Issue Twenty One

January 2023

As we move into the new year, we carry forward the many lessons learned in 2022. We continue the noble effort of making cybersecurity a foundational business principle, across organizations of every size. We look towards the horizon to ensure the advancements in technology and legislation do not arrive unexpected or unannounced to those we serve.

For over a decade we’ve understood technology alone will not solve the problem. We must continue working to empower our teams to grow and innovate alongside the systems and platforms we leverage – and to do so in a manner that is safe and responsible. Every member of the organization should understand the role they play in creating a culture of security. There is no effective cybersecurity strategy without accounting for and involving our greatest assets, our people.

The business landscape will continue to digitize. Our supply chains will become more complex. The relationship ecosystems we build and depend on will demand we do our very best to protect these communities of commerce. They will hold us accountable with industry standards and best practices – to ensure the reputation and trust we’ve worked so hard to establish are protected.

This month’s issue of Target Lock pulls the past, present, and future of cybersecurity into focus. We do our teams and our business communities a great service by continuing to prioritize the cybersecurity conversation. The first quarter of 2023 will set the tone for the entire year, and we simply can’t afford to be anything but consistent and dependable for those that depend on us.


ZEROING IN


What’s On The Agenda for 2023?


Silent Quadrant

The cybersecurity events of 2022 read as if they’re a highlight reel of what cyber criminals are capable of. There was a significant data breach announced every month of last year, to include some of the largest companies in the world.

Uber, Twitter, Meta, Apple, Verizon, American Airlines, Toyota, Samsung, Morgan Stanley, Rockstar, Nvidia, Cisco, DoorDash, LastPass, Cash App, Red Cross, The US Department of Education, The Texas Department of Insurance, and the Costa Rican Government are some of the big names that made the unfortunate list of “lessons learned” for 2022.

It should come as no surprise that our economic outlook is uncertain, at best. We’ve spent the past several years on the Polarized Express, where sound guidance passes like mile markers on a bullet train. It is in these times that we all have the unique opportunity to look internally, face challenges head on, and double down on dependability.

The most encouraging note for 2023 is the fact that cybersecurity will remain at the top of everyone’s agenda, especially in Washington DC. We will see a heightened focus on cybersecurity spending, legislation and regulation, artificial intelligence, cloud security, risk quantification, and data privacy. If looking for a common denominator, look no further than an overarching theme to protect and deliver on the promise of responsible and dependable digital business practices.

“Cybersecurity risks are unfortunately only going to increase but so will the ability of boards and executive teams to deal with these new challenges. What’s key is to ensure that cybersecurity is at the heart of any organization’s digital strategy. It’s an enabler of growth. Those for whom cybersecurity is a strategic priority will be far better equipped to deal with any new risks ahead.”

SQ Insight: Adam Brewer - CEO


Organizational Resilience Requires Strong Digital Acumen

Silent Quadrant

Driven by factors brought about by the global pandemic, organizations worldwide have digitally transformed in massive ways over the past three years.  Technology teams rapidly delivered new and modern operational capabilities, facilitated work from home, moved away from legacy systems, and ultimately saved businesses from obsolescence.

From a cybersecurity perspective however, digital transformation has significantly expanded the attack surface through the introduction of new tools and platforms.  This underscores the importance of digital acumen as a factor of organizational resilience.  Put simply, staff must be able to use their digital tools effectively and securely.

"Accelerating digital transformation requires new digital skills, not just in IT, but across all organizational functions."

Improving the digital skills of all staff across the organization assures greater resiliency against potential - and inevitable - disruptions within a digitally transformed world.  A strong level of digital acumen across the organization also supports a positive culture of cybersecurity; the two are intrinsically tied.

"Strong digital acumen is the foundation upon which a culture of cybersecurity is built.  With it, an organization is able to identify and mitigate potential threats, respond effectively to incidents when they do occur, and ultimately become more resilient to the impacts of a cybersecurity attack."

The effective and ongoing measurement of organizational digital acumen and cybersecurity culture - and their impact on overall resilience - is an imperative for every business leader going forward.  In today's business landscape, having a team that is proficient in digital technologies is essential for success.  By investing in the digital skills of their staff, leaders can ensure that their organization is well-equipped to securely meet the challenges of the digital age.

"Building digital acumen fortifies the ability of businesses to remain relevant and competitive going forward."

SQ Insight: Kenneth Holley - Chairman


Cybersecurity Supply Chain Risk Management (C-SCRM)

Silent Quadrant

Third-party vendor risk accounts for more than half of all cyberattacks, and globalization has obscured visibility into product and service supply chains. Every party to a supply chain has responsibility for protecting it, and businesses must hold accountable their supply chain partners for proper cybersecurity risk management.

In order to combat the mounting supply chain threats and better protect themselves, organizations should integrate cybersecurity supply chain risk management (C-SCRM) into their risk program. This is growing increasingly relevant not only as the threat landscape expands, but also as third-party liability intensifies. Notably, a recent cyber insurance victory for T-Mobile offers incentive for companies to pursue recoveries from third parties for lapses in cybersecurity practices. As SolarWinds and Log4j, among others, have taught us, cyber risks can be introduced anywhere along the supply chain, and companies up and down that supply chain are under greater scrutiny for failing to have reasonable cybersecurity controls in place.

While “reasonable” remains undefined, there are a few points to consider:

  • Establish a cybersecurity third-party risk management program.

  • Know who your third parties are and what systems, applications, or data each can access.

  • Classify your third parties based on risk, and establish minimum information security, assessment, and monitoring requirements.

  • Update contract documents to include information security requirements, evaluation criteria, and obligations to report security vulnerabilities, incidents, or breaches.

  • Collaborate with critical third-party partners and incorporate them into incident response, recovery, and resilience activities.

  • Require your third parties to manage their third-party relationships, and so on.

In short, ensure that your third parties take cybersecurity as seriously as you do. Integrating C-SCRM into an enterprise risk management program (inclusive of cybersecurity and data privacy) elevates risk awareness so that leaders and decision-makers are in touch with critical organizational issues, and therefore able to make informed and reasoned decisions.

Organizations, regardless of size, must improve visibility and control of their third-party relationships to enhance overall cybersecurity and address growing liability issues. Additionally, helping to protect the supply chain benefits the broader economy and aids national security efforts, which seem both responsible and reasonable.

For a deeper dive, the National Institute of Standards and Technology (NIST) Key Practices in Cyber Supply Chain Risk Management (NISTIR 8276) offers additional industry insights and outlines practices and recommendations for implementing C-SCRM in any organization.

SQ Insight: Tony Ogden - President, GRC

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
