Haight Bey & Associates provides “Cybersecurity Empowerment ℠” services to small- to medium-sized businesses, particularly US Defense contractors. This means we help organizations bootstrap a cost-effective internal cybersecurity program, as opposed to providing an expensive and less efficient externally managed security service. Our approach to “Cybersecurity Empowerment” is three-fold:
1. Continuous self-assessment: The organization will develop the ability to self-identify and self-correct cybersecurity deficiencies. The executive leadership will gain an understanding of the cybersecurity standards the organization is subject to, and implement a culture of honest assessment and realistic risk mitigation. Too often cybersecurity is a black hole that executives have no visibility into; consequently it is viewed only as a compliance exercise. Through practical explanation and reduction of paperwork overhead, we help engage executives to promote efficient discovery and corrective action.
Example empowerment concept: Why not integrate the system security policy, plan, and assessment into one document? Better yet, ditch the document and manage the information with an assessment management tool! We offer just such a tool, at a fraction of the cost of typical governance, regulatory, and compliance (GRC) tools.
2. System administrator and user training: The organization’s information system administrators will learn the tools, techniques, and procedures required to configure and operate the system in a low-risk manner. The organization will also transform its users from its greatest weakness to its greatest strength, reversing roles from adversarial prey into cyber-threat Hunters. Many resources exist to ease cybersecurity policy implementation, but it can be hard to find the signal in all the noise of fear, uncertainty, and doubt. We’ll help expose organizational staff to the concepts and technology that they’ll use to build a robust cybersecurity infrastructure from the inside out.
Example empowerment concept: Phishing exercises are fun, easy, and informative for the administrators to set up, and great teaching tools for users. You can kill two birds with one stone: administrators learn DNS threat indicators; users learn email hygiene. We can teach administrators how to execute and evaluate the exercises, using free tools.
3. Leverage free and open-source technology: The organization will adopt a risk-based approach to technology, ensuring technology selections provide a realizable return on investment. The organization will not necessarily be pigeonholed into single-vendor solutions simply for the sake of homogeneity. For every $100,000 one-size-fits-all, magic-bullet, enterprise-level security appliance, there are dozens of order-of-magnitude cheaper or free alternatives that are better suited to the small- to medium-sized organization. We understand many organizations can’t afford to operate a 24/7/365 security operations center (SOC); our watchword is “Something is better than nothing.”
Example empowerment concept: Designate an internal IT staff member as a Hunter. This Hunter spending one hour a day baselining and investigating network traffic using a free tool, such as the Security Onion suite, can spot all types of network misconfigurations and anomalies. Like, why is port 80 open to the outside world on this internal server? We can help teach your staff how to integrate a set of free tools, targeted to the specific threats faced by your organization.