Today’s security professionals face a myriad of threats and hazards unimaginable just two short decades ago. This dilemma is compounded by advancements in technology and an increasingly complex threat environment from a wide array of natural, man-made, and technological threats and hazards to people, property, the global economy, critical infrastructure, and computer systems, to name just a few. These threats have taken on a global nature with great interconnectivity, interdependency, and an increasing flow of goods, people, and services across borders.
Security professionals charged with analyzing risk and implementing well-considered policies face exceptional challenges in dealing with this complex security environment. In addition, decision-making must comply with their nation’s unique legal, political, and social framework. An understanding of the global dynamics undergirding these issues requires a multidisciplinary approach that explores this reality. This reality has created a demand for a new generation of highly educated leaders in both the private and public sectors of the Homeland Security Enterprise, as well as academics who will teach the next generation of security professionals and conduct innovative research in the field.
You can gain the knowledge, skills, and credentials to meet these needs: conduct research more effectively; think both analytically and critically; build and manage teams; and make decisions and apply knowledge to solve real-world security challenges effectively, through the Doctor of Professional Studies in Homeland Security (DPS) program at St. John’s University, one of the first nonprofit educational institutions to offer doctoral-level studies specifically in homeland security.
This program is designed to qualify candidates to fill mid- to high-level executive positions in government, law enforcement, the public and private security industries, nongovernmental organizations, and academia. Students will research and explore the practice of such collaborative efforts; gain an understanding of the range of local, national, international and organizational security issues faced by public and private actors and entities within the Homeland Security Enterprise; apply this knowledge to issues of policy- and decision-making, organizational design, leadership, and administrative practices; and focus heavily on the practice of emergency and disaster preparedness, including response, recovery, mitigation, and resilience efforts. The program will focus not just on Homeland Security efforts but also draw on lessons learned from abroad.
What Is Sustainable Cybersecurity?
Environmental sustainability focuses on economic, social, and environmental development. By keeping resources from being depleted, we can continue to feed ourselves and expand businesses responsibly.
Sustainable cybersecurity mirrors that in the digital environment. You need to think about your entire data environment the same way you think about the physical environment.
You use a recyclable water bottle to keep non-biodegradable plastics out of landfills. In the same way, you want to protect your data environment from malware, ransomware, and hacker contamination of your databases. Published in 2016, the University of Illinois Law Review article “Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks” explains the important role continuous cybersecurity monitoring plays in creating sustainable cybersecurity. The article argues that, just as overfishing makes a river unusable, an attacker pollutes a data environment by depleting its limited bandwidth, whether through a distributed denial-of-service (DDoS) attack or through spam and phishing messages.
In other words, maintaining a sustainable environment – physical and digital – requires leadership proactively monitoring the environment to ensure that resources remain accessible.
Why Do Businesses Struggle with Sustainable Cybersecurity?
Sustainability is expensive. Although increasingly affordable, electric cars still average a higher list price than conventional cars. Although they are considered to have a better overall lifecycle cost efficiency, the initial capital outlay means fewer people buy them. Cybersecurity has the same problem.
Protecting your data environment can be expensive. Creating a continuous monitoring strategy for information security means hiring employees to carry out your vision. Most small and mid-sized businesses struggle to find qualified cybersecurity professionals to protect their data. In fact, the United States currently faces a cybersecurity skills gap crisis. With too few professionals, demand far outpaces supply, which makes hiring skilled cybersecurity professionals expensive. This skills gap prices most small and mid-sized businesses out of finding the right people to protect their data.
However, just as with hybrid cars, you need to think about the life cycle of your continuous monitoring strategy. More and more small and mid-sized businesses risk being breached. You might feel that hackers would target large businesses because they control a vast amount of data. Unfortunately, while large businesses may make the news more often, small-to-medium sized businesses appeal to malicious actors precisely because they don’t have the money to strengthen their cybersecurity posture.
Small- and mid-sized businesses lose an average of $120,000 per cyber incident. When a small-to-medium sized business experiences a data breach, the continuing costs that occur after the breach can lead to bankruptcy.
