Pratum Blog

Risk-based cybersecurity decision making.

At Pratum, we talk at great length about solving information security challenges based on risk, not fear. After all, that is our mission. But what do we mean when we say that, and why should you focus on risk?

When people hear about cyber threats or learn of the most recent data breaches, the first thing they often feel is fear: fear that their personal information may have been compromised, fear that their business may fall victim to a similar attack, or fear that they have no idea what to do about cyber risk.

Fear is a powerful emotion that can distract from real issues and threats. This can lead to poor decision making and wasted resources. Cyber threats are a serious concern, but we shouldn’t allow fear alone to drive our cybersecurity decisions. Sometimes fear is a useful wake-up call that drives action, but when you act, make sure to check your fear at the door and move forward with a risk-based approach.

Managing Cybersecurity Risk

Organizations should use their knowledge of risk to drive decisions. To properly manage cybersecurity risk, we must understand the likelihood that a security incident (e.g., ransomware, a phishing attack, data loss) will occur and the potential resulting impact. Armed with this information, organizations can determine their inherent risk, prioritize security activities, and make informed decisions about cybersecurity expenditures.

Removing fear from the equation encourages objective, risk-based decision making. This kind of decision making helps guide in developing the right cybersecurity program for your business. It also establishes the foundation for a sustainable security culture for employees and executives.

This may sound like common sense, but fear can disrupt the entire risk-based process. It’s easy to talk about maintaining an objective view, but the only way to stay true to the risk-based approach is by creating a plan before the disaster hits. Don’t wait until you have experienced an incident to focus on risk… at that point it’s no longer a risk, it’s a hazard.

Asking the Right Questions to Properly Manage Risk

According to NIST SP 800-53, there are several key questions that should be answered by organizations when addressing their security and privacy concerns:

  • What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk?
  • Have the security and privacy controls been implemented or is there an implementation plan in place?
  • What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?

The answers to these questions are not given in isolation, but rather in the context of an effective risk management process for the organization that identifies, assesses, responds to, and monitors, on an ongoing basis, the security and privacy risks arising from its information and systems.

Risk-based decisions are informed decisions. Fear-based decisions are guesswork. Business leaders owe it to all stakeholders (employees, customers, and shareholders) to make educated, thoughtful decisions that give the company its best chance for success. Don't let fear get in the way of progress.

If you need assistance with answering these questions or help with your IT risk management process, please contact Pratum. Our team will help you make decisions based on risk, not fear.

Cybersecurity firm Pratum opens new office in Cedar Rapids, Iowa.

CEDAR RAPIDS, IA - Earlier this month, cybersecurity firm Pratum opened an office in Cedar Rapids to meet the growing demand for its services in Eastern Iowa. Pratum president and CEO Dave Nelson made the decision to expand due in part to the growing threat of cybercrime and the likelihood of new and updated state regulations. “The Iowa legislature is working to update existing legislation to address cybersecurity challenges. Additionally, throughout the nation, business groups such as the National Association of Insurance Commissioners are calling for state regulations to prevent cybercrime,” says Nelson.

The new Cedar Rapids office, located at 305 2nd Ave SE, is the company’s second in Iowa and fourth in the U.S. For the past decade, Pratum has served businesses throughout the state and across the country, but Nelson feels that we as a nation are just now beginning to understand the severity of cyber threats. Nelson emphasizes, “As awareness builds, companies will act to mitigate the cybersecurity risks facing their businesses. Our new office helps position us for an efficient response to the increased demand for our services.”

In 2017 Pratum grew its employee count to fifteen, up 50% from 2016. The company plans to increase that number to more than twenty by the end of 2018. Pratum’s new headquarters in Ankeny, IA is under construction and is planned to open in late summer. Most employees will call headquarters home, but as is the case in Cedar Rapids, both the Dallas and Kansas City offices will also increase employee headcount.

