By Greg Schaffer, Owner and Founder, vCISO Services, LLC
Contracts. Bids. Partner lists. Client information. Blueprints. These are all examples of information likely to be considered confidential to all construction firms. Yet, many firms do not have a comprehensive information security program in place. While cybersecurity may be handled in-house, firms that entrust their confidential information to small and midsize businesses (SMBs) should understand that SMBs often have specific information security challenges.
Know the Difference Between Information Security and Cybersecurity
Cybersecurity involves securing technical assets that process and store information. Information security is broader and involves protecting information. Therefore, cybersecurity is a subset of information security.
The danger comes when firms incorrectly equate the two. They assume their information is secure because they have some solid cybersecurity controls in place, such as firewalls, endpoint detection and response (EDR), and Security Information and Event Management (SIEM) systems.
Breaches often occur, sometimes to the surprise of executive leadership, despite having these controls in place and operating effectively. That’s because there may be gaps in their information security protective processes, such as policies, governance, risk management, and business continuity.
A better way to understand this difference is to apply the three lines of defense model. The first line encompasses information technology security management as described above.
The second line is risk management, ensuring that risks to information security are identified, understood, and treated within the risk tolerance of the organization. The Chief Information Security Officer (CISO) is tasked with understanding and conveying those risks – in business, not technical terms – to the C-Suite and the Board of Directors. They then make risk-informed decisions in line with the enterprise risk management plan and strategy for the company.
The third line, audit, checks to ensure the first and second lines are operating correctly and independently. Collectively, all three lines make up information security.
It’s not enough to have an extensive cybersecurity program. It’s essential to identify and fill all information security gaps, including any challenges that may exist for small and midsize service suppliers or partners.
Third-Party Information Security Risk Management
Another unwelcome executive surprise is when a breach of a partner or supplier occurs despite having a third-party attestation as to the effectiveness of their security program, such as a SOC2 (Service Organization Control 2).
SOC2 is quite limited for two primary reasons. First, it is a snapshot in time and does not guarantee that what worked well one month will be effective the next. Second, distilled down, it measures what the company says it does, not how well the company adheres to an information security framework. Indeed, a SOC2 is not a framework. While I don’t want to give the impression that the SOC2 has little value, companies should understand its limitations. It is a starting point of third-party due diligence, not the end.
What is third-party due diligence, or more precisely third-party information security risk management (TPISRM)? It is the assurance that your partners and suppliers have, by reasonable industry standards, an effective information security risk management program. It begins with reviewing their third-party attestation (if they have one), whether it be a SOC2 or an audit against an actual framework – such as the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0).
But the wise evaluator will want to look at other aspects of the information security program, such as business continuity tabletop exercise results, penetration testing and vulnerability scans, level of liability and cyber insurance, information security policy suites, security awareness training programs, and governance meetings minutes.
Why the additional actions? Because compliance does not equal security. A holistic and well-managed information security program will meet compliance. It is your information; you do not abdicate responsibility for its protection just because you contract with another.
What To Do?
For our clients, regardless of industry, we begin by choosing and aligning to an information security framework. Remember, SOC2 is not a security framework. Usually, we will begin with NIST CSF 2.0; the Center for Internet Security Critical Security Controls version 8.1 is also a good place to begin. Companies, regardless of size, should begin with a foundation of an applicable framework.
From there, examine the elements of your information security program against the framework’s requirements. This is not a place to be tricky with word choice. If you employ Multi-Factor Authentication (MFA) on some of the systems that handle confidential information but not all of them, do not give yourself a pass on the MFA requirement. Playing word games here will end up with a false sense of security, pun intended.
Once you’ve found gaps (and you will likely find many), risk-rate those gaps. Which are the most critical for securing information? Create a plan that addresses those first. Do not put in place an artificial goal date for completion; you want to be sure this is done right, not fast.
While going through this process, you will likely realize that aspects of your information security program are inadequate. That could mean insufficient TPISRM, little or no vulnerability scanning or patching, an untested or even unwritten business continuity plan, and so on. Start creating these as you assess, recognizing that it’s best not to strive for absolute perfection and complete detail. A basic business continuity plan is better than none, and you can enhance it during each year’s review and testing.
Finally, if you do not have the experience in-house to lead such a program, consider hiring a full-time CISO or at least a part-time consultant. In either case, make sure they have the deep and necessary information security risk management experience to guide your program’s development and growth. This is not a place you want to go cheap on; your information literally depends on it.
Greg Schaffer has been in the information technology industry for more than three decades. He is owner and founder of vCISO Services, LLC, an information security consulting business, and author of “Information Security for Small and Midsized Businesses,” available on Amazon.