Withum · Cybersecurity – from data breaches, to system hacking to identity theft, securing your systems is of critical importance


TABLE OF EXPERTS: CYBERSECURITY ADVERTISING SUPPLEMENT (Boston Business Journal, October 27, 2017, pages 16-19)

Cybersecurity – from data breaches, to system hacking to identity theft, securing your systems is of critical importance to business. Having best practices and the right partners to help you meet your security goals is essential. The Boston Business Journal sat down with four providers of cybersecurity services for a conversation on key areas of importance and investment when it comes to protecting your business.

Boston Business Journal: Our topic is cybersecurity — a topic of critical importance. Almost every day you hear about a breach of some type occurring and impacting business. When prioritizing cybersecurity issues, what is the most important: prevention or the response to a breach?

Robert Hill: It’s an interesting question because we immediately want to think prevention. But what we have learned is that prevention eventually fails. We’ve seen that with the recent breaches. And we’ve realized that we are judged on our response. You’re judged by regulators, you’re judged by auditors, you’re judged by shareholders and ultimately, you’re judged by your customers on how you respond to that breach. And today it is not so much an if, it’s a when. It is something that you have already understood the what, the where, the why and the who in that response. It is imperative that companies begin to recognize that the response is how they are being judged in today’s cybersecurity world.

BBJ: Great point. Frank?

Frank Andrus: I think with large companies and even with small companies it starts a little bit before that. They have to actually understand what they have and why they have it and why it’s being used. And then they want to try to prevent and protect that business model. And then of course you want to be able to respond to any type of incidents that happen. Because I agree there’s going to be a breach that’s going to happen. It’s just a matter of when. And how you respond and react should fit back into that model.

Lisa Parcella: I agree. I think that prevention is certainly part of the puzzle. I echo the sentiments that have been discussed; you also need to understand that attackers are at the ready to find the weaknesses in all of your systems and vulnerabilities. Understanding the level of risk that you’re willing to take on and accept, having an incident response plan in relation to that, and then understanding exactly what your posture’s going to be and how you’re going to present the issue and then respond to it in a manner that’s, you know, responsible and takes into account all of the factors that you have to protect. In the event of a breach, all the data and the folks who are impacted, do you know how you are going to make right what’s happened?

BBJ: Anurag, from your perspective?

Anurag Sharma: I’ll take an auditor’s take on this topic. What we find is organizations have invested a lot of money in protection technologies because that is the first thing to do. Where the biggest gap lies today is on the response and recovery piece and the protection piece. There are industry studies that have shown that the average number of days it takes for an organization to detect that they have been breached is 200 days. They have been breached and for six months they don’t even know that they were breached. Take the example of Equifax. You can’t have a bigger security budget than an organization like Equifax. But even for them detection was such a big challenge. And then comes the response. That’s where most of the organizations fail because one, they don’t accept the fact that it can happen to them. Which is a universal fact now. You just assume that you will be breached and then think of the various types of scenarios and come up with how your response would be in each one. Make sure that your core response team knows what to do when this happens so that you can come out of it strong and not make a mess of the whole thing.

RH: To expand on what he was saying, with that statistic of 200 days; we have seen less than a ten day decrease from 2016 to 2017. After it’s detected, six months, it’s another two months to contain. And that’s where that response plan is failing. We don’t have a plan how we will contain and how we will move the business forward once we’ve detected that threat.

FA: I think a lot of this comes down to money and budget. A lot of companies just want to check a box. So they move to prevention first so that they can pass some sort of an audit based on compliance or whatever it may be. So they’ve checked that box and then they think they’re done. And then once a breach happens — which we all know that a breach will happen — they don’t have the response process in place. They really don’t understand what they were trying to protect and they may not be protecting everything. What they need to realize is if they spend the money up front on a true roadmap of how to do this it will be a lot cheaper than what Equifax is going through right now.

