HEADLINES IN IT SECURITY & COMPLIANCE
CIO Bulletin Awards 2023 Innovation Excellence To BAI Security
CIO Bulletin has recognized BAI Security with a 2023 Innovation Excellence Award.
“To keep our clients ahead of the ever-advancing tactics of cybercriminals, we continually re-evaluate our methods, tools, and service offerings to address new threats. In the past year alone, we doubled our service offerings to respond to what IT leaders indicate are their three greatest concerns today—ransomware, personnel weaknesses, and vendor breach.” – Michael Bruck, CEO.
Read the full interview on CIO Bulletin.
Congratulations to the entire BAI Security team on continuing to lead the industry from the front!
BAI’s CEO Appointed For Third Time To Forbes Technology Council
For the third consecutive year, BAI Founder and President/CEO Michael Bruck has been named to the prestigious Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs, and technology executives.
As a member of the Council, Bruck has access to a variety of exclusive opportunities designed to help him reach peak professional influence. He will continue to connect and collaborate with other respected technology leaders in a private forum.
We congratulate Michael on his continued appointment to this prestigious council and thank him for his ongoing visionary leadership for our team, clients, and industry!
National Survey Results Are In - I.T. Leaders Share 2023 Security Risks
In January 2023, I.T. security leaders nationwide participated in a survey voicing their greatest security risks coming into 2023. Results of the survey, as well as comparison to concerns expressed in the 2022 survey, are represented in the graphic below.
To assist with these concerns, check out information on our cost-effective, risk-reducing offerings for 2023!
IT Leaders Share Vital Lessons Learned in 2022
Last month, IT leaders nationwide participated in our InfoSec Wisdom for 2023 survey… and one lucky winner from Wisconsin took home a $500 gift card from our participant drawing!
THANK YOU to all who shared their insights. Here’s a sampling of responses to help us all approach the new year a bit wiser:
- Never underestimate the skills or motives of determined threat actors, whether external or internal.
- Move to cloud and have a disaster recovery plan adjusted accordingly.
- Vendor security risk assessment is now a top focus of effort.
- We were ahead with our vision and implementation plan but not having buy-in from C level can prove detrimental when a breach scare hits the organization.
- We need to understand our system to the very depths.
- We learned that people truly are the weakest link and that the desire to do good is extremely taken advantage of.
- Scan enterprise databases for vulnerabilities and misconfiguration; know the risks to your databases; get recommendations on how to mitigate identified issues.
- The biggest lesson is the questions asked by a cyber insurance underwriter that has a different look at our security posture.
- About End Point Security due to remote working (WFH).
- Don’t miss those opportunities to decommission a legacy system just because there’s a lot going on. Those skeletons you know about can be exactly the ones that bite you one day.
- We get a monthly review of two scans via the Tenable app. The difficulty of reducing these identified threats in the network is more work than I anticipated.
- Make sure you are looking at the alerts regularly and sharing that information with the group.
- That our team was too small to perform effectively.
- Educate & train users to stop a breach from where it starts.
- DCSA compliance is a lot of work.
- Exterior network protections may not be sufficient, interior protection techniques must be applied as well.
- End users are the source of most malware infections.
- Training Training Training and constant discussions about how breaches happen. Spent hours on emails, personal talks, training, brief updates to keep on the forefront with teams/staff.
- Users are still our weakest link!
- That every end point matters. Anomalous behavior can begin anywhere so you ought to have the appropriate protections in place at every point of entry.
- Business Continuity
- Security at the home workstation level is a must.
- We need to learn how to communicate better and recognize that our messaging needs to be more tailored to the audience.
- Visibility into cloud environments could have prevented a breach.
- My team learned that regardless of how many controls we put into place, risks can only be mitigated when the business understands the impact. Security Awareness and Communication need to be considered as [or more important than] Tools.
- That work of securing the organization is ongoing, never stops, and requires staying up to date on what is coming from the dark side.
- Recovering from ransomware is a process.
- The only way to reduce the risk of a breach, the associated costs of response and recovery, the steep fines, and avoid the damage to business continuity and brand equity, is to make sure that protection is robust and that everyone is adhering to cybersecurity compliance requirements.
- Two additional team members were added.
