Best Practices for Cybersecurity Awareness Month with Stephen Boyer

Alex Campanelli | October 31, 2018

October was Cybersecurity Awareness Month, which gave companies the opportunity to thoroughly examine their security and risk programs and identify where they can strengthen security practices. At BitSight, we talk about risk management every day. We sat down with our Co-Founder & CTO, Stephen Boyer, to talk about the significance of having a risk-aware organization and proactive ways security ratings can help with risk management.

Q&A with Stephen Boyer

When we think about cybersecurity awareness, where do security ratings fit into the picture?

At BitSight, we know that responsibility for cybersecurity belongs to everyone, from our executives to our sales team. The process of proactively mitigating cyber risk within your organization isn’t something that happens in a day; it requires a culture of cyber risk awareness at your company where every employee takes responsibility for their security practices.

Security ratings help address this problem — they are objective, quantifiable assessments of your company’s cybersecurity performance based on externally observable risk factors. Ratings give an organization visibility into its security posture by examining specific risk vectors like machine compromises, patching cadence, and exposed vulnerable services. Once the measurements are made and communicated, specific investments and action plans can be put in place to make improvements.

This month focused on cybersecurity awareness. As a starting point, where can organizations begin when laying the groundwork for a successful risk management program?

Security awareness starts with creating a culture of cyber security responsibility within your company. Employees need to be able to see the results of their actions or non-actions, and there needs to be some level of visibility into the effects of security awareness training. Without some sort of understandable metric, employees may not always see the negative impact or benefits of adhering to best practices. Security ratings can help provide that visibility by showing security progress and emphasizing transparency within the company.

Moving forward, what are some best practices organizations can put into effect to make sure they are proactively mitigating risk within their business?

There are several things that companies can do to help reduce risk across their business ecosystem. I wrote about many of them here.

  1. Double down on the basics
  2. Invest in employee training
  3. Watch and secure the supply chain
  4. Work as a team

Historically, number 3, securing the supply chain and managing third-party (vendor) risk, hasn’t had the importance that it has today. Given the growing attack surface and the increasing dependence on service providers, the risk profile has changed dramatically in the past three years.

Businesses partner with and rely on hundreds or thousands of vendors for critical business functions. These partners are an extension of their business, and in many scenarios the security performance of those partners needs to be as good as their own. We are observing that attackers target larger organizations through smaller and often lower-performing vendors. Attackers have learned that going after the weakest link is often the most effective and easiest route into a company that has implemented solid security controls.

As more organizations become increasingly dependent on service providers to do business, they must account for the increased risk exposure that those relationships present. These risks are dynamic and complex and must be continuously monitored, mitigated and managed. BitSight Security Ratings help organizations gain the visibility and capability required to take action and move at the speed of business while effectively managing the risks. Get your free security rating and find the gaps in your security program.

Download our ebook for more tips on how to create a culture of cyber risk-awareness in your organization.