AS: One of the challenges that we have seen when we speak to the CEOs and the CFOs is a lot of times the whole aspect of protection is driven by the IT team and security team. The response has an element of IT in it but then it requires legal, it requires a PR team to be involved, it requires interaction with government agencies and that’s when it becomes a little more complex, and that is why we see organizations struggling to get that piece in shape. Currently it does not spread out across different departments.

LP: I think that’s right. I think what you find is that there are different pockets of folks. The development team develops the application, the testers test the application. If there’s an incident response the risk team comes in. At a global level again, instead of checking the box, organizations really need to make security a priority that trickles down throughout the entire organization. Whether that’s training for developers, for end users, response plans, making sure that it’s an integrated and holistic approach so that there aren’t these silos working independently to try to solve different parts of the problem that clearly you can see break down once a problem is exposed.

BBJ: From each of your perspectives, how can organizations go beyond that and assess their cyber readiness and their resilience to an attack? What are some of the things they can and should be doing?

LP: I think it can start with something as simple as a change management strategy. People, process, technology. Training people. Making sure they understand their role in cybersecurity at the organization no matter the level. Figuring out what can be measured to make sure that the processes that we’re implementing and the training that we’re taking is working. Is it a reduced number of vulnerabilities? Reduced false positives? If there are phishing emails, are they getting reported to the IT teams? Look at it holistically and try to understand people, process, technology, how is everything working together to keep our organizations safe.

RH: I think she’s correct. One of the things that we see in the industry now is that there’s a false sense that security equals spend, or the amount you spend equals security within cybersecurity. And that’s false. That relationship is not there. We find that most organizations have an average of 17 tools within their cybersecurity department. I’ve seen them have as many as 34 different tools. They are spending this year alone $90 billion dollars in cybersecurity but we’re still failing.

BBJ: Is there a right amount of tools they should have?

RH: It’s not the right amount. It’s how those are applied. And I think that’s where a maturity model comes in. You have to understand what they’re trying to protect, and then set a maturity baseline. Once you understand where the gaps are and you understand what they’re doing or what they’re not doing you can then build a tactical roadmap. Instead of reacting to a threat or reacting to a breach you are proactively putting policies and strategies in place.

AS: I would like to answer this question in two parts. One is what we have seen so far and the second is where do we see it going forward in the next five to ten years. Historically what we have seen is you have a bunch of frameworks depending on which industry you are in. You can scale it up and down very easily depending on your practices. And it addresses not just the technical aspects of your cyber risk but also the response piece. It is a holistic framework and we’ve seen the adoption of that across the industry. The biggest challenge is getting all the parts of the business to understand the issues. Cybersecurity is no longer a technical risk. It’s a business risk. It’s one of the biggest operational and business risks that an organization is facing.

AS: So there is this gap where it’s very difficult for you to communicate these risks from the server room to the board room. Let me give you a quick background. You’re an organization. You need to come up with a financial statement. What do you do? You get an auditor. You have an accounting team. They do all the math. But you need an independent person to come in and say yes, your numbers look good. Then come up with a similar standard for cybersecurity. Go into an organization. Look at their existing cybersecurity practices and issue an opinion. Are you doing what you are claiming, what you say you’re doing, and then issue an opinion. Now the CEO and CFO get to see another report which helps them understand where their organization stands as far as their cybersecurity is concerned. I think this is where the future will be. Because who’s interested in knowing that? The board of directors, the CFO, the bankers who are going to loan money for your business. They want to come up with an easy way where they can look at something and say, all right, you’re good to go. Investors will be interested if you’re undergoing a merger or acquisition — you want to know how good their cybersecurity practices are.

FRANK ANDRUS, Chief Technology Officer, Bradford Networks

As Chief Technology Officer at Bradford Networks, Frank oversees all strategic technology functions, which includes evolution of the current product line, new product and services development and setting the future corporate R&D strategy. Frank has over 20 years of experience in developing software solutions for enterprise and telecommunication network management applications. Frank’s professional background includes assignments as a Senior Architect at Aprisma Management Technologies, where he designed and developed large-scale systems delivering advanced management services for multi-vendor networks. He also held senior engineering positions at Cabletron Systems and delivered secure, highly available, network management solutions including patented automated device discovery methodologies.

