Ask not what your country can do for you...

Today I got pulled into a conversation with an old friend and mentor of mine.  In the conversation he mentioned John F. Kennedy and how he was able to pull in the world when he gave a speech.  I wasn't even born when JFK was president and would have loved to had the chance to hear him live over the airwaves.

I am sure you are starting to wonder if Eric has lost it by now or where is he going with this.  Well in JFKs inaugural address  the country was pulled together and motivated to build itself up.  I feel like we could use that motivation these days.  It is different times now, but the technological seeds that were being planted in the early 1960's have grown and we have harvested many times from them.  This technology now drives our commerce and our booming economy.  This technology keeps growing faster every day.  With this growth we will have challenges to go with the advantages that new technology gives us.

As we all know, technology today can help build even small business up to levels never reachable 50 years ago.  This enablement of the cyber economy allows small business owners to reach around the world to markets they never would have dreamed of.  The connectivity allows you to form partnerships and share information instantly.  Your business is open as long as it is online; it is NEVER closed.  It is here where your business becomes vulnerable to every notorious organization around the world.

The Internet was built on technologies funded by our government. Most of the advances in processing and communications in the last 50 years have all been heavily driven by our nation's budget, either for defense or managing our federal infrastructure.  Our economy and businesses have benefited heavily from these initial investments from our government. The one thing that hasn't caught up with our ability to use the technology to run our businesses, is our ability to deploy it securely. 

It's pretty simple: small business owners do not have the resources that mega large enterprise organizations have.  But the federal government has stepped up in this area as well.  The push by the current President Barack Obama to fund the development of the Cybersecurity Framework by NIST is the first step in this direction.  The next step is now up to YOU the small business owner.  You should now be asking yourself "what can I do for my country?" and begin using the framework to help protect your company, your customers and the safety of the nation's economy that is relying on you.


Eric McWilliams is the founder of FINSECTECH and the guy behind the NIST Cybersecurity Framework as a Service (FaaS).  Eric has worked in the IT Security Industry for the past 20 years. Before that, he got his start in the United States Marine Corps.  These days he loves spending time with his daughter and turning technical ideas on napkins into products for the world.


SEC Fines Adviser for Failing to Adopt Proper Cybersecurity Policies

This week was the FIRST time the SEC has fined a company for not properly securing personal information, by going after the company for not applying proper cybersecurity policies and processes.  The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933.  We are sure many more issues like these will follow.

This rule is from 80 years ago and so old that Cyber anything wasn't even an idea in anyone's mind.  This rule require registered investment advisers to adopt written policies and procedures, reasonably designed to protect customer records and information.  Looks like this law written 80 years ago fits pretty well into the industry we have today. 

According to the SEC’s order instituting a settled administrative proceeding:

  • R.T. Jones stored sensitive PII (Personally Identifiable Information) of clients and others on its third party-hosted web server from September 2009 to July 2013.

  • The firm’s web server was attacked in July 2013 by an unknown hacker who gained access and copyrights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.

  • The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information.  For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.

  • After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine the scope.

  • Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.

  • To date, the firm has not received any indications of a client suffering financial harm as a result of the cyber attack.

As far as I can tell the firm handled the breach as best they could after it was noticed.  The issue the SEC found, was that the firm had failed to adopt any written policies or procedures to protect its data systems.  The usage of the NIST Cybersecurity Framework, which the SEC and other regulators have been directing firms to utilize the past 2 years, would have put the firm in better standings with the SEC and not ended up costing them $75,000 in fines. 

If your firm is looking for guidance on implementing the NIST Cybersecurity Framework and being able to prove to regulators that you are keeping up with best practices across your firm, please contact us at FINSECTECH today.

FINSECTECH at US Chamber of Commerce Cybersecurity Summit

It is a great pleasure to be a sponsor of the US Chamber of Commerce Cybersecurity Summit in Las Vegas next week.  The Chamber is putting on the conference to spread the word and knowledge about the NIST Cybersecurity Framework. After attending the Minneapolis Cybersecurity Summit, Andrew and I noticed there was a huge crowd of businesses that were all interested in NIST, but none of the vendors at the conference or the sponsoring booths outside of the US Department of Homeland Security were pitching their usage of the NIST Framework, or anything to do with NIST.  All of the vendors seemed to be offering the same thing that every IT vendors offers: consulting services, rack space, hardware, etc... 

We saw this as a huge problem and decided to join the conference next week as a sponsor.  We think this will help the businesses that are interested in implementing the Cybersecurity Framework and also get our product out there.   The Chamber listed the following reasons to attend the seminar:

  • You've heard something about a cyber framework--you're not exactly sure what it is--and want to learn more.
  • You have cybersecurity or risk-management responsibilities for your organization--whether private or public.
  • You have a cybersecurity program for your business and want to strengthen it.
  • You're a large company looking for ways to communicate about cyber with your small and midsize supply chain partners.