In short, the life cycle of a sustainable security program ultimately saves money, similar to buying a hybrid car, despite the initial capital output.
Why A Security-First Compliance Approach Ensures Sustainable Cybersecurity
A security-first compliance approach begins by focusing on securing your data and then reviewing what additional controls you need to ensure compliance. Using this approach, you’re working towards continuous monitoring, compliance, and audit over your environment to protect data, document that protection, and prove it meets the requirements established in standards and regulations.
For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) focuses on reviewing the risks to your data environment and then suggests controls. The NIST continuous monitoring requirement means you need to be aware of new threats, such as ransomware variants, and of previously unknown vulnerabilities affecting your systems, networks, and software, whose exploitation is also called a “zero-day” attack.
More importantly, however, the continuous monitoring approach of security-first compliance lets you create a corporate culture focused on sustainable security. As hackers continue to evolve their attack methods, you need insight into how to maintain a secure data environment. IT monitoring software gives you, as the leader, insight into security weaknesses and control over protecting your data assets. To enable a sustainable security strategy, you need to deploy continuous monitoring tools that provide insight into the threats facing your information environment. For small- and mid-sized enterprises, automation provides a sustainable security solution.
How a Sustainable Cybersecurity Program Using Security-First Compliance Saves on Insurance Premiums
Environmental protection provides another analogy here as well. In the 1980s, insurance companies found themselves liable for cleanup costs associated with a variety of environmental regulations. From underground water tables to big spills to asbestos, the insurance community struggled to price premiums for many companies. While large companies posed a clear risk, small companies posed a hidden risk. Zero-tolerance regulatory requirements created a strict liability standard under which all companies linked to the physical site were 100% liable and had to negotiate amongst themselves to determine the proportion of their liability. Today’s data regulations mimic this zero-tolerance approach: your entire supply chain, both upstream and downstream, is responsible for a data leak.
But just as with environmental hazards, insurance companies know that larger organizations such as credit card companies and healthcare insurance providers have the resources to protect data. Those firms have the resources to enforce a continuous monitoring policy, and historical data exists to help define their potential risk.
Small- and mid-sized businesses do not have the same easy-to-define profile. You’re doing your best to protect your data environment. Your data is just as valuable to hackers, but your resources are limited. In fact, many small-to-medium sized businesses may think their firewall or encryption protects them but lack the insight needed to maintain secure networks as the corporate technical architecture evolves. Every day, multiple alerts suggest new software or system updates necessary to protect your information, and triaging the most important ones can become overwhelming. Insurance companies don’t know how to evaluate that risk appropriately, since human error, often the cause of a data breach, is not easily quantifiable.
With the appropriate security-first automation enabling continuous cybersecurity monitoring, you can prove your controls work, even if you can’t afford to hire a cybersecurity professional.
Transparency Helps Create Sustainable Cybersecurity
I know that you are balancing an overwhelming number of tasks and may not have the resources necessary to create a stand-alone cybersecurity department. I also know that corporate responsibility is important to you and your customers. With a sustainable security program underscored by a security-first compliance approach, you can conserve your resources rather than deplete them.
- Honesty: Creating a sustainable cybersecurity program lets you be honest with stakeholders and customers about data security. Our platform helps you verify your controls to take the guesswork out of continuous monitoring and continuous auditing.
- Clarity: Easy-to-understand dashboards help you monitor threats and triage risks to keep your data secure.
- Simplicity: We help you create a sustainable business by customizing cyber insurance to your needs, mitigating the costs associated with a data breach, including loss of customer or employee data, and providing coverage against third-party lawsuits.
What are the data breach risks?
The 2019 Data Breach Investigation Report noted several trends.
- 43% of data breaches involved small businesses
- 69% of breaches were perpetrated by outsiders
- 53% of breaches featured hacking
- 33% of breaches included social engineering
- 71% of breaches were financially motivated
- 56% of breaches took months or more to discover
The newest statistics indicate that cybercriminals target small businesses to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting weaknesses in systems, networks, software, and people to gain entry.