- Third party network penetration testing of all networks.
- Multi-factor authentication and centralized identity/access/privilege management
- The establishment of an INFOSEC department, including the hiring of a new CISO.
- Spent ~$12kUSD on a purple team exercise that gave us a completely different perspective of the inner workings of our SOC provider. Also identified what we considered to be, “fatal flaws.”
- Zero trust strategy – concentrating on end point tools.
- Assessments that provided us results of where our risk lies.
- Hired a vCISO.
- We added switch level event and log analysis. This helped find SO many slight misconfigurations that opened holes for attack.
- Engaged with a 3rd party to run a cybersecurity assessment and an adversarial assessment.
- Complicated Phishing Scams with near real time identification for my team. We could immediately see what someone did or did not do and use it as a training opportunity.
- Modern anti-virus, anti-malware, monitoring & logging and incident response services.
- EPP and ERP implementation.
- Additional layers of monitoring and alerting. Enhanced monitoring tied to LogDNA and reporting to internal and external teams through the Slack platform.
- Assessment of personnel, systems and procedures.
- Okta. Filled the MFA/SSO hole in our security layers.
- Changed EDR solutions
- Multifactor authentication.
- Active log monitoring and real-time alerts.
- Continuing the deployment of Identity Access Management to include privileged management.
- Cloud security.
- Upgrading our MSSP as well as taking time to teach my personnel how to be proactive and watch the industry.
- Breach Attack Simulation (BAS). However, the most valuable “impromptu” purchase we made was an enhancement to our Password Management/Vaulting solution.
- Double-down on hiring for the right skills and working with the best partners.
- Adding an annual review and testing program with reporting back to managers.
- Focus on Zero Trust IAM implementations.
- Continued advanced implementations of firewall automation.
- 1. We will spend more time planning and measuring the results of risks being addressed.
  2. We will spend more time aligning training and development with our long-term security vision.
  3. We will continue to focus on automating repeatable tasks.
  4. There will be more cross-training so the operations within the team can be more effective and less isolated.
- Need to rethink SIEM strategy and increase 2 factor for more than just remote login.
- We will be selecting vendors for PAM and two other services. Our vendor evaluation process will incorporate our learnings AND we will push a little harder on reference checks.
- Continued internal phishing and monthly training. Adding an annual review and testing program with reporting back to managers.
- Continue to invest in Identity management and vendor management to more automated and mature technologies.
- As we continue down this road, we all need to understand that we have security enforcement that protects us, but shouldn’t hinder us.
- Will likely outsource for other compliance programs as well.
- Big impact on assessments and tabletop exercises – being prepared and adding resiliency to our current infrastructure.
- Add more phishing awareness and employee incentives.
- The journey towards compliance is long! The buy-in from stakeholders, service line leaders and back office departments is critical and it only gets more involved with the # of locations you’re looking to protect. Continue to invest and equalize the organizational-compliance profile across every location.
- We have a solid infosec plan for 2023 based upon the results of the assessments.
- It’s a journey. We are still on ours and we will continue to add layers as well as working to implement a SOC.
- We are becoming more agile and using threat intelligence and incident data to more quickly adjust our security.
- Be better prepared for NCUA IT Audit.
- Less tolerance for EOL assets than ever before -> budget to deal with all tech debt over a two-year period; issues with scripted attacks against web applications -> configuration of a cloud-based WAF in front of all customer-facing applications; MFA fatigue -> increase awareness among end users and increased exploration of password-less authentication systems.
- Allowing the definition of MFA requirements based on organizational membership or on access to specific applications. Administrators can also implement adaptive MFA by combining dynamic and static policies such as user behavior, device, and location.
- We will be growing the team and expanding our capabilities.
- Consolidate security tools under the Azure security framework.
- Our 2023 strategy (and beyond) for full cloud will have much more of an impact on how we approach security strategy, investments, architecture and partners than any lesson learned in 2022.
- We need to spend time improving the services already in place. Stop implementing new things and improve what you have.
BAI Security Celebrates 15 Years With Innovative New Services
This month, BAI Security celebrates 15 years as a rare pure play security assessment firm!
