How to hire a CISO – for HR and IT executives

Hiring a CISO is like hiring the top general for an army just before a war. Some generals stay in history as the greatest military leaders of all time, leading their armies from victory to victory and putting any attacker to shame. Others cause loss after loss. In this article, we will expand on the […]

7 risks of working with a part-time CISO

2 am on a Friday night with all your servers and desktops encrypted by ransomware is not the best way to start a weekend. A security incident is just a symptom of a deeper underlying problem – usually that problem starts with the lack of security leadership. Most small firms of up to 500 employees […]

How to write your own SSP (System Security Plan)

How to prepare and write an SSP (System Security Plan) for business cyber continuity

The CMMC 2.0 certification process requires that you generate and follow an SSP (System Security Plan). But that is not what you should start with! Look at the graph below. Your first step is to identify all risks as per NIST […]

Is your Active Directory in urgent need of attention?

Image credit: https://github.com/Orange-Cyberdefense/arsenal

Active Directory is responsible for authorisation, authentication and privilege control as the core of most organisations’ IT infrastructure. And the image above is how a hacker sees it – the mind map is specifically called “Pentesting Active Directory,” created by an organisation specialising in attacking Active Directory the same way a hacker […]

How to obtain a SOC 2 Type 1 or Type 2 report for SaaS companies

This article clarifies some of the terminology and processes around getting your SOC 2 Type 1 and Type 2 reports if you are a SaaS company. What is SOC 2? SOC stands for “service organization controls.” SOC 2 is a reporting framework developed by AICPA. It is not a security framework; AICPA sets the criteria, […]