3 Reasons to Focus More on Cyber Resilience than Compliance
To say our country is at war with cyber criminals is an understatement.

The onslaught of attacks is relentless, and the numbers are staggering. Last year, 800,944 cybercrime-related complaints – or nearly 2,200 per day – were reported to the FBI’s Internet Crime Complaint Center. While the number of complaints dipped by five percent, the dollar value of potential losses skyrocketed 48 percent to $10.2 billion. 

It seems that each day we hear or read about a new breach at some of our country’s most venerable private and public sector institutions. In mid-June, for example, Russia-linked criminals breached several federal agencies. Among those agencies was the Department of Energy, which oversees our country’s nuclear weapons – and whose cyber defenses were breached two years earlier. 

Recognizing that our country is in an unending war, lawmakers have proposed more funding for cybersecurity for fiscal year 2024, earmarking $13.5 billion for the Pentagon and another $12.7 billion for other agencies. The recommended funding package includes $3.1 billion for the Cybersecurity and Infrastructure Security Agency, which would represent a modest $145 million bump in the agency’s current budget. 

That is a positive step forward, but here is the problem: Our federal government has a long history of being obsessed with compliance-related rules and regulations. That mindset thwarts progress for three reasons.

  • First, our adversaries do not have compliance standards to meet. They only care about winning each battle and causing maximum harm.
  • Second, a compliance mindset is reactive rather than proactive. With each successful breach, policymakers seek to “fix” the problem through improved compliance. It is a slow and ineffective approach because by the time new standards are approved and implemented, threat actors have found other ways to bypass the new safeguards. There is a long and growing list of organizations that met compliance standards, yet fell prey to criminals.
  • Third, compliance is the lowest rung on a cybersecurity ladder that also includes maturity and, at the top, effectiveness. The obsession with compliance has another negative consequence…


How Christina Cacioppo Built Startup Vanta Into A $1.6 Billion Unicorn To Automate Complicated Security Compliance Issues
The Stanford graduate built a fast-growing software company to automate what had previously been a manual process. She’s now one of America’s richest self-made women.
About five years ago, Vanta CEO and cofounder Christina Cacioppo received a message from one of the customers of her nascent security and compliance automation company that something was wrong. The automated email the customer received each morning detailing what had happened in their Vanta account in the past 24 hours had the wrong company name in it. Cacioppo responded: “There’s a bug, we’re so sorry. We’ll fix it.”

What the customer didn’t realize was that the “automated” email was actually one that Cacioppo had sent early that morning. Cacioppo, who had founded Vanta just months earlier, set her alarm each day for 5:45 a.m. and crafted the emails by hand. She did this to make sure customers liked the emails before spending time writing code that would automate them. Once she knew what customers wanted, she and Vanta’s founding team sat down and wrote the code—and didn’t need to change it for a year and a half.

It’s just one example of the Ohio native’s scrappy approach—which also included everything from buying coffee in bulk from Costco to running Vanta without formal executive or staff meetings for its first two years. That hustle has helped her company land an estimated 5,000 customers including Quora, Autodesk and payments software firm Modern Treasury, with 600 new customers signing up each quarter, according to Vanta. Cacioppo has also helped score $203 million in funding to date from such venture capital firms as Craft Ventures and Sequoia, including $110 million raised in June 2022 that values the company at $1.6 billion. That’s enough to earn Cacioppo, 36, a spot on Forbes’ list of America’s Richest Self-Made Women with a $385 million fortune based on her stake in Vanta.

“Prior to Vanta, the way security and compliance was done was entirely with spreadsheets and screenshots of information that were collected in folders and shown to [certified…


Security Experts Roundtable coming January 25, 2023
2023 Federal Tech Trends: Device Lifecycle Management Is Helping with Compliance
Establish a Holistic View of All Devices

Device lifecycle management helps agencies by cataloging minute details of each device in the agency’s environment. Device lifecycle management also can be part of a larger IT asset management system that involves software and networking equipment.

It is a key tool that lets IT leaders know where each device is in its lifecycle and when it might be time to refresh or retire the asset.

As far as compliance is concerned, device lifecycle management is a way for IT leaders to know where the agency’s information lives and how it’s secured.

“One of the biggest things is taking security into account in the entire lifecycle,” Frazier says. “We still think of things as secure after the fact. We put it out there and oh, by the way, let’s make it secure. We can’t do that.

“As IT leaders, we have to be thinking for everything we build, from the time that we have it as a thought in our brain, we should be planning what the security is for that architecture,” he says. “We have to be thinking about the security implications.”

Conversations on device lifecycles often revolve around software because, as Frazier notes, “device lifecycle is software lifecycle,” and keeping both up to date is “a never-ending prospect.”

Process and policy are foundational to IT asset management, write David Comings and Randi Coughlin of CDW in a blog post. “They can ensure that unapproved or malicious downloads are discovered on the network and help automate security and compliance practices.”


Consider the Costs of Managing Devices

Finances can be a limiting factor when establishing a device lifecycle management system. The agency must consider the cost of acquiring new devices and the cost of managing them, including efforts to maintain security and compliance.

On one hand, keeping devices in use for a longer time lowers the overall cost of ownership; on the other, it stretches the energy and resources of the IT team that has to manage them.

“The longer you’re hanging on to devices, the more types of things you’re likely to be supporting — the more varieties of desktop models or…
