Prepare Your Clients for the Rising Risks of Cyber Threats
Nowadays, more often than not, I’m hearing about yet another company that has been a target of a cyber attack. With companies worldwide migrating to the digital space to offer better value to their customers whilst achieving business efficiencies, it is no surprise that criminals are now also shifting their efforts over to the digital space.
As an IT training/consulting company, are your clients struggling with their cyber risk capabilities? We had a chance to interview Mark Bernard, a security transformation expert and lead author of the NIST CyberSecurity Foundation course, to talk about the importance of cybersecurity training and the key benefits for IT training and consulting organizations.
Who is Mark Bernard?
Mark Bernard has 25 years of experience in IT, specializing in information security and privacy. He is the lead author of the NIST CyberSecurity Foundation course. His skillset includes advanced programming and advanced network and systems engineering, among others.
He has worked for the likes of IBM, has participated in red teams and is well versed in penetration testing, hacking and working with cloud computing service providers.
What is Cybersecurity?
Cybersecurity is all about protecting information and data that flows between organizations and facilities, whether on the internet or in the cloud. Cybersecurity provides assurance for the three principles of information security: confidentiality, integrity, and availability.
Confidentiality means that only the right people have access to the information. Protecting confidentiality is about defending against unauthorized disclosure.
Integrity is also very important. People should get accurate information for the purpose they need that information for. It should be information that has not been interfered with or tampered with. Several types of techniques are used to assure and validate the integrity of that information.
What good is information if you do not have access to it? Many organizations depend on information to conduct their business or their activities. It could be the military, a bank or a life and death situation in a health organization where access to information is needed.
These three principles are the foundation of information security and cybersecurity.
Cybersecurity vs. Information Security
Cybersecurity is about protecting information as it flows between facilities across the public network. In order to make this happen, each of those organizations has to have adopted an information security program and the principles of that program, to make sure that cybersecurity can be executed consistently and produce consistent results.
How does Cybersecurity affect Big Data, Cloud Computing and the Internet of Things?
Cloud computing is all about using the internet and multiple locations to process, store and collect information. All of those processes rely on the internet and so anything that flows across the internet has to be protected and that’s what cybersecurity helps to accomplish.
Data is collected from multiple points and is then archived and processed in multiple locations. It’s all about crunching big information and grabbing analytical knowledge and wisdom from that information to apply for business purposes.
Cybersecurity provides assurance again through the three principles: confidentiality, integrity, and availability. It ensures that the information is of the highest quality, that it remains confidential and is only used for the purposes that it is collected for.
The Internet of Things
There are millions of devices around the planet that communicate across the internet to different locations. Cybersecurity helps to provide assurance and helps those devices continue to function as they are intended so that consumers and governments can gather the information that they need and process it. Emergency workers such as paramedics, hospitals, law enforcement and firemen use these devices to communicate and share knowledge.
Cybersecurity really helps industries and protects organizations to ensure that they continue to function normally and hopefully even more effectively as we continue to leverage the internet, grow it and expand it across the planet.
How will training affect our cybersecurity? What’s the value there to us?
Training is designed to share knowledge. The NIST CyberSecurity Foundation course is designed just for that. We take some of the best knowledge that is available, created and refined by thousands of professionals from around the planet, and we pull it all together to make this course the best.
The NIST CyberSecurity Foundation course trains people by blending technical skills with soft skills. The programmer and the program manager for information security within their respective industry or organization need to pick up a certain amount of soft skills in order to direct the technical skills. This foundation course helps them lay down the groundwork for the program so that they know how to leverage that information to highlight what resources are needed, when they are needed, how they should be deployed and where to access them from.
This is the foundation that we lay down to help expand security programs and cybersecurity frameworks for each organization. Training is a way in which we can provide assurance that we are sharing that information consistently across the board. So organizations which have to comply with the NIST cybersecurity framework will automatically learn about the tools and techniques that can be used to design their programs.
Thousands of professionals around the globe have contributed to this knowledge. They have helped refine it over decades, and this information is now being pulled together under the NIST CyberSecurity Foundation course so that others may benefit from it. Many people have been working in different aspects of security, but only a few organizations have had enterprise-wide programs. The NIST CyberSecurity Foundation course will help organizations design and deploy those programs. It will help expand on what has already been invested in by executives and boards of directors to ensure that cybersecurity is firmly addressed.
