1. Home
  2. News & Resources
  3. Part 1: Cybersecurity Threats - Do you know if your data is safe?
4THBIN News:CyberSec Michael Marrano

Part 1: Cybersecurity Threats - Do you know if your data is safe?

Cybersecurity Q&A Series with Michael Marrano

published
January 28, 2021
News

Welcome to the first installment of a three-part series on Cybersecurity.  Protecting your sensitive data from theft or unintentional leaks continues to be a top risk to companies and governments alike. But where should you start, and what steps should you take to ensure your data is safe?

To explore this topic further, we sat down with Michael Marrano, the founder of Riskigy, a Certified Information Systems Security Professional (CISSP) and a member of 4THBIN’s advisory board, to talk about the importance of conducting a cybersecurity audit. 

Q:  What is a cybersecurity audit?

A:  A cybersecurity audit, also known as a cybersecurity risk assessment, is the process of identifying the threats facing an organization and conducting steps to bring risks to within a level determined to be acceptable to the organization's leadership's risk appetite. Risk Assessments are not about eradicating all risk completely (which is not possible) but identifying and managing it in a proactive, reasonable, and knowledgeable way. Risk management is a never-ending process. Managing risk is an ongoing exercise and must be continuously performed as the organization and threats evolve and change over time. A Risk Registry or Risk Tracking Matrix is utilized to track known risks and the efforts to resolve, mitigate and accept the risks.

Q:  How often should you do a Cybersecurity Risk Assessment/Audit?

Organizations must perform risk assessments to comply with regulatory requirements and demands from clients. Financial regulators such as the SEC, FINRA and NYDFS, require member firms to perform an annual cybersecurity risk assessment. Services organizations aiming to demonstrate a mature security posture to clients and prospects will perform the SOC-2 Audit annually. To comply with SOC-2 requirements, an annual risk assessment, vulnerability scans, and other security testing are necessary.

Q:  Who is responsible and should be involved in these risk assessments/audits?

A:  Cybersecurity is critical to any company, and support must start with the executive team and awareness of its importance by everyone inside the organization in order to combat the scams, hacks, and cyberattacks that have become commonplace in today’s headlines.  Therefore, it is crucial to expand risk assessments beyond Technology and Cybersecurity teams. A holistic assessment of the organization is necessary to identify security gaps and weaknesses throughout the organization.  Including Human Resources, Finance, Accounting, Facilities Management, and Marketing in the risk assessment is a must. During the COVID-19, digital transformation, and move to cloud services, many teams have adopted platforms and services that IT and Cybersecurity teams have not vetted for security.

Q:  What tools are available to companies to help navigate this assessment?

A:  These assessments are so critical the United States Cybersecurity & Infrastructure Security Agency (CISA) provides no-cost evaluation tools so organizations can perform self-assessments.  The National Institute of Standards and Technology (NIST) has also developed a Cybersecurity Framework to provide best practice for organizations.  And the FTC produced a more user friendly cybersecurity risk assessment resource which follows the NIST Framework.

For organizations without resources and knowledgeable staff capable of accomplishing a cybersecurity self-assessment, there are other options available that utilize technology and third-party consultants to assist with the audit.

Q:  There are lots of risk management platforms and web-based software services being offered, what should we know about these solutions?

A:  Yes, the market is inundated with technology that promises to simplify the complex, time-consuming, and resource-intensive audit process.  Claims of automating a lengthy audit such as the AICPA’s SOC2- SOC for Service Organizations and collecting evidence faster than you can read this is good for a quick laugh while attempting to figure out the difference between Governance, Risk and Compliance (GRC) and Integrated Risk Management (IRM), the many types of audits as well as the alphabet soup of cybersecurity framework acronyms.   The key to successfully accomplish any audit is having skilled people to do the job.

Q:  What other trends are you seeing in this area?

A:  Instead of engaging a third-party consultancy focused on cybersecurity auditing and testing, some organizations are starting to take advantage of a more cost-effective solution by utilizing a cybersecurity subject matter expert (SME), often called a Virtual Chief Information Officer (vCISO), to lead the audit program. A vCISO often reports to the executive management board, quickly fills the gap in resources and internal skill sets. They assist with pre-audit readiness as well as the audit, support ongoing maintenance, and compliance between audits.

Q:  What have been some surprises or lessons learned that you have seen when conducting these audits?

After 20+ years in the industry, I wish I could say I have seen it all, but even veterans like myself still get surprised. Surprisingly and unfortunately, cybersecurity is still an area that is allocated limited resources until the worst happens. For some organizations it takes an event such as a cyberattack or data breach before cybersecurity receives the necessary resources. As you can imagine, a data breach is a very expensive learning experience that could be avoided by proactively focusing on cybersecurity.

Q: And what about the data on old electronics or devices?