ROBERT HILL, Sr Consulting Security Engineer, RoundTower Technologies, Inc.

Robert Hill has more than 25 years of operations and security experience in IT, with specific competencies in the healthcare and financial services industries, having served at Dell, Inc., Blue Cross Blue Shield and Wachovia Securities. He holds a CISSP security certification and a BS in Biomedical Engineering from the University of Alabama. He is well versed in Six Sigma and ITIL V3 Processes, Agile, Spiral, Waterfall and other development methodologies. Robert is passionate about driving positive, measurable business outcomes through transformational technologies. He is a service-oriented leader, critical thinker, and creative problem solver who develops tailored solutions to address his clients’ most pressing technology needs. His areas of proven expertise include security, service delivery transitions, data center migrations, sourcing transformation, disaster recovery / business continuity, and applications portfolio optimization. Robert presently resides in Birmingham, Alabama where he spends his spare time designing and building custom cars, which have been showcased in leading industry magazines. Robert has been recognized by the Department of Homeland Security for efforts as a first responder and disaster relief coordinator with ACTS, ADS, ADRA International, and other humanitarian relief organizations. Nonetheless, he is most proud of his role as a single parent.

LISA PARCELLA, VP of Product Management, Security Innovation

With a background in product management, security awareness, marketing communications, and academia, Lisa leverages her vast experience to design and deliver comprehensive security-focused products and educational solutions for the company’s diverse client base. Lisa’s primary role at Security Innovation is to work with customers, prospects and industry experts to ensure we are creating innovative and holistic products and programs that address the various needs of today’s global workforce. Lisa spearheaded the company’s Security Awareness 365 program, an innovative mix of computer-based training, multimedia assets and programmatic tools that helped place Security Innovation as a Leader in Gartner’s Magic Quadrant for Security Awareness for three years in a row. In addition to managing internal training programs and product lines, Lisa provides strategic counsel and support to the company’s clients, helping them optimize their program methods, metrics gathering, messaging and execution. Before joining Security Innovation, Lisa served as Vice President of Educational Services at Safelight Security. Lisa was responsible for managing subject matter experts and instructors in the creation of Safelight courseware. In this role, Lisa worked with internal teams and a global customer base to create dynamic, interactive learning solutions. Lisa also led the marketing team, working to promote and perpetuate the Safelight brand worldwide. Lisa holds a B.A. from the University of Vermont and an M.A. from Boston College.

ANURAG SHARMA, CISA, CISSP, CRISC, MBA, Principal, Withum

Anurag is a Principal of the Firm’s Cybersecurity Consulting practice and Service Organization Control (SOC) practice. Anurag is a Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), and Certified in Risk and Information Systems Controls (CRISC). He is also designated as a SOC 1 and SOC 2 specialist by the Oversight Task Force of the AICPA Peer Review Board. Anurag is one of Withum’s leading IT audit specialists. His areas of expertise include Cybersecurity Assessments (NIST Cybersecurity Framework), SSAE 16 (SOC 1) Audits, SOC 2 Audits, Information Security Consulting, Corporate Governance, Sarbanes-Oxley Section 404 compliance and ISO/IEC 27001 Consulting.

BBJ: What are some of the biggest threats that companies face and what can they do to mitigate those risks?

LP: Social hacking is one. Malware is still very much a problem. Hackers are 75 percent external threat versus insider threats. That means insiders trying to maliciously take data. We’re seeing a rise in state actors too. Just yesterday there was a report released that’s alleging two separate governments put malware into anti-virus software to try to steal and compromise data. And then there’s a rise in stolen or weak passwords – I think about 81 percent of breaches in 2017 occurred from them. It boils down to a people problem. So training people to understand how to act securely within their organization. These attacks prey on the idea that people are very busy. They don’t necessarily understand how to recognize a threat or they are simply just trying to speed past this task to get to the next task. Training really comes into play on what to look out for and how to act in a manner that is.