You also find hundreds of thousands of professionals who do not understand what cybersecurity is to begin with and are not equipped with the capability to use this knowledge in a meaningful way. So rather than spending years ramping up and learning about the different aspects, I worked together with ITpreneurs to refine the process. We’ve taken the pieces of information and knowledge that are the most relevant and most important to the NIST framework and put them together to form this two-day course. This is going to help people get up to speed quickly, help their organizations and protect them.
Which industries and organizations are going to be more receptive to learning about the NIST CyberSecurity Foundation course?
Any organization that relies on the open public network or shares information between facilities should be concerned. In particular, the industries that are part of the critical infrastructure (President Obama has identified sixteen different industries, which pretty much covers all organizations within the economy, including finance, military, health services and hydroelectric) are all included in there. Everything somehow touches cybersecurity.
The organizations that are going to be most affected, of course, are those that have the most potential impact on life in general. So the food chain, health authorities and probably hydroelectric, since a lot of medical facilities depend on electricity. There is also the energy sector, so oil, fuel and natural gas fall under this category too. Those industries that help to power the economy and make it function properly should be the most concerned.
Some industries have already started to develop their own standards, such as NERC CIP for the hydroelectric organizations. The NIST CyberSecurity Foundation course is going to complement those standards because there are some gaps with the management systems that touch on governance and risk management. Soft skills need to be firmed up and formalized so that they can be consistent and reproducible, to create some level of assurance for executives and boards of directors within the organizations.
What are some of the most important factors of the NIST CyberSecurity Foundation course?
I am the lead author of the NIST CyberSecurity Foundation course that we developed in cooperation with ITpreneurs. I have based it on my experience in developing and implementing information security programs which means that this course is designed specifically to be nondisruptive. We understand the types of situations that can create disruption and we understand that the value of cybersecurity and information security generally can be beneficial and can be seen as an enabler to an organization to produce better value for its customers. This is unlike when customers had their sensitive information breached in 2014 and in the years before that. Customers do not want their information exposed and neither do organizations. So this type of training provides assurance that such things do not happen.
Another benefit is reproducible security and consistent outcomes. Organizations can improve the efficiency and effectiveness of the mechanisms used to protect information. Once again the three principles, confidentiality, integrity and availability, come into play. They assure us that when information flows from site to site, is processed in the cloud, or comes from big data or the internet of things, it’s the same exact data that you requested, it hasn’t been tampered with or sniffed by some cyber criminal, it remains protected and it is available when you need it.
There are many benefits in having a consistent approach:
- reducing gaps,
- reducing vulnerabilities,
- protecting the reputation of the organization,
- reducing the chance of a breach, and
- reducing unplanned expenses.
Breaches cost millions of dollars and usually there is no budget to cope with such incidents. So this type of program gives assurance that the cybersecurity framework is actually effective and operating as intended.
The NIST organization (National Institute of Standards and Technology) is a branch of the US Federal Government and its mandate is to design IT standards, not just security standards but all IT standards that could be used by the government for its processes. We know that in IT, standardization is essential to control costs. Customization, on the other hand, drives up costs and inherently can produce unplanned results which could lead to breaches or interruptions in services. NIST is the kind of organization that provides assurance that such incidents don’t occur.
The NIST framework was created in two stages: the first stage in 2013 and the second one in 2014, and we expect to see more changes. In the meantime we have witnessed a number of statutes being created. There has been a revision of the Federal Information Security Management Act. But other acts have also been created or enhanced:
- Cyber Workforce Assessment Act,
- National Cybersecurity Act,
- Cybersecurity Enhancement Act and
- Homeland Security Workforce Assessment Act, effective in cybersecurity.
Legislation and compliance will be a requirement in the near future for many organizations, especially if they work with the federal government in the United States. So it will be important for these organizations to adapt cybersecurity frameworks that will work for them.
Prepare your clients for the ever-increasing cyber threats with the NIST CyberSecurity Foundation course.