SMB CEO — What Your IT Manager isn’t Telling You…
The first thing they need to tell you is to STOP USING THAT SAME PASSWORD FOR EVERYTHING!
Two, he or she needs to be honest. They don’t have time. Forty hours a week to monitor all of this? Plus everything else?
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
IT needs to be direct: their 40 hours, whether 8 hours per day or two 4-hour shifts (ten 4-hour shifts per week), is not enough time to handle all IT-related tasks. Example: patching all your servers and endpoints as required by your cyber insurance, combined with remediation, would take about 40 hours per week.
Btw, who am I, the writer? My name is Steven Palange. I work for The Soveraign Group, the parent company of Soveraign Solutions, a SOC, MSSP, and MSP that specializes in security subscription license management and professional services. I also work for Soveraign Partners, which specializes in compliance consulting for SOC 1, SOC 2, CMMC, GLB, HIPAA, CIS Controls, and Benchmark accreditations, certifications, and audits. I also spend time working with Soveraign.Cloud, a single pane of glass for all your data compliance needs, including CA, EUR, etc… As a consultant for each, my job is client, partner, and project manager. My 40 hours a week are broken up into five days of two 4-hour “shifts”. For each shift, I review prior discovery and then formulate more questions for the two new clients in that “shift”.
Four to eight major meetings, M-F, 8–4 pm EST, talking about one of the CIS Controls above, is how I spend most of my day: two client meetings in the morning and two in the afternoon, plus one partner meeting or webinar per day.
And 90% of almost every one of these meetings concerns ransomware, BEC, and malware in general. I meet and speak with 25 CEOs, CIOs, IT managers, CPAs, lawyers, and network administrators per week.
I have almost 100 conversations per month about how to get every one of the 12 layers in your security stack “hardened” against threats. “Defense in Depth!”
- Only Courage and Respect will earn you your CXO’s Respect.
- Value — with that courage to lead, you must also offer value.
And that will start with being truthful with them and telling them that their entire home networks are wide open to you and your IT team. That is a major, unacceptable risk: not only does the network administrator have access to the kingdom’s keys, but any compromise of an IT manager can mean both business and personal ruin. If they hack your company and you’re a CXO, they’re coming after you next!
All your CXOs need to have their personal PCs, networks, endpoints, etc. protected by an outside source, an MSSP that provides personal security services.
(Soveraign.Solutions and Soveraign.Cloud both provide VIP MSSP solutions and services for CXOs, VIPs, and HNWs. Soveraign.Partners can consult with you on a custom security cloud solution that fits the risk to your personal data. Partners use NIST and CIS-18 Controls and can meet any and all compliance needs. All compliance solutions and microservices are provided by Soveraign.Cloud, “Your own personal Security Skynet”.)
Here’s a test for you and your CXO (that means you, Howard, CFO of a major REIT and client of ours). If your CXOs are all using one username and password for most of their logins, you are first in line for every bot, phish, malware attack, and more. They are your weakest link, and when combined with IT who won’t or can’t make them change, these are the companies that will fall first. Nation-state predators will target weak management first and then companies with weak security prevention partners, both internal and external.
Security is a Mindset — They need to tell their CXOs the facts, boldly and with metrics, and make the VIPs, those with the most to lose from a breach, hack, etc., understand that we’re in a data war.
Cold War Data Wars
My job is to inform, educate, clarify, and provide a story and context for why this application or later upgrade to one of their 24 different security stack layers is worth inviting the wrath of the CFO (who is doing his or her job by demanding data and justification for this “unaffordable” expense).
You welcome learning and growing in your profession and expertise, but no one from IT wants more work. In fact, tell them the truth and tell them you need help.
- Outsource IT — you can’t do it alone.
- In-house expertise — outsource the mundane tasks, automate everything, but most of all, in-house IT “must” start seeing their suppliers as a more strategic cyber security relationship. If they don’t offer security expertise, they don’t belong on your team.
CXO: “strength in numbers and defense in depth”. If you have an IT staff of five, you have an internal SOC team of five: five non-security professionals who all quickly learn each other's skill sets and then reach their internal protection level, a level quickly and easily penetrated by all 15 nation-state gangs, including North Korea, Russia, China, Iran, and Israel. (Cobalt Strike and Pegasus, two tools btw, are illegal for legal red and blue teams to use even for penetration testing, yet they are being actively used, modified, and “automated” by “benevolent” nation-states like North Korea to make sure all your endpoints are malware-free! ;)
- To be continued… please like to make sure you get more things your IT Manager isn’t telling you.
Steven Palange, The Soveraign Group, steven_palange@tlic.com