AS: I can’t agree with Lisa more. In fact Bruce Schneier, who is one of the leading security experts in the country, once said amateurs attack technology, professionals attack people. Because it’s easy to do. If you can get to someone who’s sitting behind the seven layers of security and make him click on a link, open an attachment, you have your malware sitting right inside these layers of technology. The top two or three recommendations from our audits are always human firewall. You need to strengthen your human firewall because that gives you the best return on security investment. You need to reinforce those trainings once a year. Make it a part of the culture because that is the only way you can sustain security in your organization.

RH: To echo what they’re both saying, social engineering is where we’re seeing so much of this. Social engineering is where you are using psychology to gain access and/or trust of a human element that allows access into existing protocols within an organization.

BBJ: Are there two or three simple things that a company should do or when they should hire someone?

FA: I think the first step is companies need to understand that their security team is every employee.

AS: Right, you need to test the strength of your human firewall. Do phishing assessments. We have folks who will come and phish every individual in the organization and provide you a report which would show who are the folks who actually did not or did fall for any of the phishing emails. Then you know your highest risk employees are these guys. Then you go and spend some more time educating them and then change the culture.

RH: You’re moving that cybersecurity perimeter to your end user and that is important to make sure that you are moving that protection perimeter as far out as you possibly can.

LP: One thing that is important is to put into context that everyone at an organization is important and security is everyone’s job. The idea with phishing attacks and social engineering is that hackers are going after everyone. They’re going to take any entry point they can. That’s why the human firewall is so vast because, you know, anyone along that chain can be a target.

BBJ: How does a customer pick the right type of help? How do they know what their needs are and how do they continue to scale? As you mentioned, they need to make the investment before the breach happens.

FA: We see customers today buying a product to fix a specific problem. And then they buy another product to fix another problem and so on. We have talked to many customers and companies out there that basically have 50 plus devices that they now can’t manage and can’t take care of. Vendors, like Bradford, need to not be siloed and need to work on integrations and making more of a platform or a solution for the end customer. And show how they can integrate with other companies and vendors to do that.

BBJ: Don’t just look to solve today’s problem.

FA: Correct. And that’s typically what people do.

BBJ: Lisa — how do you choose the right vendor?

LP: Understanding your industry and your particular vulnerabilities based on where you operate can help. Our solution is really about solving for people. It’s about helping folks understand and contextualize secure coding best practices so the applications that they’re building are safe. And of course, training. We have an immersion simulation exercise where developers and testers can actually go and hack. They can act like the hacker and understand how it happens on the other side. I think when selecting a vendor to solve issues you want to understand what are your compliance needs. What are the needs of your application teams and your development teams? Are you building in for cloud applications or for mobile? Make sure that you’re picking a solution that fits the roles that you’re looking to serve.

BBJ: Robert?

RH: A vendor has to look and understand your business. They have to understand what business problem are you trying to solve? Where are your gaps? How are you building that common operating picture so you can truly understand your environment? And only after a vendor understands that can they begin to have deeper conversations around products, around creating that common operating picture and ultimately solving those business problems.

AS: Putting my auditor’s hat on, when I go to an organization I usually recommend a risk based approach. First, as you said, you need to know what your business problems are. You need to know where your risks are. Then figure out which product would fit best to try and address most of my risks. Who’s going to guide you through the whole process of what your risks are and what you need to do to address those risks? Then comes the product. So based on that, which are the vendors that you would want to pick, what kind of a product. Go with the consultant and a vendor that you feel you can trust; who has got your best interest in mind.

BBJ: Well thank you all so much. I think you’ve given us some really good basic points in terms of what companies need to do. I think understanding that the need for the investment is key. Looking out further than that breach. And understanding the fact – it’s not if it’s going to happen, it’s when. And if you have that mindset you start out with people being at least more prepared. Thank you all for your time and we’ll see you again soon, and hopefully not when we have a breach.


The BBJ will have more Table of Experts programs on other topics and if you are interested in participating, please contact the BBJ advertising department at 617-316-3220.