Steven Palange
Jun 5, 2022


SMB CEO — What Your IT Manager isn’t Telling You…

The first thing they need to tell you is to STOP USING THAT SAME PASSWORD FOR EVERYTHING!

Two, he or she needs to be honest: they don’t have time. Forty hours a week to monitor all of this? Plus everything else?

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skills Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing

IT needs to be direct that their 40 hours (8 hours per day, or two 4-hour shifts; ten 4-hour shifts per week) is not enough time to handle all IT-related tasks. Example: patching all your servers and endpoints as required by your cyber insurance takes about 40 hours per week when combined with remediation.

Btw, who am I, the writer? My name is Steven Palange. I work for The Soveraign Group, the parent company of Soveraign Solutions, a SOC, MSSP, and MSP that specializes in security subscription license management and professional services. I also work for Soveraign Partners, which specializes in compliance consulting for SOC 1, SOC 2, CMMC, GLB, HIPAA, CIS Controls, and Benchmark accreditations, certifications, and audits. I also spend time working with Soveraign.Cloud, a single pane of glass for all your data compliance needs, including CA, EUR, etc… As a consultant for each, my job is client, partner, and project manager. My 40 hours a week are broken up into five days of two 4-hour “shifts”. For each shift, I review prior Discovery and then formulate more questions for that “shift’s” two new clients.

Four to eight major meetings, M–F 8–4 pm EST, talking about one of the CIS Controls above is how I spend most of my day: two client meetings in the a.m. and two in the p.m., plus one partner meeting or webinar per day.

And 90% of almost every one of these meetings concerns ransomware, BEC, and malware in general. I meet and speak with 25 CEOs, CIOs, IT managers, CPAs, lawyers, and network administrators per week.

I have almost 100 conversations per month about how to keep every one of the 12 layers in your security stack “hardened” against threats. “Defense in Depth!”

  1. Only Courage and Respect will earn you your CXO’s respect.
  2. Value — along with the Courage to Lead, you must offer Value.

And that will start with being truthful with them and telling them that their entire home networks are wide open to you and your IT team. That is a major, unacceptable risk: the network administrator not only holds the keys to the kingdom, but any compromise of an IT Manager can mean both business and personal ruin. If they hack your company, and you’re a CXO, they’re coming after you next!

All of your CXOs need to have their personal PCs, networks, endpoints, etc. protected by an outside source: an MSSP that provides personal security services.

(Soveraign.Solutions and Soveraign.Cloud both provide VIP MSSP solutions and services for CXOs, VIPs, and HNWIs. Soveraign.Partners can consult with you on a custom security cloud solution that fits the risk to your personal data. Partners use NIST and the CIS-18 Controls, and can meet any and all compliance needs. All compliance solutions and microservices are provided by Soveraign.Cloud, “Your own personal Security Skynet”.)

Here’s a test for you and your CXO (that means you, Howard! CFO of a major REIT and a client of ours). If your CXOs are all using one username and password for most of their logins, you are first in line for every bot, phish, malware attack, and more. They are your weakest link, and when combined with IT who won’t or can’t make them change, these are the companies that will fall first. Nation-state predators will target weak management first, and then companies with weak security prevention partners, both internal and external.

Security is a Mindset — IT needs to tell their CXOs the facts, boldly, and using metrics. And they need the VIPs, those with the most to lose from a breach, hack, etc., to understand that we’re in a data war.

Cold War Data Wars

My job is to inform, educate, clarify, and provide a story context for why this application-layer upgrade for one of their 24 different security stack layers is worth inviting the wrath of the CFO (doing his or her job) by demanding data and justification for this “unaffordable” expense.

You welcome learning and growing in your profession and expertise, but no one in IT wants more work. In fact, tell them the truth and tell them you need help.

  1. Outsource IT — You Can’t Do It Alone.
  2. In-House Expertise — outsource the mundane tasks, automate everything, but most of all, in-house IT “must” start seeing their suppliers as a more strategic cyber security relationship. If they don’t offer security expertise, they don’t belong on your Team.

CXO, “strength in numbers and defense in depth”. If you have an IT staff of five, you have an internal SOC Team of five: five non-security professionals who quickly learn each other’s skill sets and then reach their internal protection ceiling. A level quickly and easily penetrated by all 15 NationState gangs, including North Korea, Russia, China, Iran, and Israel. (Cobalt Strike and Pegasus, two tools that, btw, are illegal for legitimate Red and Blue Teams to use even for Penetration Testing, are being actively used, modified, and “automated” by “benevolent” NationStates like North Korea to make sure all your endpoints are malware-free! ;)

To be continued… please like to make sure you get more things your IT Manager isn’t telling you.

Steven Palange, The Soveraign Group, steven_palange@tlic.com


Steven Palange

Writer, Blogger, CEO, Evangelist, Speaker, Investor, Bibliophile, Student, Teacher and Father.