This site has some foundational cybersecurity & risk insights to address issues many businesses struggle with.
My name is Todd Hammond, and I created this webpage to share security and business resilience insights with other business leaders. Whether it is a physical threat, a financial position or a cybersecurity issue, from a business perspective it all boils down to one thing: it is a risk to the business.
Often cybersecurity is viewed as a complex technical problem that IT must solve. I could not disagree more. Navigating cybersecurity can be technologically complex, and that complexity is the IT and IT Security piece of the challenge. However, cybersecurity solutions address business risks, and business leaders must pay attention to those risks rather than leave them entirely to IT.
The cybersecurity conversation must extend beyond deep-dive technology discussions. Business leadership must require that those discussions be brought to a business-oriented level and include the board, executive leadership, business management, day-to-day contributors, risk managers and even third parties. Cybersecurity, like any other threat to the business, is a business risk that can have an incredibly high adverse impact on business success and, in some cases, survival. I help organizations understand cybersecurity from a business perspective as a critical aspect of risk management, in order to establish and maintain business resilience.
Business resilience refers to the ability to maintain the continuity of operations and fully recover after a disaster or crisis. Businesses that invest smartly in cybersecurity, physical security, and risk management as part of business operations nearly always perform better after a crisis or incident and are clearly differentiated from their competitors, giving the consumers of their products and services greater confidence and trust.
I have an extensive background in law enforcement investigations and fire & rescue services, bundled nicely with crisis and emergency management. I specialize in process and corporate governance for cybersecurity and information risk. I have developed and improved Information Security Programs and Risk Governance & Oversight Models across many industries, including highly regulated global Fortune 100 financial services firms.
I am completing an MBA in Information Assurance, have a BS in Computer Information Systems, and hold a multitude of professional certifications (CISA, CISM, CISSP, CDPSE, CCE, CFE, CEES, CMC) as well as dozens of emergency management and response certifications.
There is no reason a business should have to sacrifice velocity to have risk visibility and stay within its risk appetite.
My goal is to help businesses grow sustainably at velocity while differentiating themselves from their competitors by providing products and services their customers can trust.
Effective risk management in cybersecurity starts with good people. Lapses in employee behavior can defeat even the best technology. Such lapses often stem from a culture that prioritizes achieving compliance over addressing and managing risk. For example, many organizations treat cybersecurity awareness and training as a periodic requirement that can be met and checked off with some sort of online training session and a signature acknowledging receipt of a policy.
The alternative is to nurture a proactive, security-aware culture that is focused on preventing business disruptions, financial losses, and negative publicity by incorporating security and risk into the everyday business environment. This is achieved when leadership, from the board down, establishes the expectation that security and risk conversations are part of all areas of the business, such as strategy sessions, project management, operational procedures, and financial discussions.
Risk issues are best found and addressed as close as possible to when and where they arise.
Symptoms of a Compliance Mindset:
A security breach is attributed to an individual employee’s lapse in judgment rather than to the culture and controls around them
Immediate achievement is prioritized over the long-term adverse business ramifications
Business and technology initiatives have unforeseen control weaknesses after their completion
There is no process to anonymously raise security or ethical concerns
Employees are uncomfortable questioning or challenging someone or something that seems out of place
Security program enhancements are primarily driven by audit or regulatory findings
Risks accepted in the past are not subject to re-evaluation over time
Avoid creating a culture in which security and awareness are treated as compliance requirements or necessary evils, seen as business distractors that impede progress and profit.
Instead, engage security and risk experts to integrate security and risk into new ideas, projects, operational procedures, technology implementations and administrative functions.
Identify and assess threats and treat or knowingly accept risks as part of your everyday business process.
Promote identification and evaluation of threats & risks to the business, and encourage employees to speak up.
Addressing potential issues early in the product or service lifecycle prevents delays, re-engineering and disruptions later.
Decision-making processes should include an evaluation of threats and risks as well as the cost and complexity of mitigating them.
Understanding risks and the plans to address them helps leaders make better financial, administrative, operational, and technological decisions.
Evaluate risk treatment effectiveness from three perspectives: the front line that operates the controls, the risk governance function that oversees them, and audit that independently tests them.
Leaders with an aggregated view of risk can better ensure that risk levels remain within their appetite and that mitigation efforts are cost-effective and working as designed.
Every day, take steps to make it harder to disrupt the business and improve your ability to recover.
Though not all threats can be prevented, building security awareness and risk mitigation into everyday operations will help minimize disruptions when they occur.
Documentation, including references to authoritative sources, is crucial for building a solid cybersecurity capability. It provides the basis for a consistent methodology for collecting metrics, creating reports, understanding risk, and confirming that risk controls are mitigating risk as intended.
You can start by prioritizing the documentation of critical business processes.
This involves establishing policies, setting standards, defining frameworks, programs and service level expectations, establishing recovery time objectives (RTO) and recovery point objectives (RPO), inventorying critical assets, drawing workflows, diagramming data and information flows, recording stakeholder roles and responsibilities, inventorying process dependencies, and creating a list of next-level subprocesses and supporting technologies.
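One practical payoff of pairing an RTO inventory with a process dependency inventory is that the two can be cross-checked: a process cannot recover any faster than the slowest thing it depends on, and a dependency that was never inventoried has no recovery objective at all. The script below is an added example written for this page, not the author's own tooling; the process names, owners and hour values are constructed sample data, not real systems.

```python
"""Cross-check a critical-process inventory: RTOs versus dependency RTOs.

Added example (not from the original page). The inventory below is
constructed sample data; names, owners and hour values are illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    owner: str            # accountable stakeholder recorded in the inventory
    rto_hours: float      # recovery time objective agreed with the business
    rpo_hours: float      # recovery point objective (tolerable data loss)
    depends_on: list[str] = field(default_factory=list)  # names of other processes


# Constructed sample inventory. Two deliberate documentation gaps are planted:
# "Customer payments" promises a 4h RTO but depends on an 8h ledger, and
# "Payroll" depends on an "HR system" that nobody has inventoried.
INVENTORY = [
    Process("Customer payments", "Head of Payments", rto_hours=4, rpo_hours=1,
            depends_on=["Core ledger", "Identity provider"]),
    Process("Core ledger", "Head of Finance Systems", rto_hours=8, rpo_hours=1),
    Process("Identity provider", "IT Operations", rto_hours=2, rpo_hours=4),
    Process("Payroll", "HR Director", rto_hours=48, rpo_hours=24,
            depends_on=["HR system"]),
]


def missing_dependencies(inventory):
    """Return (process, dependency) pairs where the dependency is referenced
    but has no inventory entry, so its RTO/RPO and owner are undocumented."""
    known = {p.name for p in inventory}
    return sorted((p.name, d) for p in inventory
                  for d in p.depends_on if d not in known)


def effective_rto(inventory, name):
    """Worst-case recovery time for a process: the larger of its own RTO and
    the effective RTO of everything it depends on, transitively.
    Returns None if any dependency in the chain is undocumented, and raises
    on a dependency cycle (which itself is a documentation error)."""
    by_name = {p.name: p for p in inventory}

    def walk(n, path):
        if n in path:
            raise ValueError("dependency cycle: " + " -> ".join(path + (n,)))
        p = by_name.get(n)
        if p is None:
            return None                      # unknown dependency, unknown RTO
        worst = p.rto_hours
        for d in p.depends_on:
            sub = walk(d, path + (n,))
            if sub is None:
                return None
            worst = max(worst, sub)
        return worst

    return walk(name, ())


def rto_conflicts(inventory):
    """Return (process, stated_rto, effective_rto) for every process whose
    stated objective is unachievable because a dependency recovers slower."""
    conflicts = []
    for p in inventory:
        eff = effective_rto(inventory, p.name)
        if eff is not None and eff > p.rto_hours:
            conflicts.append((p.name, p.rto_hours, eff))
    return conflicts


if __name__ == "__main__":
    for proc, dep in missing_dependencies(INVENTORY):
        print(f"UNDOCUMENTED: {proc} depends on '{dep}', which is not inventoried")
    for proc, stated, eff in rto_conflicts(INVENTORY):
        print(f"RTO CONFLICT: {proc} states {stated}h but cannot recover in under {eff}h")
```

Running it reports that Customer payments cannot meet its 4 hour objective while the Core ledger it depends on has an 8 hour objective, and that Payroll's dependency on the HR system is undocumented. Either finding is exactly the kind of control weakness the section above says should be caught during documentation rather than discovered during an incident.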