Truvantis Blog

Cybersecurity Maturity - One Size Does Not Fit All – Rick Folkerts

Written by Truvantis | Mar 7, 2024 4:47:33 AM

It's common knowledge that enterprise organizations need effective security, privacy and compliance programs to survive and grow. There are a handful of generic best practices, but beyond that, a cybersecurity program must be tailored to the individual organization.

In this article, Rick discusses why your cybersecurity program is unique, his use of CIS Controls Version 8 and his general approach to new clients.  

Your security program should be defined by your industry vertical, your business mission and the critical assets that make your organization unique. 

A healthcare organization, for example, has a completely different mission and priorities than a financial organization, which in turn differs from a sports team, and so on. They operate in different fields, and the data that matters to each of them is different.

Take a sports team. We begin by asking exactly what they need to do. Are we building out their full security program, or just making sure they are compliant with PCI DSS v4.0 for selling jerseys and tickets? If it is jerseys and tickets, we ask how they handle credit card information. Are they taking payments through their own website, or through a third-party site? The answers change the project scope: card data that never touches the team's own systems keeps those systems out of the cardholder data environment, and that is the boundary the assessment is drawn around.

With a healthcare organization, you are dealing with patient information, and scale matters. Maybe you have 2 clinics. Maybe you have 27 clinics. Maybe you are a huge HMO, or a small clinic within that HMO. The scope depends on what you are trying to bring into the program.

For healthcare, the usual targets are HIPAA compliance and HITRUST certification. So we typically start with a HITRUST gap assessment or a HIPAA risk assessment, depending on the size and scope of what you need. A HIPAA risk analysis is itself a Security Rule requirement, so that starting point is never wasted work.

For a financial organization, the critical assets are customer data, financial data, and anything that is not released publicly. A global financial organization has to worry about the privacy regulations that follow its customer data, such as GDPR, and about Sarbanes-Oxley controls over its financial reporting.

Startups and CIS Controls Version 8 

If you are a startup, what is important is your customer information, your financial information, and the things that make your business unique. Cybersecurity may not be the first priority of most startups. But sooner or later, the ability to demonstrate sufficient security, privacy and compliance in your products, services and operations becomes a business necessity.

Security experts generally recommend planning for cybersecurity at the concept phase, but that is not always the practice. Typically, a startup is worried about keeping the lights on while getting its products and services off the ground, and does not think about security beyond, perhaps, the very basics.

For startups looking to move forward with their cybersecurity program, we often use the CIS Controls. 

CIS Controls v8 defines 3 Implementation Groups, IG1, IG2 and IG3, representing 3 levels of security maturity. Each group is a superset of the one before it: IG1 is a defined set of 56 safeguards, IG2 adds to it, and IG3 covers all 153 safeguards in the framework.

For a younger company, that first implementation group, IG1, which CIS calls essential cyber hygiene, gives you the foundational safeguards every organization should have, tailored to your company, and starts you off on your security maturity journey.

Using the CIS Controls framework also provides a good foundation for the certifications and regulatory requirements you may need later, including ISO 27001, SOC 2, NIST CSF, PCI DSS, HITRUST, HIPAA and GDPR. CIS publishes mappings between the v8 safeguards and several of these frameworks, so work done under IG1 carries forward rather than being repeated.

A clear benefit of this approach is that it is scalable. You can start with the basics and then build upon that foundation as the business grows, as legal and regulatory requirements change, and as the threat landscape evolves.

Cyber-regulations by Industry

Industry          Regulation / framework
Healthcare        HIPAA/HITRUST
Finance           FFIEC, GLB
Insurance         NAIC
Publicly Traded   SOX 404B
IT Services       SOC 2 Type 2
Retail            PCI DSS v4.0
Defense           CMMC
International     ISO 27001, GDPR

Rick’s Approach to New Clients 

When I start with a new client, I usually go intentionally somewhat blind. I don't want to have too many preconceived notions about their business. I go in and start to pull on threads to find out their critical mission, specific weaknesses and vulnerabilities, and what they would like to accomplish with their security program. For example, I'll ask questions like: what's your overall output? Are you just managing clients? Are you managing their finances? Are you managing their healthcare? How are you doing that? Is it mental health? Is it physical health? Is it prescriptions? You run into all kinds of weird stuff, and it's a lot of fun.

Use Clear Business Language 

I don't get caught up in industry buzzwords. There are way too many, and they are often meaningless when talking about real business issues with our clients. I try to stay focused on the mission at hand and use straight talk and clear business language. Cyber is often run by technical people who at times struggle to speak with their finance executives about their investment needs. Part of what we do at Truvantis is help translate techie-speak into business terms understood by the managers and finance executives.

“You avoid using jargon and avoid specific technical terms. You just say this is what should be happening, this is what's not happening, in plain English.” - Rick Folkerts

 

Rick Folkerts

CISSP, CRISC, CDPSE, PCI QSA 

Rick Folkerts is a Principal Security Analyst, specializing in Governance, Risk and Compliance including Data Privacy.  

He has implemented security, risk management, and privacy systems; developed information security, PCI DSS, and privacy training; and authored and implemented policies and procedures across the whole spectrum of information security.

 

About Truvantis 

Truvantis is a security, privacy and compliance consulting firm providing best-in-class services to secure your organization's infrastructure, data, operations and products. 

We specialize in helping our clients improve their business resilience and manage their risk by implementing, testing, auditing and operating information security programs. 

Our world-class services include security testing and a wide range of flexible compliance and vCISO programs. Truvantis is also an authorized PCI DSS Qualified Security Assessor (QSA) Company.