Many small businesses currently lack the appropriate resources necessary to defend against these attacks, which increases the likelihood that cybercriminals will continue to target them.
Why you need continuous documentation for continuous assurance
Security is the act of protecting your information. Compliance is the documentation of those actions. While you may be protecting your systems, networks, and software, you cannot prove control effectiveness without documentation.
Documenting your continuous monitoring and response activities provides your internal or external auditors with the information necessary to prove governance. Moreover, the documentation process eases conversations with business leadership and enables the Board of Directors to better review cybersecurity risk. Since compliance requirements focus on Board governance over the cybersecurity program, documenting risk, monitoring, and remediation in an easy-to-digest way enables you to meet these compliance requirements.
Why you need a single source of information
With the number of stakeholders involved in cybersecurity compliance activities, maintaining shared documents creates a variety of potential compliance risks. Shared documents can be updated without the document owner’s knowledge, and people can make copies, which leads to multiple versions and a loss of visibility.
A single source of information allows all stakeholders to track and review compliance activities while maintaining the integrity of compliance data.
What is compliance?
In general, compliance is defined as following rules and meeting requirements. In cybersecurity, compliance means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information stored, processed, or transferred.
However, cybersecurity compliance is not based on a single stand-alone standard or regulation. Depending on the industry, different standards may overlap, which can create confusion and excess work for organizations using a checklist-based approach.
Most common security regulations, standards, and compliance frameworks:
- CIS Controls (Center for Internet Security Controls)
- ISO (International Organization for Standardization)
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
- PCI-DSS (The Payment Card Industry Data Security Standard)
- CCPA (California Consumer Privacy Act)
- AICPA (American Institute of Certified Public Accountants)
- SOX (Sarbanes-Oxley Act)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- FedRAMP (The Federal Risk and Authorization Management Program)
- FERPA (The Family Educational Rights and Privacy Act of 1974)
- ITAR (International Traffic in Arms Regulations)
- COPPA (Children’s Online Privacy Protection Rule)
- NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
- ISACA SSH Audit Practitioner Guidance
- ISO/IEC 27001:2013
- NIST (National Institute of Standards and Technology)
- NIST Cybersecurity Framework
- NIST IR 7966 on SSH Keys
- NIST SP 800-53 / FISMA Law
- PCI DSS Compliance
- SANS Top-20 Critical Security Controls
- Sarbanes-Oxley Act (Sections 302, 401, 404, 409, 802)
- EU GDPR
- BASEL Accords for Banks
- SSAE-16 Statement on Standards for Attestation Engagements No. 16
- AT-101 auditing standard
- FedRAMP (a standardized way for government agencies to evaluate the risks of cloud-based solutions)
- Privacy Shield Framework
- Horizon 2020 Directive
- 2015/16 German Security Act
- Bundesdatenschutzgesetz 2017
- Auditability regulations
- Data protection
- Privacy and identity theft regulations
- ISO 27001
- Triple-A
- German Security act 2015
- Telecommunications Act
- International Financial Reporting Standards (IFRS)
- Law of pension communication (BWBR0036645)
UAE
- National Electronic Security Authority (NESA / SIA) – Information Assurance Standard
- Dubai Electronic Security Center – Information Security Regulation v2 (ISR)
- Saudi Arabia Monetary Authority (SAMA) – Cyber Security Framework
- Abu Dhabi Department of Health – Healthcare Information and Cyber Security Standard
- National Cybersecurity Authority, Saudi Arabia – Essential Cybersecurity Controls
- Abu Dhabi Data Management Standard – ADSIC / ADSSSA
- Abu Dhabi information security standards
- Dubai Data Law – DDE
- ISO/IEC 27001:2013 Information Security Management System
- PCI-DSS v3.2 Payment Card Industry – Data Security Standard
- NIST CSF – Cyber Security Framework
- IEC 62443 / ISA99 – Cyber Security in Industrial Control Systems
- SWIFT Customer Security Controls Framework