Why You Should Scroll Further

Welcome to my website, dedicated to helping businesses with cybersecurity and risk management. My name is Todd Hammond, and I specialize in helping businesses understand that cybersecurity is not just a technical issue, but a business risk that can significantly impact success and survival. By investing in cybersecurity, physical security, and risk management, businesses can establish and maintain resilience. My website focuses on providing foundational insights and strategies to help businesses navigate cybersecurity and establish continuity of operations.

My Professional Guiding Principles

Do The Right Thing Even If It's Difficult

Stay true to values and code of ethics, and always do what is right, especially when it is not easy or popular.

Build & Support Other People

Build high-performers and support and encourage others in their endeavors, even if only as a small part of their success story.

Maintain Business Velocity Within Risk Appetite

Help companies maintain operational velocity while thoughtfully maintaining safety and managing risk.

People Centric

Being people-centric is key to creating a proactive security-aware culture, and two leadership approaches that can help achieve this are extreme ownership and servant leadership. Extreme ownership means taking complete responsibility for the success or failure of a mission, which in this case is creating a security-aware culture. This approach requires leaders to lead by example and hold themselves and others accountable for their actions. Servant leadership, on the other hand, focuses on putting the needs of others first and empowering them to achieve their full potential. In cybersecurity, this means empowering employees with the knowledge and tools to prevent security breaches and proactively manage risks. By combining extreme ownership and servant leadership, leaders can create a culture where everyone takes ownership of cybersecurity and risk management, and security is integrated into all aspects of the business. This reduces the risk of cyber-attacks and creates a more resilient and successful business overall.

It is best to find and address risk issues closest to when and where they are happening.

  • If a front-line person finds an issue, that is better than your risk team finding it
  • If your risk people find it, that's better than your auditors finding it
  • If your auditors find the gap, that's better than your regulators finding it
  • If your regulators find a matter, that is better than a judge or jury finding it

Security Aware & Risk Informed

Create a Culture Of Security & Risk Awareness

Promote Risk Awareness

Promote identification and evaluation of threats & risks to the business, and encourage employees to speak up.

Addressing potential issues early in the product or service lifecycle prevents delays, re-engineering and disruptions later.

Inform Decisions

Decision-making processes include an evaluation of threats and risks as well as mitigation costs & complexity.

Understanding risks and the plans to address them helps leaders make better financial, administrative, operational, and technological decisions.

Govern & Oversee

Evaluate risk treatment effectiveness from three perspectives: the front line, risk governance and audit.

Leaders with an aggregated view of risk can better ensure that risk levels remain within their appetite and that mitigation efforts are cost-effective and working as designed.

Minimize Disruption

Every day, take steps to make it harder to disrupt the business and improve your ability to recover.

Though not all threats can be prevented, building security awareness and risk mitigation into your everyday operations will help minimize disruptions when they occur.

Symptom

Immediate achievement is prioritized over the long-term adverse business ramifications.

Solution

Make sure employees understand that Security & Risk initiatives are like the brakes on a car: they get you from Point A to Point B in the fastest and safest way possible. If you only accelerate and never use the brakes, an accident is sure to happen, and you will get nowhere.
Learn More About Maintaining Business Velocity and Good Risk Appetite

Symptom

An employee's lapse in judgment caused a security breach.

Solution

Avoid creating a culture where security and awareness are compliance requirements or necessary evils seen as business distractors that impede progress and profit.
Learn More About Effective Business Practices to Constantly Reinforce Security & Risk Awareness

Symptom

Employees are uncomfortable questioning or challenging someone or something that seems out of place.

Solution

Avoid creating a culture where security and awareness are compliance requirements or necessary evils seen as business distractors that impede progress and profit. Instead, engage security and risk experts to integrate security and risk into new ideas, projects, operational procedures, technology implementations and administrative functions.
Learn More About Empowering & Engaging Employees

Symptom

Security program enhancements are primarily driven by audit or regulatory findings.

Solution

Identify risk areas and rank them by level of risk, remediation complexity, business impact and remediation cost. Higher-risk, low-impact, low-cost issues should be remediated immediately. A risk-based methodology, informed by business- and IT-aligned remediation, should be developed to create a 2 to 3-year strategy and roadmap to reposition the program. Any additional findings should be incorporated into the strategy & roadmap.
Learn More About Building an Information Security Program Strategy
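As an added illustration of the risk-based ranking described above (example code written for this page, not the author's own tooling or methodology), the script below triages a constructed risk register: each issue is scored on risk level, remediation complexity, business impact and remediation cost, the high-risk, low-impact, low-cost items are pulled out for immediate remediation, and everything else is ordered for the multi-year roadmap. The ordinal scales, the weights in the score, and the sample issues are all assumptions made for the example.

```python
"""Added example (not from the original page): triage a constructed risk
register by ranking issues on risk level, remediation complexity, business
impact and remediation cost, then separate the quick wins from the roadmap."""
from dataclasses import dataclass

# Three-step ordinal scale; an assumption for this example, the page gives none.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskIssue:
    ident: str
    risk: str         # inherent risk level: low / medium / high
    complexity: str   # remediation complexity
    impact: str       # business impact of carrying out the remediation
    cost: str         # remediation expense


def priority_score(issue: RiskIssue) -> int:
    """Higher score = fix sooner. Risk counts positively; the three friction
    factors (complexity, business disruption, cost) count against it.
    The weights are an assumption for this example, not from the page."""
    return (3 * LEVELS[issue.risk]
            - LEVELS[issue.complexity]
            - LEVELS[issue.impact]
            - LEVELS[issue.cost])


def is_quick_win(issue: RiskIssue) -> bool:
    """The page's 'remediate immediately' rule: high risk, low business
    impact and low remediation cost."""
    return issue.risk == "high" and issue.impact == "low" and issue.cost == "low"


def triage(register):
    """Split a register into (immediate, roadmap). Both lists are sorted by
    descending priority score, so the roadmap order is driven by risk rather
    than by whichever audit finding arrived most recently."""
    ranked = sorted(register, key=priority_score, reverse=True)
    immediate = [i for i in ranked if is_quick_win(i)]
    roadmap = [i for i in ranked if not is_quick_win(i)]
    return immediate, roadmap


# Constructed sample register; these are illustrative entries, not real findings.
SAMPLE_REGISTER = [
    RiskIssue("R-01", risk="high", complexity="low", impact="low", cost="low"),
    RiskIssue("R-02", risk="high", complexity="high", impact="high", cost="high"),
    RiskIssue("R-03", risk="medium", complexity="medium", impact="low", cost="medium"),
    RiskIssue("R-04", risk="low", complexity="low", impact="low", cost="low"),
    RiskIssue("R-05", risk="high", complexity="medium", impact="low", cost="low"),
]

if __name__ == "__main__":
    now, later = triage(SAMPLE_REGISTER)
    print("Remediate now:", [i.ident for i in now])
    print("Roadmap order:", [(i.ident, priority_score(i)) for i in later])
```

Run as-is to see the split: R-01 and R-05 are flagged for immediate remediation, while the high-risk but expensive and disruptive R-02 lands on the roadmap behind the cheaper medium-risk R-03, which is the kind of trade-off the roadmap conversation with business and IT leadership is meant to surface rather than hide.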

Symptom

Previously identified, accepted or remediated risk issues linger, are not re-evaluated at least annually, and there is largely no formal discussion of their existence and potential lingering impact on the business.

Solution

Implement a board-approved Three Lines of Defense risk governance model that includes a formal executive governance committee, board-level oversight, and clearly defined roles and responsibilities for risk management throughout the organization. Develop a process for formally assessing, documenting, and tracking risk issues over time.
Learn More About Three Lines of Defense Risk Governance & Oversight

Tactically Remediate While Developing Strategic Solutions to These Challenges

Documentation is Not Paper Shuffling

If it is not documented, it will not happen consistently, it cannot be measured effectively, and you can't prove it did happen.

Documentation, including references to authoritative sources, is crucial for building a solid cybersecurity capability. It provides the methodology for collecting metrics, creating reports, understanding risk, and confirming that risk controls are mitigating risk as intended.

You can start by prioritizing the documentation of critical business processes.

This involves establishing policies, setting standards, defining frameworks, programs and service level expectations, establishing recovery time objectives and recovery point objectives, inventorying critical assets, drawing workflows, diagramming data and information flows, recording stakeholder roles and responsibilities, inventorying process dependencies, and creating a list of next-level subprocesses and supporting technologies.

Sample Documentation

I Help Bring Rigor & Maturation to Build Evidence Based Cybersecurity & Risk Programs

Todd M. Hammond
CISA, CISM, CISSP, CMC, CDPSE, CFE, CEECS
