What You’ll Learn From This Episode:
- Why investing in security is a MUST
- How to make sure not to focus on compliance but on good practice
- Why leadership and governance are the solutions to most security problems
Related Links and Resources:
My free gift is a community gift. There is an organization called 'The Center for Internet Security'; they're a global organization with well-defined practices, at www.cisecurity.org. To get to me directly, you can email me at [email protected] or go to the website www.class-llc.com
Keyaan Williams is the Founder and Managing Director of Cyber Leadership and Strategy Solutions (CLASS-LLC), a professional services firm that helps global clients with cybersecurity strategy, risk management, and workforce development.
His reputation for leadership was established when he led the operational transformation of the Information Systems Security Association (ISSA) as the President of the International Board of Directors, and he has also been recognized for his service in the U.S. Army Chemical Corps.
Keyaan has contributed to many books and publications including The Language of Cybersecurity, Using Security Metrics to Drive Action, CISO Magazine, the ISSA Journal, and the Crisis Response Journal.
Here are the highlights of this episode:
1:32 Keyaan’s ideal client: You read my bio, and it sounds like we're only working with very large companies, but my ideal client really is a small to medium-sized business. 66% of SMBs fail after having a data breach or a cyber-attack. So, my personal preference is to work with those smaller businesses to help them stay in business.
2:03 Problem Keyaan helps solve: All businesses struggle to understand what security means, and part of that is the security industry. People in this profession talk in technical terms, and they have a hard time transitioning or translating that information into a business decision. So, one of the things that I help do goes back to the old-school decision support systems, where I tell people what they need to know so that they can make informed decisions that benefit the organization and lead it to success.
2:51 Typical symptoms clients show before reaching out to Keyaan: What's interesting is that industry research says that it takes 9 months, 270 days, for a mature organization to determine or identify that they have a breach or some kind of cyber-attack, because the attackers are very stealthy and their intention is not to get caught, unless you're dealing with a ransom seeker. The objective of the business owner, regardless of the size of the business, is to make sure that they don't focus on compliance but on good practices that are going to protect the organization. And then they invest in 'incident response' so that when a problem is found, they fix it as quickly as possible and get back to normal.
3:45 What are some of the common mistakes that folks make before finding Keyaan and his solution: There are two categories that answer the question. If the company is investing in security, most companies only invest in obligations that are defined by a regulation or a contract. If you go back two years, 90% of the data breaches that happened were in companies that were compliant with their regulations. So, it highlights that compliance is not the answer to the problem; it's the bare minimum. The other problem is that some companies don't invest in security whatsoever. The National Association of Corporate Directors identified that 61% of corporate executives will ignore security concerns to achieve a business outcome. But security concerns and failures in that area put 66% of companies out of business, so there's a mismatch between what's driving the business owner and the things they need to put in place to stay in business.
4:53 Keyaan’s Valuable Free Action (VFA): One of the best things that you can do is understand your environment. I've talked to scientists, I've talked to educators, I've talked to professionals, the confusion is that most people have no idea what they have. And so, doing an inventory and knowing what you have is the start, because the inventory is going to allow you to make sure that you patch, that you update, and that you secure the things that are important to the organization. And that doesn't require a consultant, it doesn't require a third party. That's just due diligence and managing your business.
5:38 Keyaan’s Valuable Free Resource (VFR): My free gift is a community gift. There is an organization called 'The Center for Internet Security'; they're a global organization, they have well-defined practices, and instead of forcing something that's my bright idea, I thought it would be valuable to share with the audience. It's cisecurity.org; it has critical security controls that they document and explain, and every organization should at least look at the first six and work to put them in place. Where we come in is that we help people when they don't understand some of the controls that they're looking at. To get to me directly, you can email me at [email protected] or go to the website class-llc.com. The website describes the services, and it also has a 'contact us' page, which is a great way to get in touch with us and categorize your request so that we know how we can best provide support.
7:16 How do we build a governance framework that focuses on risk management? I am one of the founding members of the Atlanta chapter of the Private Directors Association. And within the association, one of the things we talk about is leadership and governance. Most organizations struggle to get the leadership of the organization to understand what security means, how it works and how we do it. The answer to most of your questions is really developing a policy at the Board of Directors or the corporate level, and then the policy influences all of the actions that you take for security. Where my cohorts in the company and I are a good partner is that we can help organizations define the policy and the approach, and tailor it for the company and how you operate, so that you can solve the problem without getting distracted by all of the buzzwords, by all of the industry language, and by all of the things that people are selling. We're really strategic advisors, and through our advice, we're pointing people in the right direction. And I think starting at the top, focusing on governance and leadership, is the solution to most of the security problems that organizations are facing.
“I think starting at the top, focusing on governance and leadership, is the solution to most of the security problems that organizations are facing” – Keyaan Williams