With Founder/CEO Michael Bruck at the helm since day 1, BAI has significantly expanded its innovative services every year in order to address constantly emerging security challenges. “2022 has been a particularly banner year for new offerings thanks to our visionary and talented team devising ransomware services, new compliance audits, red team options, and more,” shares Dr. Michele Bruck, Chief Strategy Officer.
BAI has also extended the number of high-risk industries it serves, as cybercrime increasingly targets those with the most valuable sensitive data and ransom-worthy operations.
“Our original mission—to make cutting-edge services accessible to all types of organizations regardless of size or budget—has served us well from the start,” says CEO Bruck. “What I never could have predicted was how our dedication to continuous innovation would become so central to delivering timely services, given the pace and scale at which such aggressive cybercrime is unfolding.”
Learn more about BAI Security’s team, qualifications, and accolades here. Consider a career with BAI here.
Congrats to Team BAI for 15 years of service & excellence — here’s to the next 15!
BAI Named Most Trusted Cybersecurity Solution Providers of 2022
BAI Security has been named among the Most Trusted Cybersecurity Solution Providers in 2022 by IndustryWired. President/CEO Michael Bruck is featured on the cover of the February issue.
Congrats to Team BAI for this latest recognition!
National Survey Results Are In - I.T. Leaders Share 2022 Security Risks
To assist with these concerns, check out information on our cost-effective, risk-reducing offerings for 2022!
BAI’s CEO Appointed Again To Forbes Technology Council
Employee Engagement Continues to Fly High at BAI!
Once again, BAI Security’s Employee Engagement beat global benchmarks significantly and across-the-board!
From appreciating BAI’s culture, flexible work model, and internal communication, to feeling respected and having input, BAI employees rated their engagement in all dimensions of employment as significantly higher than their professional counterparts, according to SurveyMonkey’s Global Benchmark data for 2020-2021, which examines the engagement results of thousands of organizations worldwide to draw comparisons.
Here are a few comments employees shared about working at BAI Security:
- “…a wonderful, fun/safe working environment. The company culture is superb.”
- “I like the open door policy. I definitely feel my input is valued here.”
- “Excited about my future here and to become a leader…”
- “Keep up the positive vibe, great hires, teamwork, recognition, and growth.”
- “BAI is a great place to work…”
- “Your support and enthusiasm and hands-on in the ‘trenches’ really matters. Thank you.”
- “I feel very welcomed and valued here.”
- “I like where we’re going and am excited to be a part of it.”
Thank you to all our employees who took the time to share their perspectives on the survey – we look forward to continuing to provide a highly engaging work environment as we head towards 2022!
BAI Security CEO Named Among Best Security Leaders
C Level Focus has named BAI Security’s President/CEO Michael Bruck to the 10 Best Security Leaders for 2020.
C Level Focus – Leaders That Matter is a strategic research practice whose purpose is to share leadership and management expertise through the lens of respected corporate business leaders. CLF has principal bases in London, New York, Berlin, Shanghai and Tokyo, and other cities worldwide.
Congratulations to our very own Founder and CEO on this recognition!
Red Team Readiness Survey Results Are In
We heard from IT leaders from across the country on our recent survey, “Are You Red Team Ready?”
The results speak to a significant need for organizations to engage in Red Team-type evaluations, as well as significant interest in doing so. Leaders indicate barriers around lack of understanding of the assessment itself as well as related costs.
Check out the results in the infographic.
For more information on our affordable, expert Red Team Assessment, visit our Red Team webpage and contact us for a proposal and pricing.
Forbes Appoints BAI Security's President/CEO To Technology Council
Bruck was vetted and selected by a Forbes review committee based on the depth and diversity of his experience. Criteria for acceptance include a track record of successfully impacting business growth metrics, as well as personal and professional achievements and honors.
To this esteemed appointment, Bruck responded:
“Being selected for Forbes Technology Council is quite an honor and opportunity, particularly in its capacity to help me reach a far larger audience with whom to share hard-gained wisdom from decades in cybersecurity. Perhaps even more importantly, the Council provides a global platform from which to impart pressing guidance that organizational leaders and the public need to defend digital assets against an increasingly aggressive threat landscape. I look forward to collaborating with and learning from Council peers who lead in other areas of technology, as well as bringing back new perspectives to my cybersecurity network and our slice of the tech sector.”
