FedRAMP strategy, red teaming, NIST privacy standards, evolving Federal acquisition rules, Ohio’s new cybersecurity safe harbor law – these are some of the Sera-Brynn staff blog topics from 2018. We wrote about GDPR (but are still digesting PIPEDA, the Canadian privacy law). We continued to talk about the FAR Reform. We published a guest blogger’s article on how a business should plan to minimize reputational damage following a data breach.
In general, we wrote about how to help businesses increase cyber resiliency — because that is what we do every day. So, from our 2018 archives, here are 5 blogs worth a read as you plan for 2019:
In September of 2018, the Assistant Secretary of the Navy issued a memo imposing heightened requirements on Navy contractors. The DoD contracting community must already be in full compliance with DFARS cybersecurity clause 252.204-7012 that requires implementation of NIST SP 800-171. This memo raised the bar. Our Chief Strategy Officer Heather Engel writes about how select contracts may be subject to additional requirements. This directly impacts Navy contractors.
Tone: serious. Jokes: none.
Our senior security analyst Crystal Silins deftly answers this question. She explains why a business would benefit from a CISO. She provides practical recommendations on what skillsets to look for in a CISO. In light of the fact that many companies lack a CISO who is solely responsible for managing the risks to critical information, there is much to be gained by understanding the significance of this key position.
Fun fact: Since Crystal’s article, Sera-Brynn onboarded several new clients under our Fractional CISO program.
In this blog, our CSO did something that our sales team hated. She wrote an article on when a business would NOT want to buy our FedRAMP assessment services.
She makes the case for when pursuing FedRAMP authorization does not make sense, i.e., (1) when an organization doesn’t have a federal sales strategy; (2) when there are significant resource constraints; and (3) when the organization is just not equipped to handle the “intense” process of FedRAMP authorization. Despite all this, if you want to know about whether becoming “FedRAMP Ready” is a good strategy for your business, send us a note and we will arrange a conversation.
Favorite line: “Just like pickles and peanut butter, the FedRAMP process and authorization is not for every CSP.”
One of our penetration testers and leader of our offensive operations group, Dave Snell, wrote about red teaming. If you don’t really know what red teaming is, read Dave’s blog. He writes about how his group works together to conduct multi-layered attacks. “Thinking differently” is key. Some businesses should consider this option to stress test their organization’s security.
Bonus: The red team debrief will be one of the least boring meetings of your entire year.
Lastly, I think this blog on data privacy is significant to nearly all U.S. businesses. Why? Because nearly every organization handles personal data of either employees, business affiliates, customers, or people we wish were customers. Also, data privacy was a very popular news topic in 2018. In past years, cybersecurity news was dominated by major data breaches (Target in 2013, Sony in 2014, OPM in 2015, Russian hacking in 2016 and so on). However, 2018 put corporate data privacy practices in the spotlight.
Maybe it was because of “breach fatigue.” Maybe it was because Big Tech’s data-sharing practices were publicly scrutinized. Maybe it was GDPR. Maybe it was because of California’s new consumer data privacy law. Whatever the reason, data privacy became highly relevant. Thankfully, NIST is creating a voluntary Privacy Framework. Much in the same way it developed the Cybersecurity Framework (CSF), NIST is designing a framework that is both robust and flexible. Businesses should take note.
This blog summarizes one of NIST’s first public meetings on the framework. It discusses some of the challenges, like how to write optimal security controls for privacy, and how to deal with the value judgements that are a fundamental part of any discussion on privacy.
Big thought: We’re going to have to talk about who we are protecting, and why.
By Colleen H. Johnson, Sera-Brynn.