Eric Noonan

Recent Posts

Leverage Compliance as an Enabler of Cyber Security

Posted by Eric Noonan on Apr 18, 2016 11:52:54 AM


The cliché “being compliant doesn’t mean you are secure” is repeated in countless articles, blogs, and interviews, but it’s rarely followed by any useful advice. There are tangible benefits to being compliant with relevant cyber security requirements like NIST 800-171, PCI-DSS, ISO, HIPAA and many others. Each one represents an opportunity to do more than just achieve compliance.

Compliance should be at the foundation of your cyber security program because it’s easy to explain and measure. The same can’t be said for malware, advanced persistent threats, digital forensics, or how the security information and event management platform works. Too often security teams are mired in explaining the highly technical operational elements of their program to a non-technical audience of executives, and rarely is the audience more enlightened at the end of the briefing. Compliance, on the other hand, can be understood by any business and executives with little explanation. Leverage that understanding to win support for the program that you are building. Here is how:


3 Things to Consider When Choosing RSA Archer for GRC

Posted by Eric Noonan on Mar 21, 2016 11:35:42 AM

Governance, Risk and Compliance (GRC) is an all-encompassing term that can cover an array of areas from business continuity through vendor management. Given the range of meaning, it’s important to understand what it means to you and your organization before selecting a platform like RSA’s Archer, which has many modules and even more use cases.

To help narrow down your selection of Archer modules and use cases as well as increase your likelihood of success in deployment and utilization, here are 3 things to consider before making your purchase:



Topics: eGRC

2 Essential Elements of an Effective Cybersecurity Program

Posted by Eric Noonan on Mar 9, 2016 12:29:57 PM

Building, maintaining, or transforming a cybersecurity program is hard work. But all situations need to begin with a plan: a plan that addresses the strengths, weaknesses, opportunities, and threats, and that will transform into the roadmap guiding you in developing a successful cybersecurity program.

To help you begin, here are the elements of a cybersecurity program that in my experience are essential to long-term, measurable success.

2 Essential Elements of an Effective Cybersecurity Program


1: Annual Standards Based Assessments

Of the many challenges security professionals face, the ability to explain what they do and how well they do it is one of the most persistent. It need not be this way. There are several notable standards or frameworks (e.g., NIST, SANS 20 Critical Security Controls, etc.) readily available for you to baseline your security program, explain your success, and create a vehicle for communicating strategically with the executives in your organization. Before you even select a standard, it is important to understand and believe in the need for conducting an assessment on an annual basis.


Topics: Security Assessment

Security Tool Procurement: 3 Keys To Success

Posted by Eric Noonan on Mar 7, 2016 12:47:21 PM

Security products, or tools, are an important part of the three-legged stool of people, processes, and technology. My experience has been that the technology portion of the equation gets most of the attention and a large share of the budget. There are many reasons for this, not the least of which is product vendors spending significant money marketing their tools as solutions to the CISO's problems.

Despite all of the money that swirls around tool procurement, success is elusive. Discarded Data Loss Prevention (DLP) investments, over-budget identity and access management projects, and underutilized Security Information and Event Management (SIEM) platforms are common outcomes when the focus is exclusively on the technology without consideration of people and processes.



Topics: Security Program Development, Security Tool Procurement

3 Reasons a Security Policy Improves Information Security

Posted by Eric Noonan on Mar 2, 2016 10:30:43 AM

Product vendors' marketing focuses on advanced persistent threats - Stuxnet, China and all of the other fear, uncertainty and doubt (FUD) - that are almost completely out of your control. So take a step back from the overwhelming advertisements that leave you feeling insecure and spend some time on something that you can actually control: your organization's information security policy. Exciting, right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.

3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security


1: Corporations Take a Policy Seriously

Corporations tend to take a policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, then the final version goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the "why" behind a reduction in administrative rights, you now have something tangible to refer to rather than trying to educate one engineer at a time.

