It really is about who you know

We all know that entering into a relationship entails a certain amount of trust. This is not only true in personal relationships but also in business. Today, businesses are linked in more ways than ever before as businesses focus on doing what they do best and develop relationships to outsource the rest.


It’s good to get to know a cyber security professional.

The cyber security field changes rapidly due to the constantly changing threats. To keep up with these changes, every business requires a professional who remains current, keeps up with the threats and provides solutions or strategies to reduce the likelihood of a successful attack. This skillset does not come cheap. The cost of hiring an employee for this role is typically something that only medium-size and larger organizations can afford. Not only do you have to hire a cyber security professional (which is difficult to do due to high demand), but the cost of the software (vulnerability scanners), hardware (network security monitors), and necessary training (e.g. $5000+ for a typical cyber security course, and another $600 for the certification) is high. This goes above and beyond what most consider cyber security: anti-virus and anti-malware.

So… why shouldn’t businesses just use their IT service provider for their cyber security requirements? Although IT professionals know the systems and software, they know them from the point of view of doing what is necessary to make them work. Cyber security professionals require an understanding above and beyond that of an information technology professional/provider. A cyber security professional looks for areas where a business can improve its cyber security to allow it to get to a state of – to borrow a phrase coined by the cyber security evangelist Michael Santarcangelo – minimum viable cyber security and beyond.

Minimum viable cyber security is the point at which a business, organization, or municipality can provide a basic defense that will allow for detection and some prevention against internal and external threats to information. For any given organization, this minimum viable level must be able to support an effective incident response in the event a breach does occur.

At the same time, it is a good idea for your cyber security professional not to also be your IT provider. This separation of responsibilities is key to good information security. Outsourcing cyber security is an economical approach that businesses of all sizes, in particular the smaller ones, can take advantage of. Earlier I mentioned minimum viable cyber security. Most small organizations do not require a constant cyber security presence, so a reduced presence on premises may be all that is required. Additionally, a good consultant will be able to take advantage of licensing agreements necessary to spread the cost across multiple clients while providing nearly the same level of service available to the larger organizations.

A cyber security professional should develop a relationship with you and your business, not only as a matter of trust, but to really get to know your business. A one-size-fits-all cyber security solution may not be right for your business. Each organization has its own identity, culture, and so on that have to be taken into account. The best solution is the one that is customized to how you do business, not just the fact that you are a business.

During National Cyber Security Awareness Month, get to know a local cyber security professional consultant. Look for one that is certified by the cyber security industry. These experts subscribe to a set of honorable ethics and have worked hard to learn the areas that are outside of information technology management. Often you will see certifications listed after their name (e.g. CISSP, CEH, etc.). For example:

  • CISSP – Certified Information Systems Security Professional – A person with this cert is considered knowledgeable and experienced across all areas of cyber security.
  • CEH – Certified Ethical Hacker – Yes, there is such a thing as an ethical hacker. This person subscribes to a set of ethics that guide how they perform penetration tests. They know how hackers think.
  • CSX-P – Cyber Security Nexus-Practitioner – This individual has demonstrated the experience necessary to implement cyber security tools and software as well as provide incident response.
  • CCFE – Certified Computer Forensic Examiner – This individual has demonstrated the knowledge and skills to perform forensics on computer systems.

When you think about it, it is good to get to know a cyber security professional. And it is even better if that professional gets to know you and your business. They can provide you with a sense of security and comfort when you call and ask “is my business vulnerable?”

About the author

Chris Wolski is the owner of 360° Cyber Security (www.360cybersec.com), a cyber security consulting firm, based out of Smyrna, Delaware. 360° Cyber Security provides small businesses, non-profit organizations, and municipalities across the central Atlantic region with a single point of contact for cyber security issues by providing cyber security training, risk and vulnerability assessments, systems and software analysis, digital forensics, penetration testing, policy development, and intrusion detection monitoring.