Fractional Chief Information Security Officer (Ciso)
CurrentThe CFO of a well-established company, with about 400 employees, had just lost $65,000 and the full confidence of an important customer to an email scam. This CFO was shocked. And furiously angry at the attacker.He needed to make sure they weren’t sitting ducks for another cyber-attack, whether it was another business email compromise or ransomware. Or something else.This CFO reach out to his company’s attorney, who referred him to me.After listening to his story, I asked a few more questions and then said: “It sounds like you want to manage cyber as a business risk. Is that right?”He didn’t immediately know what I meant.Simply put, it means that treating cyber as a business risk will be more effective than relying mostly or completely on technological fixes. Treating it as a business risk will let them bring more of their existing resources into the fight: Their people, processes, technology, and management. These four resources are like the engine in a powerful car helping them get up the steep “cyber risk hill”.He agreed, so we created a Cyber Risk Management Action Plan (CR-MAP) that prioritized their limited resources so they could reasonably manage their unlimited cyber risks. Here's how we did it:We first determined their top cyber risks. Then we created their prioritized mitigation plan and implementation road map.For one of the mitigations, we worked with their Human Resources department to add role-appropriate cybersecurity behaviors to everyone’s job descriptions. For another mitigation, we re-wrote their money transfer SOP so large funds transfers that are requested by email or text message need to get verification from another authorized signer prior to processing it.Once we had the mitigations prioritized, we created an implementation roadmap along with several plans and templates from our deployment kit. Then we handed over everything in an Excel workbook with built-in project management tools.Contact me to learn more...