Talking to a prospective client about their use of InfoSec tools, I asked the CIO how they felt their internal cyber-security resources were doing. The response was as follows:
“I’m sure they’re doing a great job. We haven’t had a major cyber incident since I have been here.”
I went on to ask “but how do you know they are doing a good job?” and the answer came back candidly “Well, I don’t. I have to trust them because we have so much going on at the moment. I don’t have the time to keep tabs on what they are doing. We have a VDI implementation, a WAN upgrade and a new Risk Management platform going in this quarter and that’s where the majority of my time is focussed.”
Can a CIO be too busy for CyberSecurity?
This CIO is not alone: many of Fox Red Risk’s clients are facing major transformations. Whether it is a data warehouse migration, playing catch-up on GDPR, setting up a new cloud environment, or preparing for new Banking permissions, the CIO has a lot on their plate, which means security may not always be at the forefront of their mind. That said, the CIO is still likely to be the most senior person accountable for the security of their organisation’s infrastructure (a CISO would provide assurance that they are doing what they are supposed to be doing). Simply not having the time is not going to cut it in the aftermath of a major incident.
We don’t have to go back too far to see the impact of a major breach on the tenure of a CIO. We only need to look back to the 2013 Target breach. Both the CIO and the CEO resigned in quick succession. The breach also led to the first CISO position being established at Target, albeit a good three months later than the other hires. The delay in hiring is not surprising, though, given the challenges in cybersecurity recruitment Fox Red Risk sees at both the junior and senior level. That said, perhaps if the incumbent Target CEO had hired a CISO, or engaged a vCISO service as a counter-balance to the CIO, both might have kept their jobs a little longer – naturally I have a view!
So how can Fox Red Risk Twitter Infosec Tools help the busy CIO?
Many Fox Red Risk clients, as part of their vCISO service, have commissioned a Cybersecurity Strategy tailored to their business needs. Some have also implemented a supporting Security Playbook to give their Security Operations’ teams direction as to their Business As Usual (BAU) activities. The Fox Red Risk Twitter and LinkedIn tools are a free extension of the Fox Red vCISO Service offering.
Fox Red Risk Twitter infosec tools can easily be integrated into IT Management Dashboards or Sidebars which a CIO (or any IT Manager) can have constantly running. The messages are bitesize (no more than 280 characters) and so even at the busiest times can be quickly scanned. A CIO, COO or CRO can easily copy a Tweet into an email and fire it off to the InfoSec team prompting a progress update, or use the tweets from a fixed period to form the agenda for the next Ops Committee or Risk Management Committee. Internal Audit could also use the Tweets as the basis for thematic reviews. These are some of the many use-cases the Fox Red Risk Twitter Tools can support.
Because the infosec tools are hashtag based they can also be incorporated into your LinkedIn feed simply by adding the hashtags using the widget on the left-hand side of your main feed. The LinkedIn feeds are a little more verbose but that’s not necessarily a bad thing in certain cases!
So what are the Fox Red Risk InfoSec Tools…and how can I use them?
The Fox Red Risk InfoSec tools are free to use. You do not need to have a vCISO or Data Protection as a Service (DPaaS) engagement with Fox Red Risk. Heck, you don’t even need to have engaged with us at all. All you need to do is go to the Fox Red Risk Twitter Feed and follow @FoxRedRisk. Alternatively, follow the hashtags below on LinkedIn. If you don’t want to follow all the feeds, simply pick the hashtag of the feed(s) you like and follow them individually. Currently, there are five feeds but more will be coming out in due course. The five that are live are:
This Fox Red Risk Twitter tool is an extension of Fox Red Risk’s Client Security Playbook offering. It provides periodic reminders of tasks within the security playbook on a rolling basis. As each client is different, quarterly, bi-annual and annual tasks will be repeated on a more frequent basis. If you’re reading this and want to commission a Security Playbook for your organisation then get in contact.
This Fox Red Risk Twitter tool is a content hashtag whereby relevant information security content is posted seven days a week. In addition to content from Fox Red Risk itself, content from reputable sources is curated so you don’t have to trawl across the Internet for useful information security news and views. The #FoxRedVCISO Twitter Tool will also include content to support threat intelligence and horizon scanning activities.
This Fox Red Risk Twitter tool is a content hashtag whereby relevant Data Protection and Privacy content is posted seven days a week. In addition to content from Fox Red Risk itself, content from reputable sources is curated so you don’t have to trawl across the Internet for useful GDPR-esque news and views. The #FoxRedDPaaS Twitter Tool will also include content to support the Data Protection Officer in performing their oversight role.
This Fox Red Risk Twitter tool is a content hashtag whereby relevant Resilience, Business Continuity and IT Service Continuity (or ITDR if you’re old school) content is posted seven days a week. In addition to content from Fox Red Risk itself, content from reputable sources is curated so you don’t have to trawl across the Internet for your disaster news fix. The #FoxRedResilience Twitter Tool will also include content to support the Business Continuity Manager in maintaining their organisation’s resilience.
This Fox Red Risk Twitter tool is a content hashtag whereby relevant Enterprise Risk Management and Operational Risk Management content is posted seven days a week. In addition to content from Fox Red Risk itself, content from reputable sources is curated so you don’t have to trawl across the Internet for your risk management news fix. This Twitter Tool will also include content to support the Risk Manager in managing their organisation’s risks.
Free Infosec Tools: What’s the catch?
There just isn’t a catch. The tools are free to use and Fox Red Risk is not going to perform user analytics on anyone who uses the tools (we genuinely respect your privacy!). Fox Red Risk is an ethical company, a force for good. We want to be helpful to our clients and we want to support the wider community. These tools are part of demonstrating that ethos. We are even open to suggestions on improving these social media tools so if you have any ideas or positive contributions to make, please do get in touch!
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy which, in addition to offering training, consultancy and advisory services, provides vCISO and Data Protection as a Service. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide”, which is available on Amazon in both 8×10 paperback and Kindle eBook formats.
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cybersecurity consultancy which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.