new ways to solve customer problems and differentiate themselves. The demand for a solution that provides controlled secure asset migration in complex hybrid cloud infrastructures represents just such a challenge and an opportunity.

Cavirin is ideal for this, as we have the perfect solution for organizations looking to maintain business continuity while moving critical assets in the cloud and in multi-faceted hybrid environments! Cavirin’s CyberPosture Intelligence solution, which includes a wizard-based, API-driven control plane, is simple to ingest by the channel. Cavirin Connect brings tremendous value to their customers while offering low cost of sale. Cavirin cloud security automation addresses that!

For MSSPs, the program aligns with evolving cloud service offerings and allows them to focus on hybrid cloud service delivery that has meaningful bottom-line impact most important to their consumers.

We help the channel better address C-level concerns of their customers too – security and visibility. Cavirin makes it simple for executives to understand their cloud security defensive posture, to understand potential risk, and to improve their stance against potential threats at low cost.

Unfortunately, organizations haven’t had access to a best-in-class solution like Cavirin that prevents data breaches by giving them unified control over all hybrid assets. It’s simply hard to control and protect what you can’t see! We deliver the visibility and control necessary to secure their entire hybrid cloud theater through our Cavirin Connect Channel Partners.

We’re in the business of making it easy to manage security in complex environments without having channel customers drive multiple silo viewing tools into their hybrid workloads. Cavirin’s atmospheric global control and visibility of the hybrid-cloud security plane allows our partners to deliver value highly sought after by today’s enterprise organizations.

Cavirin Connect equips our partners with the necessary technical and business acumen to enable them to deliver cutting-edge hybrid cloud security to their customers.

We also spent a great deal of time thinking about the onboarding and channel management process. In conjunction with the announcement, Cavirin’s partner management portal based on Allbound is now live, a one-stop shop for deal management, co-marketing, training, all with a goal of reducing the sales cycle and increasing the partner’s win rate. Key components of the program include tiered discounts and a 100% deal registration model to avoid channel conflict while increasing margins.

Inaugural members of the Cavirin Connect Partner Program include Astadia in the UK, Bodega Technologies, InterVision, Lite Distribution in Australia, Logicworks, Scalar in Canada, Titans Security in Israel, Veristor and others. Though less than 20% of our revenue today is via the channel, we intend for this to grow to 100% over time. Partner-driven lower-touch engagements will be the domain of our commercial team, while larger enterprises will follow a high-touch model, also driven through the channel.

Our promise is to deliver an unparalleled onboarding and ‘day-2’ experience that will generate value and cause partners to want to work with us…. a win-win for all involved.

Partnership, Protection, Profit with Technical and Business Superiority for our trusted Cavirin Connect Partners. This is Cavirin Connect.

Get information on Cavirin Connect.

Healthcare IT Blog Series - 6 of 6

(This is the sixth post in a blog series, Moving Healthcare to the Cloud. The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


In the last blog of our Moving Healthcare to the Cloud series, we discussed how organizations can operationalize security in order to ensure digital assets remain protected. This blog wraps up the series and examines different ways to measure the success of your efforts to move to the cloud and keep your data secure.  

We hope you have benefitted from our ‘Moving Healthcare to the Cloud’ series. Over the course of the first five blogs, we showed how to identify what steps to take in the cloud journey. It starts with focusing on the why—making the business case for moving to the cloud. We then delved into understanding which of your systems are ready for the journey and which are not.

From there, the series addressed how to assess the appropriate levels of risk for all the assets you are moving to the cloud to ensure confidentiality, integrity and availability. In our most recent blog, we demonstrated how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to breaches.

Some of the key takeaways from our series are the benefits of moving to the cloud, which go well beyond the cost savings. These include improved system and app availability, enhanced ability to manage risk, and increased ability to employ compensating controls and governance.

We also demonstrated how cloud environments are now just as safe—and likely even more safe—than on-premises environments. The key is to assess each of your systems and data sets to determine which ones you are comfortable with moving to the cloud, and which ones you prefer to keep on-site.

It’s then onto integrating your cloud environments with your systems that remain on-premises, and creating a security framework to protect all of your data as it travels across all of your environments. It’s all about implementing the necessary policies and controls, and then leveraging technology tools to control and manage the access of all your end user groups—including clinical staff, administrators, support staff, patients and your Business Associates.

With a plan and program in place, it’s now time to measure how well the policies, processes, and controls are working.

Metrics to Measure Success 

When it comes to measuring the success of moving a portion of your IT infrastructure to the cloud, here are the key metrics to research and analyze:

  • Availability—what percentage of the time can your end users access the applications they need to interact with each other and to do their jobs? Consider the level of availability for all your end-user groups—internal and external.
  • Reliability—if a system or application shuts down, how quickly can it be restored? Is all of the data recoverable? Be sure to test regularly so you know what to expect when a real disaster strikes.
  • Performance—is the throughput sufficient so end users do not get frustrated waiting for responses? For application usage to increase and generate business benefits, the user experience is critical.
  • Capacity—does the cloud environment easily and quickly scale up and down according to the demands on each of your applications?
  • Service—when technical support issues arise, do IT and end users have immediate access to help desk support? Are issues resolved promptly? When necessary, are issues escalated?
  • Cost—keep a close eye on server utilization and “zombie” servers spun up for a specific business purpose but no longer in use. You don’t want to be paying for cloud resources you don’t use.

All of the metrics above should be backed with a clear ‘Code of Ethics.’ The most important aspect of all when it comes to the cloud for the healthcare industry is to ensure data security. Identity management, privacy and access control should be monitored closely. It’s also important to consider how well your cloud environments conform to regulations. If you fail in the ethics arena, the fallout could be cataclysmic.

For specific metrics to determine how well you manage access and risk, as well as how secure and compliant your business is, there is a wide range of numbers to look at:

  • Number of security policy violations
  • Percentage of systems with formal risk assessments
  • Percentage of systems with tested security controls
  • Percentage of non-compliant, weak passwords
  • Number of identified risks and their severity
  • Percentage of systems with contingency plans
  • Number of successful and unsuccessful log-ins
  • How many viruses and spam attacks were blocked vs. how many got through
  • How many patches have been applied

For these numbers to be useful, you first need a baseline that examines where you stand today, perhaps recording the results over a three-month time period. You can then compare those baseline numbers to ensuing three-month time periods. The key is to move the needle in the right direction over time.
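As an added example (not code from the original post), here is one way to carry out the baseline-and-compare step described above: record the listed metrics for a baseline three-month period, record them again for the next period, and judge each one against its desired direction, since some of these numbers should go down (policy violations, weak passwords, failed logins) while others should go up (systems with tested controls, contingency plans). The metric names paraphrase the post's list, the desired direction of each is an assumption stated in the code, and all the numbers are constructed sample data.

```python
"""Baseline-versus-period comparison for the security and compliance metrics
listed in the post. Added example, not code from the original blog; the
metric names paraphrase the post's list and all numbers are constructed."""
from dataclasses import dataclass

# Desired direction per metric. Assumption: the obvious reading of each item,
# e.g. fewer policy violations is better, more systems with tested controls
# is better. "patches_applied" is treated as higher-is-better for the period.
HIGHER_IS_BETTER = {
    "policy_violations": False,
    "pct_systems_risk_assessed": True,
    "pct_systems_controls_tested": True,
    "pct_weak_passwords": False,
    "identified_high_severity_risks": False,
    "pct_systems_contingency_plan": True,
    "failed_logins": False,
    "malware_block_rate_pct": True,   # derived from blocked vs. got-through counts
    "patches_applied": True,
}

# Constructed sample data for two three-month periods (raw counters).
Q1_BASELINE = {
    "policy_violations": 42, "pct_systems_risk_assessed": 55.0,
    "pct_systems_controls_tested": 40.0, "pct_weak_passwords": 18.0,
    "identified_high_severity_risks": 7, "pct_systems_contingency_plan": 60.0,
    "failed_logins": 1300, "malware_blocked": 950, "malware_through": 50,
    "patches_applied": 120,
}
Q2_CURRENT = {
    "policy_violations": 31, "pct_systems_risk_assessed": 70.0,
    "pct_systems_controls_tested": 40.0, "pct_weak_passwords": 22.0,
    "identified_high_severity_risks": 5, "pct_systems_contingency_plan": 75.0,
    "failed_logins": 900, "malware_blocked": 1180, "malware_through": 20,
    "patches_applied": 150,
}


def derive_metrics(raw: dict) -> dict:
    """Turn raw counters into comparable metrics: the blocked-vs-got-through
    pair becomes one block-rate percentage, everything else passes through."""
    metrics = {k: v for k, v in raw.items()
               if k not in ("malware_blocked", "malware_through")}
    total = raw["malware_blocked"] + raw["malware_through"]
    metrics["malware_block_rate_pct"] = (
        100.0 * raw["malware_blocked"] / total if total else 100.0)
    return metrics


@dataclass(frozen=True)
class MetricDelta:
    name: str
    baseline: float
    current: float
    verdict: str  # "improved", "regressed" or "unchanged"


def compare_periods(baseline_raw: dict, current_raw: dict) -> list:
    """Score each metric's movement against its desired direction."""
    base, cur = derive_metrics(baseline_raw), derive_metrics(current_raw)
    deltas = []
    for name, higher_is_better in HIGHER_IS_BETTER.items():
        b, c = base[name], cur[name]
        if abs(c - b) < 1e-9:
            verdict = "unchanged"
        elif (c > b) == higher_is_better:
            verdict = "improved"
        else:
            verdict = "regressed"
        deltas.append(MetricDelta(name, b, c, verdict))
    return deltas


def summarize(deltas) -> dict:
    """Count how many metrics moved the right way, the wrong way, or not at all."""
    counts = {"improved": 0, "regressed": 0, "unchanged": 0}
    for d in deltas:
        counts[d.verdict] += 1
    return counts


def regressions(deltas) -> list:
    """Metrics that moved the wrong way; these are the follow-up items."""
    return [d.name for d in deltas if d.verdict == "regressed"]


if __name__ == "__main__":
    result = compare_periods(Q1_BASELINE, Q2_CURRENT)
    for d in result:
        print(f"{d.name:32} {d.baseline:>8.1f} -> {d.current:>8.1f}  {d.verdict}")
    print(summarize(result), "regressions:", regressions(result))
```

The point of encoding the desired direction next to each metric is that a dashboard which simply shows "up" or "down" arrows hides whether the change was good; with the direction recorded, the weak-password percentage creeping up in the constructed data is flagged as the one regression to chase even though every other number moved the right way.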

Increase Value Over Time

As you measure the success of your cloud migrations, strive to improve your metrics in each of the areas listed above so that the value of your cloud environment increases over time. As cloud technologies continue to evolve, you will also want to evaluate how your organization’s use of the cloud should change.

The things you can do today will likely pale in comparison to what you can do tomorrow!

Be sure to check out all of the blogs in our ‘Moving Healthcare to the Cloud’ series. And for more information on migrating your IT infrastructure to the cloud and how to secure your cloud environment.

Read about how Cavirin can protect your ePHI.

Healthcare IT Blog Series - 5 of 6

(This is the fifth post in a blog series, Moving Healthcare to the Cloud. The complete series is now available: Introduction - The Move to the Cloud - Defining the Cloud Project - Managing Risk When Moving to the Cloud - Operationalizing Security in the Cloud - Measuring Success in the Cloud)


In the last blog of our ‘Moving Healthcare to the Cloud’ series, we presented how organizations can assess, manage and reduce the risk of security attacks. In this blog, we discuss how to operationalize security in order to ensure digital assets remain protected.  

After migrating IT systems to the cloud, integrating your cloud environment with on-premises systems, and assessing your security risks, the next step is to operationalize your on-going security program. By following the best practices presented in our previous blogs, you should already have the framework for a robust system in place.

The program should include a consistent security policy to help you determine everything you need related to protection, audits and remediation. A robust policy serves as a bedrock for establishing a strong security posture and helps you make sure you can answer all the key questions as you delve deeply into the details. Here’s just one example of the many scenarios you will need to consider:

  • How long can patient records be stored on-premises?
  • Does the length of time for storage change if you move records to the cloud?
  • Are there privacy and regulatory issues to be concerned about in one cloud platform versus another?

As this example illustrates, security and compliance become more complex when you move part of your IT infrastructure to the cloud and integrate it with on-premises systems and other cloud environments. But with a proper robust framework in place, you can make sure you ask all the right questions so that the answers identify any security policies and controls you need to change.

Security Lifecycle Management Maintains Security Posture

Operationalizing security involves establishing a lifecycle management program in order to maintain the security posture of your cloud and on-premises infrastructure—from conception to the retirement of various components through all the stages of deployment, integration and support. Tools, applications, operating software and even the hardware appliances will likely go through upgrades and then eventually be replaced by new technologies.

Other components, such as policies and controls, will also go through revisions as business, IT and data conditions change. Here’s a rundown of the key components to manage: 

  • Security Policies—document system constraints that determine the data that the internal staff, patients, Business Associates and other end users can access. The policy should answer the basic questions, “Which groups of end users can do what on each system, and which data sets can they access?” Access can also be defined by time, physical position within the facility, and geo-location if the users are operating remotely.
  • Security Controls—apply documented processes and countermeasures, such as firewalls, to prevent as well as detect and mitigate security risks to your data and digital assets. The controls should safeguard sensitive information and prevent unauthorized system usage. The controls need to match your policies and must be monitored to ensure proper enforcement. Misconfigured or unattended controls could result in an increase in exposure, oftentimes increasing the risk with a false sense of security.
  • Application Development Security Framework—it’s just as important to protect your application development and staging environments as it is to protect your production environment. These environments are also subject to cyberattacks and thus need the same level of defense and monitoring.
  • Compliance Auditing—involves a comprehensive review of your adherence to regulatory guidelines, such as HIPAA. While internal audits should occur on a regular basis, regulatory bodies will require you to hire independent consultants to validate your compliance preparations and assessments.
  • Security Monitoring and Response Tools—there’s a wide range of tools to choose from for both security risk monitoring and response, and it’s important to rely on multiple, integrated tools so that you can put attacks into context. You need to make sure you focus on those presenting the highest risk and avoid working on any false positives.
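The Security Policies item above frames the policy as "which groups of end users can do what on each system, and which data sets can they access", optionally limited by time and by location. As an added example (not code from the original post or from Cavirin's product), the block below encodes such a policy as a table of rules and evaluates access requests against it with default deny, so that anything not explicitly granted is refused and the reason for a denial is recorded for the violation counts the series tracks. The roles, systems, data sets, time windows and locations are constructed for illustration; a real policy would be derived from your own regulatory and business requirements.

```python
"""Default-deny access policy check of the kind the post describes: which
role may do what on which system and data set, optionally limited by time of
day and by location. Added example, not code from the original post; the
roles, systems, data sets and rules are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    role: str
    system: str
    datasets: FrozenSet[str]
    actions: FrozenSet[str]
    hours: Optional[Tuple[time, time]] = None   # local-time window; None = any time
    locations: Optional[FrozenSet[str]] = None  # None = any location


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    system: str
    dataset: str
    action: str
    at: datetime
    location: str


# Constructed policy. Clinicians get full access on-site at any hour (patient
# care does not keep office hours) and read-only remote access during the day;
# billing staff and a Business Associate get narrower, daytime-only grants.
POLICY = [
    Rule("clinician", "ehr", frozenset({"patient_records", "lab_results"}),
         frozenset({"read", "write"}), locations=frozenset({"hospital", "clinic"})),
    Rule("clinician", "ehr", frozenset({"patient_records"}), frozenset({"read"}),
         hours=(time(7), time(22)), locations=frozenset({"remote"})),
    Rule("billing", "billing", frozenset({"claims"}), frozenset({"read", "write"}),
         hours=(time(8), time(18)), locations=frozenset({"hospital"})),
    Rule("business_associate", "ehr", frozenset({"lab_results"}), frozenset({"read"}),
         hours=(time(8), time(18))),
]

# Constraints in the order they are checked; a denial reports the constraint
# that stopped the rule which got furthest, which is the most useful reason.
ORDER = ("role/system", "dataset", "action", "location", "hours")


def _first_failure(rule: Rule, req: Request) -> Optional[str]:
    """Return the first constraint of `rule` that `req` fails, or None if it passes."""
    if rule.role != req.role or rule.system != req.system:
        return "role/system"
    if req.dataset not in rule.datasets:
        return "dataset"
    if req.action not in rule.actions:
        return "action"
    if rule.locations is not None and req.location not in rule.locations:
        return "location"
    if rule.hours is not None and not (rule.hours[0] <= req.at.time() < rule.hours[1]):
        return "hours"
    return None


def evaluate(req: Request, policy=POLICY) -> Tuple[str, str]:
    """Default deny: allow only when some rule passes every check."""
    furthest = -1
    for rule in policy:
        failure = _first_failure(rule, req)
        if failure is None:
            return "allow", f"rule for {rule.role} on {rule.system}"
        furthest = max(furthest, ORDER.index(failure))
    if furthest <= 0:
        return "deny", "no rule for role/system"
    return "deny", f"blocked by {ORDER[furthest]}"


def audit(requests, policy=POLICY) -> list:
    """Decide a batch of requests as (user, decision, reason) tuples."""
    return [(r.user, *evaluate(r, policy)) for r in requests]


def violations(results) -> int:
    """Denied requests feed the 'number of security policy violations' metric."""
    return sum(1 for _, decision, _ in results if decision == "deny")


# Constructed sample requests (all times local, 2018-06-04).
SAMPLE_REQUESTS = [
    Request("dr_lee", "clinician", "ehr", "patient_records", "write", datetime(2018, 6, 4, 3, 0), "hospital"),
    Request("dr_lee", "clinician", "ehr", "patient_records", "write", datetime(2018, 6, 4, 10, 0), "remote"),
    Request("dr_lee", "clinician", "ehr", "patient_records", "read", datetime(2018, 6, 4, 23, 30), "remote"),
    Request("dr_lee", "clinician", "ehr", "patient_records", "read", datetime(2018, 6, 4, 10, 0), "remote"),
    Request("pat_b", "billing", "billing", "claims", "read", datetime(2018, 6, 4, 9, 0), "hospital"),
    Request("pat_b", "billing", "ehr", "patient_records", "read", datetime(2018, 6, 4, 9, 0), "hospital"),
    Request("lab_co", "business_associate", "ehr", "lab_results", "read", datetime(2018, 6, 4, 9, 0), "remote"),
]

if __name__ == "__main__":
    for user, decision, reason in audit(SAMPLE_REQUESTS):
        print(f"{user:8} {decision:5} {reason}")
```

Two design choices matter here. Default deny means a new system or data set is inaccessible until someone writes a rule for it, which is the failure mode you want when a policy is incomplete. Recording the constraint that blocked the closest rule (a remote write attempt at 10:00 is "blocked by location", a remote read at 23:30 is "blocked by hours") turns each denial into an explainable policy-violation record rather than an opaque refusal, which is what the monitoring and compliance-auditing items in the same list need.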

As you formulate your policies, controls and tools, the data access given to various end users will need to vary before, during and after a security breach. As data sets grow bigger, as compliance laws evolve, and as end users become more educated and empowered, the need to adhere to mandates is just one of several reasons to keep ahead of any regulation.

Ongoing monitoring to uncover policy violations and to determine if there are corrective actions to be taken is critical. But monitoring under steady state conditions (where no active response is needed) is also vital. It allows you to establish an “All Clear” baseline against which deviations can be realized.

Also a Competitive Differentiator

In addition to protecting your digital assets, maintaining a strong security posture and staying ahead of compliance regulations (even before the deadline) can be used as competitive differentiators. If your patients see evidence that your organization is proactively addressing security issues, the more likely they will want to be treated by your doctors and nurses. Likewise, your Business Associates will more likely want to do business with you.

The falsehood that advertising your security policies will result in a hacker attack is not a reason to avoid raising security awareness. In fact, promoting your security efforts will stimulate laggards to get moving, which will benefit the entire healthcare industry!

In our next ‘Moving Healthcare to the Cloud’ blog, we will wrap up the series by discussing how to measure the success of your efforts in establishing a strong security posture.

Read about how Cavirin can protect your ePHI.

© 2018 Cavirin Systems, Inc. All rights reserved.