“We are honored to welcome Michael Bruck into the community,” said Scott Gerber, founder of Forbes Councils, the collective that includes Forbes Technology Council. “Our mission with Forbes Councils is to bring together proven leaders from every industry, creating a curated, social capital-driven network that helps every member grow professionally and make an even greater impact on the business world.”
As a member of the Council, Bruck has access to a variety of exclusive opportunities designed to help him reach peak professional influence. He will connect and collaborate with other respected technology leaders in a private forum. Bruck will also be invited to work with a professional editorial team to share his expert insights in original business articles on Forbes.com, and to contribute to published Q&A panels alongside other experts.
Congratulations to our very own!
BAI Security Celebrates Women In Tech History
This month, BAI Security is celebrating women in technology history – including the unsung pioneers who “paved the path to modern computer science.” For the ENIAC Project during World War II, six women, featured in the documentary The Computers, programmed the first all-electronic digital computer used to compute ballistics tables – with no programming languages, tools, or manuals. They established the first sort routine and software application, and became the first teachers of modern programming.
Results Are In - I.T. Leaders Voice 2021 Security Risks
In January 2021, I.T. security & compliance leaders from across the U.S. & beyond answered our survey about what they consider their greatest security risks for the year ahead.
Results are presented in the graphic HERE.
Thank you to all who participated (and CONGRATS to our $200 gift card winner!).
BAI Security Named 2021's Most Influential Leaders in Security!
IT Expert Tracy G. Stewart Joins BAI Security!
Tracy has served in key industries that BAI Security serves, including finance, healthcare, insurance, and energy. Tracy has worked for Allstate Insurance, Health Care Service Corporation (BlueCross BlueShield in 5 states), CNA Insurance, KPMG, Rose International, the Tribune Company, and most recently, PLS Financial Services.
- Project Management Professional (PMP)
- Certified Financial Services Auditor (CFSA)
- Certification in Control Self-Assessment
- Certified Internal Auditor (CIA)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Computing Professional
- Certified Netware Administrator (CNA)
- ERC Standards of Conduct
- NERC CIP Certified
- Agile Project Methodology
- Information Technology Infrastructure Library (ITIL) v3 Foundations Certified
- Six Sigma Training (Process Improvement – Green Belt)
- Capability Maturity Model Release 2.0 Certified
- Internet Scanner Certified Engineer: Internet Scanner SafeSuite (ICE)
- Certified NetGuard – Raptor Eagle Firewalls
In addition to his extensive career, Tracy is also a former Captain in the United States Army, where he served in various command and staff positions as an Airborne-Ranger Qualified Infantry Officer, which culminated in his command of a 300-person Infantry company assigned to the 2nd Infantry Division along the Demilitarized Zone in the Republic of Korea. While in the military, Tracy was decorated with the National Defense Service Medal, Armed Forces Expeditionary Medal (with Arrowhead), Army Commendation Medal (two oak leaf clusters), Joint Service Achievement Medal, Army Achievement Medal, Korean Defense Service Medal, Good Conduct Medal, and the Presidential Unit Commendation, Valorous Unit Commendation, and Superior Unit Commendation Ribbons. Tracy is also authorized to wear the Combat Infantryman’s Badge, Expert Infantryman’s Badge (superseded by CIB), Ranger Tab, Senior Parachutist Badge, Pathfinder Badge, and Air Assault Badge.
At BAI, Tracy will serve as Senior IT Compliance Auditor/Project Manager. In this role, Tracy will lead the Compliance Audit team, as well as serve as a member of BAI’s Extended Leadership Team, helping to define and drive organizational strategy, continuous improvement, and mission fulfillment.
Welcome to the BAI team, Tracy!
Employee Engagement at BAI Security Soars!
BAI Security’s 2020 Employee Engagement Survey was taken by 93% of employees and featured high ratings across all categories. From clear job expectations and feeling connected to our mission to leadership/employee trust and communication, we significantly and across-the-board beat global benchmarks for employee engagement.
We thank our employees for their participation in this important survey, and we can’t wait to keep the high engagement and employee satisfaction going into 2021 and beyond!