Topics: cybersecurity, policy

Healthcare Cybersecurity Spend Rises: 4 Steps to a Wisely Spent Budget

Posted by Eric Noonan on Feb 29, 2016 3:52:38 PM

Predictably, cyber/data security continues to be a rising concern within the healthcare industry, according to Modern Healthcare's 26th annual Survey of Executive Opinions on Key Information Technology Issues. That being said, the percentage of total IT spend devoted to security is still woefully inadequate if the survey numbers are to be believed. You simply can't be secure on the spend levels highlighted in this survey.

I'm always skeptical of survey numbers because you can't qualify the data or responses and there is no right answer as to how much to spend on security. However, there are best practices and industry standards that will ensure your organization is spending the money you have wisely.

4 Steps to Ensure a Wisely Spent Cybersecurity Budget

1: Make Security a Line Item in the Budget, Separate from IT

There is no right metric for security spend, but you should at least be able to articulate what you are spending annually. With a defined security budget you can slice and dice any way you want: as a percentage of IT spend, cost per employee, as a percentage of revenue, etc.


Topics: Security Assessment, cybersecurity

Four Presidential Priorities for Cybersecurity

Posted by Eric Noonan on Feb 24, 2016 11:37:34 AM

In a recent Wall Street Journal article, President Obama announced a new "Cybersecurity National Action Plan" which would increase federal cybersecurity funding north of $19 billion. However, it is unclear if any of this spending will actually be funded, as House Budget Committee Chairman Tom Price (R-GA) and Senate Budget Committee Chairman Mike Enzi (R-WY) have already declared that both committees will not hold a hearing to review the president’s FY 2017 Budget. Politics aside, it's encouraging to see a dialogue happening at the highest levels of our government on such an important topic.

The Four Major Priorities that are Being Proposed

1: $3 Billion Fund to Kick-start an Overhaul of Federal Computer Systems

First, the President is proposing a $3 billion fund to kick-start an overhaul of federal computer systems, and going forward, agencies will be required to increase protections for their most valued information and make it easier for them to update their networks. Additionally, he's proposed creating a new federal position, Chief Information Security Officer, a position he notes that most major companies have already established. Of course, the devil is in the details as to how the money is spent, but in general the government, like most corporations, needs to invest more in cybersecurity. In our experience, the investment should prioritize people and process rather than the short-sighted rush to procure more tools supported by an already overworked staff following undocumented processes.


Topics: cybersecurity

Does Passing a PCI Audit Guarantee Effective Operational Security?

Posted by Eric Noonan on Feb 10, 2016 11:43:29 AM

You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations. According to Dark Reading, the "at-risk window" may have existed as early as July 30, 2015, with identified fraud being documented from August 13, 2015 to December 8, 2015. The malware responsible captured cardholder data while it was being transferred from the onsite processing location to the compromised system.

Post-breach, Chuck Floyd, global president of operations for Hyatt, said "...we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future." While we can't know for sure that statement implies that operational security controls were enhanced as a result of the breach, the question is, beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?


Topics: Security Assessment, PCI

Improve Healthcare IT Security: 5 Actions You Should Take Now

Posted by Eric Noonan on Feb 3, 2016 12:22:45 PM

Modern Healthcare recently reported that "Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals..." While this potential data loss doesn't come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield and others in 2015, it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.


Topics: Security, eGRC, Privileged Accounts, Security Assessment

FDA Outlines Cybersecurity Recommendations for Medical Device Manufacturers

Posted by Eric Noonan on Jan 21, 2016 12:47:42 PM

The FDA recently issued a draft guidance entitled "Postmarket Management of Cybersecurity in Medical Devices," and once again NIST is setting the standard as a recommended framework, specifically the NIST "Framework for Improving Critical Infrastructure Cybersecurity." The draft guidance issuance date is January 22, 2016. CyberSheath has expanded on what this guidance means for medical device manufacturers in a recent blog post; below you can review the FDA press release and draft guidance.


Topics: Security, Security Assessment