A:  Often cybersecurity focuses on the high-tech networks, clouds, and internet security controls, leaving physical technology assets such as hard drives, laptops, mobile phones as a lower priority, especially at the end of lifecycle.  Data breaches can happen when companies are retiring old electronics or devices.  Secure handling of the data on your end-of-life electronics is just as critical as your online data.  It requires the same level of discipline and safeguarding. You need to ensure you are working with a certified e-recycler who complies with the highest standards for data erasure, NIST 800-88 data compliance, provides proof of data destruction with a certificate of data erasure or destruction, and is audited annually by third parties like e-Stewards and NAID.

Stay tuned for part two of “Cyber Security Threats” where we talk to Michael about the challenges of remote working

-------

About Michael Marrano:

Michael Marrano is the founder of Riskigy and a cybersecurity professional focused on providing Virtual CISO and Cybersecurity services for clients. With his boutique cybersecurity consulting and advisory firm, he provides high-quality services to organizations of all sizes. Michael has been honing his skills as a real-world technology and information security practitioner over the last three decades. Michael is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA) with extensive experience in consulting, audit and business leadership roles. Michael is the author of “The Human Firewall Builder – Weakest Link to Human Firewall in Seven Days”, a Cyber and Homeland Security master’s scholar at Fairleigh Dickinson University (NJ) and previously held roles such as Senior Principal Cybersecurity Consultant, Managing Director, a former Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).Connect with Michael today on LinkedIn.

More News

4THBIN 4GOOD - Up Transport
News

4THBIN 4GOOD - 4THBIN Partners with Up Transport to Redefine Logistics and Community Betterment

In a significant stride towards environmental sustainability and community betterment, 4THBIN is proud to announce our partnership with Up Transport! Up Transport is a Fine Art shipping and crating company that has been providing services to galleries, artists, and museums since 2012. This collaboration not only underscores our shared commitment to excellence and sustainability but also opens doors to innovative solutions that redefine industry standards.

Read More
4THBIN 4GOOD with MOMI - Auriea Harvey
News

4THBIN 4GOOD - Auriea Harvey: My Veins Are the Wires, My Body Is Your Keyboard at The Museum of the Moving Image

We are excited to announce our sponsorship with the Museum of the Moving Image (MoMI) for the exhibition of "My Veins Are the Wires, My Body Is Your Keyboard," a survey of the pioneering net-artist and sculptor Auriea Harvey! The exhibition will be on display from February 2, 2024 - July 7, 2024 and will feature more than 40 of Harvey’s works, including her groundbreaking net-based interactives, video games, and augmented-reality sculptures from a career spanning nearly four decades.

Read More
4THBIN - Data Privacy Week 2024
News

4THBIN’s Role in the e-Stewards Performance Verification Program during Data Privacy Week

As we observe Data Privacy Week, 4THBIN takes center stage in championing environmental responsibility while prioritizing data privacy. Our active participation in the e-Stewards Performance Verification (PV) Program not only underscores our commitment to the highest standards of environmental health and safety but aligns seamlessly with the principles highlighted during Data Privacy Week.

Read More
4THBIN and Ecotech Management Unite to Redefine Sustainable Solutions
Media Alert

4THBIN and Ecotech Management Unite to Redefine Sustainable Solutions

We are excited to announce the merger of New York City’s first e-Stewards Company (The 4THBIN, Inc.) with Long Island’s first e-Stewards company (Ecotech Management, Inc.).

Read More
4THBIN 2024 Navigating E-Waste Recycling and Data Destruction
News

Navigating E-Waste Recycling and Data Destruction with 4THBIN in 2024

In the rapidly advancing world of technology, the demand for responsible e-waste recycling and secure data destruction has never been more urgent. As we step into 2024, the need for secure and sustainable e-waste recycling has become not just a choice but a necessity. As a leading e-waste services provider, 4THBIN is here to provide innovative solutions for a more ecological and secure digital era in 2024 and beyond. 

Read More

Event

4THBIN's sponsorship of Climate: Make That Change at St. John's University
December 2, 2023
Event

Climate: Make That Change at St. John's University

We are excited to announce our sponsorship with St. Johns University for Climate: Make That Change, an event dedicated to understanding climate change issues and the impact they have on the community in Jamaica, Queens.

Learn More
4THBIN-BGA-Event E-Waste Recycling Fall 2023
November 15, 2023
Drop-off Event

4THBIN and Broadway Green Alliance Team Up for a Fall 2023 E-Waste Drive

We are excited to announce our collaboration with environmental innovators, Broadway Green Alliance (BGA), for a Fall E-Waste Drive. We aim to provide members of the Broadway community and beyond with the opportunity to securely and sustainably recycle their old electronics. 

Learn More
4THBIN -PS 29 Rummage Sale Fall 2023-Neighborhood Recycling Event
October 22, 2023
Drop-off Event

PS 29 Rummage Sale Fall 2023 - Neighborhood Recycling Event

We are excited to announce our collaboration with PS 29 again this fall for an Electronic Recycling Event. We aim to provide members of the PS 29 community and beyond with the opportunity to securely and sustainably recycle their old electronics. 

Learn More