Pratum is a cybersecurity consulting and managed security services firm that helps clients solve information security challenges based on risk, not fear. Our goal is to enable every client to securely use technology to meet business objectives.

Please contact us if you have any questions about Pratum.

Virtual CISO is an outsourced senior-level security executive.

A virtual chief information security officer (vCISO) is an outsourced senior-level security executive who is responsible for the strategic development and implementation of information security programs. vCISO services include a supporting team of information security professionals who help implement the vCISO’s cybersecurity vision.

The vCISO team is responsible for structuring policies and procedures to align with company culture, risk tolerance, and compliance requirements. A tailored approach is integral in the creation of an effective security program. Most vCISO engagements begin with an IT risk assessment, which identifies areas of needed improvement and helps set priorities for the security program. Once deficiencies are identified, a plan is generated to begin addressing security gaps.

Why does the Virtual CISO (vCISO) service exist?

The demand for vCISO services has grown rapidly over the past few years. As information security threats increase and businesses remain the primary target, the demand for security professionals will continue to rise. The gap between the demand for security professionals and the supply of them is widening. This drives a competitive market for security professionals and places a major burden on companies seeking to staff for their cybersecurity needs.

This is where a vCISO offers its value. Virtual CISO services give organizations that would otherwise not be able to hire a qualified security candidate the ability to work with an experienced CISO and security team without increasing their headcount. Many organizations don't need a full-time CISO; they need an independent security professional to lead their organization by assessing cybersecurity issues, building a cybersecurity program, and ensuring the achievement of proper security milestones.

5 Reasons to Consider a Virtual CISO (vCISO)

  1. Expertise Across Industries:
    vCISOs work with various clients in unique industries, exposing them to opportunities not available to CISOs working in isolated verticals. The security knowledge gained by a vCISO from each unique client environment ensures continual growth and improved expertise for the security leader, which positively impacts each client the vCISO leads.
  2. Flexibility in Unique Business Environments:
    Virtual CISOs are prepared to begin working immediately with little on-boarding time and can adapt to almost any setting. By their very nature, vCISOs can enter a new environment and quickly adjust as business and security demands require. vCISOs first gain a thorough understanding of each organization’s business model, company culture, risk tolerance, and objectives. From there, they gain an understanding of the security risks faced by the organization. With a full view of the security landscape, the vCISO communicates the findings to help clients make the appropriate security decisions for their environment.
  3. Efficiency with Core Competencies:
    A virtual CISO fills in the security gaps where organizations need it most. By focusing on cybersecurity strategy and implementation, vCISOs relieve internal teams of the daunting responsibility. This enables both internal staff and cybersecurity professionals to remain dedicated to their respective core competencies.
  4. Objective Independence:
    vCISOs are not swayed by internal politics or personal career goals. vCISOs are an independent third party with an objective viewpoint and goals of helping clients make the best security decisions for their business.
  5. Economical:
    Pratum’s vCISO programs generally cost a fraction of a full-time CISO and supporting security team. According to SilverBull's May 2016 report, the median salary for a CISO is $223,000 per year. That base salary doesn't even include the expenses incurred with additional employee headcount. On average, Pratum's vCISO clients pay a fraction of what it would cost to hire an in-house CISO. vCISO clients also gain access to the expertise of an entire team, which eliminates the inherent skills gap of a single employee.

What types of businesses are using vCISOs?

There are organizations of all sizes in various industries that are benefiting from vCISO services. For example, at Pratum we work with businesses in healthcare, manufacturing, technology, analytics, printing, marketing, insurance, retail, and finance. Regardless of the industry, technology plays a major role in operating a business, and with technology comes security risk.

Each business is unique, and every organization handles risk differently. However, the approach is the same with every organization. First, a vCISO helps an organization understand its risk, and second, the vCISO helps organizations make the appropriate security decisions to align with business objectives.

To learn more, see Pratum’s Virtual CISO service page.
