Security is much more than just firewall and antivirus — we can all agree on that, can’t we? If you don’t agree with that statement, we encourage you to read through this article. There is still some misunderstanding, or underestimation, of the level and variety of cyber-threats out there. Especially for smaller companies, the number and range of liabilities you face might surprise you. Maybe not. Either way, “you deserve to be protected,” says Intivix’s newest staff member, Mark Simmerman.
“Good security governance starts with a risk assessment,” says Simmerman. “There is this old-school thought that if you’ve got a firewall and if you’ve got antivirus on the endpoints you’re good to go. But what we’re finding is the world has gotten a lot more complicated, and small and medium-sized businesses that thought they could forego taking security measures because they were ‘too small to be noticed’ are finding that they may be the primary targets of some of these attacks and breaches.”
“Because of the limited resources in business, security always takes a backseat. And when we talk about security, I’m also including disaster recovery and business continuity in that area, because your ability to recover is a key part of the security model.”
Liabilities Even for the Managed Service Provider?
One point that has come up in conversations with Mark is that managed service providers may opt not to take on a client who refuses to acknowledge certain security risks. So, by leaving your company at continued risk of a catastrophic breach and refusing to remedy it, you are not only endangering your enterprise, but you are also reducing the chance, in some cases, that a competent managed service provider will even take you on.
The remedy for this?
In Mark’s eyes, it’s better communication — letting small and medium-sized outfits know exactly what their risks are, and what consequences there will likely be should they refuse proper remediation. And yes, this can include security pros walking away, or perhaps bolstering a service level agreement (SLA) with language that basically says, “We have assessed your security risks, and they need [such and such done to remedy them], and because you refuse to make the expenditure, we ask that you hold us harmless if we are to provide this [lower level or other] level of IT services in case of a future security breach.”
Mark Simmerman and company like to get to the heart of the security matter with the most probing, in-depth security assessments in the industry. They may uncover things during the risk-assessment process that SMB owners don’t want to see. Those owners may not want to allocate budget for expenditures in this area, but in Simmerman’s and Intivix’s view, this is foolhardy.
“The bottom line is, security is not a profit center for us. We’re trying to protect the value of the company. It’s about prevention, and helping companies reduce or mitigate disasters in some fashion,” explains Simmerman. “Equifax lost six billion dollars in value between September 7th and 15th of last year [due to a security breach]. There was no [preventative security] step they couldn’t have taken that would not have helped them save some of that value,” Simmerman notes.
Simmerman goes on to discuss many other aspects of IT security that may have a direct or indirect effect on the average business, including the new NIST requirements, the bias currently held towards a technology-based solution as opposed to written policies of security awareness, and more. He speaks of how his expertise and that of the Intivix team is helping to make better SLAs and client relations by being more comprehensive. He speaks of some of the complex nuances involved in conveying what clients need versus what clients will agree to, involving things like more comprehensive acknowledgment regarding compliance.
“Ultimately the human link is probably the most vulnerable link in the security equation. And, although we can’t expect everybody to become a security expert, there's a certain level of awareness and so about ‘what services can I deliver’ to enhance all three of those areas: people, processes, and technology,” says Simmerman.
To get the whole scoop on Mark and his thoughts on better computer network security in San Francisco, watch the entire interview with Mark Simmerman and MSP marketing pro Stuart Crawford of Ulistic LP.
CISSP Qualifications – Bettering Your Computer Network Security “Threat Defense”
The current requirements to be a CISSP include:
- A minimum of five years of direct full-time security work experience in two or more of the (ISC)² information security domains (CBK). One year may be waived for having either a four-year college degree, a master's degree in Information Security, or for possessing one of a number of other certifications. A candidate without the five years of experience may earn the Associate of (ISC)² designation by passing the required CISSP examination, valid for a maximum of six years. During those six years, a candidate will need to obtain the required experience and submit the required endorsement form for certification as a CISSP. Upon completion of the professional experience requirements, the certification will be converted to CISSP status.
- Attest to the truth of their assertions regarding professional experience and accept the CISSP Code of Ethics.
- Answer questions regarding criminal history and related background.
- Pass the multiple-choice CISSP exam with a scaled score of 700 points or greater out of 1000 possible points.
- Have their qualifications endorsed by another (ISC)² certification holder in good standing.
The CISSP credential is valid for three years; most holders renew by submitting Continuing Professional Education (CPE) credits. There is also a yearly membership fee required to maintain certification.
A Value-Added Thing
In 2005, Certification Magazine surveyed 35,167 IT professionals in 170 countries on compensation and found that CISSPs led their list of certificates ranked by salary. A 2006 Certification Magazine salary survey also ranked the CISSP credential highly and ranked CISSP concentration certifications as the top best-paid credentials in IT.
In 2008, another study concluded that IT professionals with CISSP certifications (or other major security credentials) tend to have salaries $21,000 higher than IT professionals without such certificates. However, there is no evidence of a cause-and-effect relationship between the certificate and salaries.
As of 2017, a study by CyberSecurityDegrees.com surveyed some 10,000 current and historical cybersecurity job listings that preferred candidates holding CISSP certifications. CyberSecurityDegrees.com found that these job openings offered an average salary of $17,526 more than the average cybersecurity salary.
ANSI certifies that CISSP meets the requirements of ANSI/ISO/IEC Standard 17024, a personnel certification accreditation program.
Ulistic Can Get Your MSP Company More Visibility and Better Security Personnel
Are you an MSP looking to outsource a CISSP expert as an addition to your company team? We promote managed service providers online throughout North America – contact a Ulistic agent today at 855-964-2608 or by email at email@example.com to get started with our MSP marketing services!