Requisite Cyber Security Organization

For those of you familiar with management theory, Elliott Jaques and his Requisite Organization may ring a bell.  Generally speaking, Jaques posited that an organization can excel at structure when managers understand each direct report’s growth potential measured in time span & complexity.

Simply stated, when placed in the right roll level, can someone tasked with “boiling the ocean ” break down such a large initiative so they can manage the completion of complex work effort effectively and efficiently.  Moreover, can they do so while using their ability to think into the future so as to avoid predictable barriers while exceeding expectations?

The answer, according to Jaques, is a resounding “no” for most everyone entering the work force on day one and a paltry “not likely” for most of your workforce.

So, how does Jaques and his theory relate to information security and cyber security risk management?

Well, most malicious actors (hackers) develop their exploits using automation coupled with massive compute power with malicious code and intent built at a very high stratum level allowing them to bypass most security controls easily.

The truth is, as good as the security tools and your Stratum I and Stratum II teams may be, your business may have already been compromised by a social network of hackers with Stratum III+ capabilities.  So, compromise should be considered a matter of “when.”

Great, now we know the problem.  What should we do about it?

Simple really, be prepared for when an attack happens by approaching cyber security as a holistic company risk management strategy.  This approach does three things for you:

  1. Compliance – Make sure you know your compliance exposures, analyze those exposures carefully, and build a security program and follow it.
  2. Build a Thick File of Proof – Contrary to popular belief, continuous oversight & visibility of technical AND non-technical actions works great for auditors, cyber insurance claims, legal depositions, and negotiations when you can prove that you are doing what you were supposed to be doing.
  3. Risk Sharing – Spread around the risk of a cyber compromise by makings sure the whole company is prepared to protect, detect, respond, and be accountable when attacks or compromises occur; rolling out an information security assurance program and holding 3rd parties to contractual compliance requirements are a great way to share risk!

Now, I know many of you naturally respond to risk with, “It hasn’t happened to me yet and I’m not really a target so why spend the money?”  Sadly, if you are connected to the internet and do business with companies that do have exposures, you most certainly are a target.

Furthermore, that cyber-insurance policy you purchased that you thought was “covering your assets” only works if you are meeting the subjectivities (fine print) of the policy and continuously keeping yourself self secure. Additionally, the leading insurance business master minds like Warren Buffett are certainly going to go out of their way to avoid being held accountable for a cyber insurance market that is likely to collapse.

Moreover, that cyber insurance application you filled out had a lot of questions about how you are handling your IT and my guess is that you guessed at a lot of the answers and have no proof that you are doing what you said you were doing.  Result = claim denied.  Make sure you are working with a reliable and knowledgeable broker, like Clinton Polley, who can help audit your policy with our help.

With that, I encourage you to accept the fact that more than half of all cyber security compromises originate from malicious attacks  (ref: Ponemon Institute 2017 Cost of Data Breach Study) and recognize that compromise is now a matter of when.  You can be prepared for “when” a compromise happens and SACTECH has the answer for you.

So, call us now at 916.484.1111 and ask for us to help you sort out your hot mess of cyber security risk management with our Omnistruct Cyber Security Maintenance Platform.


Eureka! New Site Blog Launch

Welcome to the launch of the new and improved SATCECH website and my first blog post. My name is George Usi and I am so excited to explore how we can improve your entire organization’s cyber security posture using cyber compliance enforcement methods, written policy maintenance, and compliance solutions designed with governance and simplicity so you can be prepared for when digital deviants succeed.

With the new cyber security framework v1.1 draft from NIST headed to formal publication, we urge you to visit the NIST Cyber Security Framework Page to learn more about this new guideline that we believe will be the future standard of US based cyber compliance.

Long gone are the days of wondering “if” a cyber attack happens and “if” a compromise will be successful. We now live in a world where those attacks have shifted to a discussion of “when” with an expectation that attacks will be continuous as artificial intelligence and attack vectors expand due to automation and machine learning advancements. We believe cyber security regulations coupled with more frequent compromise outcomes have introduced a measurable risk position and that proper governance and compliance enforcement offer the best return that will prepare your entire company and workforce for “when” a compromise happens in your business (let’s face it, there are likely a high number of security events that are neglected or assumed as “resolved” that will likely result in your next compromise; just ask the folks at Sonic and Whole Foods).

Moroever, we have been delivering cyber security services to our Clients for many years here at SACTECH and are lucky enough to have enjoy the unique privilege of being involved with traditional brick and mortar companies throughout our market here in the State of California.

Our organization focuses intently on traditional businesses and public sector organizations operating in California and we are regularly impressed by our clients’ engineers and technicians who are responsible for keeping your businesses safe in this fast moving Internet Delivered world in spite of the budget cuts and cost reduction initiatives that make their IT jobs considerably more difficult.  The goal for this blog will be to serve them and I will do this by communicating unique methods, acquisition strategies, calculators, security policies, and strategies that will help simplify their jobs and spread around the cyber security accountability risk throughout the rest of their organization so they can operate more efficiently and effectively as a security first responder without having to worry about whether they are using the right approach, standard, guideline or if their actions align with executive expectation or perception.