CIOReview | October 2018 | Page 9

"Get the executive support, have a good partner in IT who is aligned with you, diagnose your business and fully understand it"

...and center" and to also make it clear how many more exposures needed to be addressed, lest the organization believe that our initial actions solved all of our problems.

Creating an On-going Program

As we entered year two of our program, we also adopted the NIST Cybersecurity Framework to guide our tactical efforts. It is important to note that the steps in this framework are concurrent and continuous; it is not a serial path.

In year two, we made aggressive progress on both IT Systems and Enterprise Risk Management. Some of our key actions in each domain included:

IT Systems
· Integration of Human Resource systems into network security
· Identify resources for automated server patching
· Implemented single sign-on/two-factor authentication for specific apps
· Rolled out thin clients to stores, eliminating 1,000 PCs as endpoints
· Implemented sandboxing of email attachments and URLs

Enterprise Risk Management
· Established formal IT security function
· Established formal security awareness program
· Selected outsourced SOC vendor
· Assigned CIRT team and coordinator to support incident response and recovery
· Established process for all employees to attest to cyber policies on an annual basis

Additionally, we established a cybersecurity assessment process that includes annual penetration tests, quarterly vulnerability assessments, bi-annual advanced persistent threat detection engagements, weekly anti-virus efficacy reviews, and vulnerability assessments on new server builds.

Cybersecurity Insurance

After the conclusion of our May Board of Directors meeting, I was tasked with buying our company's first ever cyber insurance. Not an easy task, especially considering that 1) I was not well versed in the world of cyber insurance and 2) we were just beginning to look at how we were going to get the cyber program initiated and started. Again, I leaned on my partners from ITS to help engage with what we needed to do. I knew that I could handle any of the insurance market dynamics; however, how would I present the technical aspects, explaining routers, servers, and anything else IT related? The answer was simple: IT would present the technical aspect and I would explain the operational functionality of our business. This ended up being quite the success story, although our first-year rates were not favorable.

It gave us a starting point: we had insurance, and now the bigger task at hand was implementing what we had told our Board and carriers we were going to do. Following the first year's implementation of more than 30 projects, we entered the insurance markets in 2017 with a solid roadmap that had been implemented, along with the additional efforts for 2018. We saw drastic reductions in our premiums after year one, as we finally had all stores on one POS system and were operating at a more sophisticated level.

Current State and Go-forward

Today, we are in a cyber risk management position that is approaching the higher end of the maturity model, but we would not, by any means, say that our journey or efforts are complete. In 2017-2018 alone we have more than 37 initiatives that we will be rolling out to the organization, including aggressive training, more robust monitoring tools and an even more adequate business continuity and disaster recovery plan.

My advice to readers of this article is simple: get the executive support, have a good partner in IT who is aligned with you, diagnose your business and fully understand it (be honest with yourself and your organization), put together a robust strategic plan, know that the road to success is a jog before a sprint, and most of all have fun with the implementation. It can sometimes be frustrating and overwhelming starting a new program, but for the benefit of the organization it is well worth the while.

Maurice Edwards