All four of their reasons are the very reasons we have formed FINSECTECH.  Our Framework as a Service is THE solution for anyone attending this Cybersecurity Summit without a doubt.

Anyway, once again we are super excited to be attending this conference.  Here is the conference agenda from the Chamber of Commerce.



NIST Cybersecurity Framework Why

Andrew and I have been busy getting the Cybersecurity Management Platform built to be usable by the masses. While working on the application and doing demos for several people, the question wasn't "how to use the application?" You see, Andrew built things so user friendly and uncomplicated that you do not have to be a seasoned IT Security Manager to manage your security profile.

The questions that comes up over and over again, is usually based around "why do I need to use the NIST Cybersecurity Framework" and "why do I need to use your Framework as a Service (FaaS)  to do it?"  Let me break them apart so I can show the value of each.

Why do I need to use the NIST Cybersecurity Framework?

Many of the reasons are documented on the NIST Cybersecurity Website and their FAQs cover many topics.   Let's start off with this: if you are a private business, you are not required to use the framework; it is completely voluntary.  No laws are in place saying "you must map your controls to the framework".  Before you stop reading here you may want to keep going.

If you work in the trading industry, you should know by now that the Securities and Exchange Commission, FINRA, and SIFMA are all leveraging the NIST Framework as their method of reviewing firms.  All of the industry regulatory groups are beginning to take cybersecurity very serious.  This started in April 2014 (shortly after the Framework 1.0 was published by NIST) when the SEC issued their first questions to the industry.  These questions were put together to help compliance personal assess their firms' cybersecurity preparedness. The NIST Framework was referred to in the introduction and also in the questions themselves.

One year later (April 2015) the SEC issued "Guidance Update No. 2015-02 - Cybersecurity Guidance". In this update a new reference to NIST made an appearance.

"OCIE’s Cybersecurity Initiative contained a sample list of requests for information, which included questions that tracked information outlined in the “Framework for Improving Critical Infrastructure Cybersecurity.” See OCIE Cybersecurity Initiative, supra note 1. Funds and advisers may wish to consult this Framework when considering a strategy to mitigate exposure to cyber attacks. See National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity,” (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf"

I think you can see where we are going here.  These references from FINRA and SIFMA also referenced the NIST Framework. All of the regulators across the trading industry are heavily referring to the framework over and over again.  With this happening, it is accomplishing one of the core goals of the framework: "to provide a common language to address security risk."

At this point in the post the "WHY do you need to use the NIST Cybersecurity Framework" becomes obvious.

Now onto the "WHY do you need to use FINSECTECH and our Cybersecurity Framework as a Service (FaaS) to manage your security profile."

Not only was the framework built to be a common language for discussing security risk,  it was also built to be cost-effective.  There are other security and IT management frameworks across the industry but NIST was developed by the US government to help protect the industry and it is FREE to use.  All other management frameworks products are costly to implement.

When we started looking at the NIST framework, we designed an application with the following key features:

  • The application had to be user friendly and simple.  After working in the industry for a multitude of years, we grew frustrated with tools that are overly complicated, hard to navigate and cumbersome to use. So we created an application that was different.
  • The application had to help people from a variety of different roles in an organization to work together towards an organization's risk management process. The communication features in the FINSECTECH FaaS glue together the tiers of the NIST Risk Management Framework.
  • The application had to provide the means for self assessment.  The NIST Framework recommends a rating system, using Tiers.  The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).  We have built this rating system into the FaaS.
  • The application had to be responsive. Security is a process that involves many people. An app that doesn't allow multiple people to work together quickly, doesn't allow them to work together at all. Our app is built to be fast and to scale across thousands of users.
  • The application had to adapt to the future. Threats and their responses are constantly evolving, so FINSECTECH is monitoring the NIST framework and updating the application with the latest changes.
  • The application had to help address the talent gap in the security field. With regulators starting to push the usage of the NIST Framework into new areas of business, the demand for security management surpasses the supply in the workforce.  By using the application, organizations can spend less time and resources trying to understand complex security regulations, managing documentation and spend more time on actual security related matters.
  • The application had to give insights into historical information and preserve information throughout a company's changing structure. We understand that keeping a CIO or IT Director for more than a couple of years in this market can be a challenge.  We wanted to provide their successor with a view to what your company's current profile is and the direction that it was moving in.  This will also decrease the amount of time for your new staff to get acclimatized to your environment and allowing them to set new direction quickly.

Now you can see WHY the usage of the FINSECTECH FaaS is a no-brainer for your company.