This post is part of our Partner Spotlight Series, where we let our partners describe their companies, backgrounds, and experience with LogicGate. This month Jason Gutierrez-Pinho, Market Development Manager and Cybersecurity Consultant for Abacode, sits down with us to answer some of our questions.
LOGICGATE: Can you provide an overview of your company and how you work with your clients?
JASON: Abacode is an industry-recognized Managed Security Service Provider (MSSP) experienced in providing holistic cybersecurity and compliance services to customers throughout the Americas, Europe, and the United Kingdom. With current clients in over 10 countries, our visibility into global threats adds incredible insight and value to our customers.
What sets you apart from other companies in your field?
We address company risk from a business strategy perspective first and cyber-technology perspective second. Our methodology ensures technical and non-technical leadership are able to make unbiased strategic decisions that positively impact the entire organization. Our team regularly speaks at national and international cybersecurity, business, and compliance conferences and has been recognized as one of the fastest growing MSSPs by empowering companies to have a Cyber Capability Maturity Model (CCMM) and consolidate all cyber-risk and regulatory compliance initiatives under one roof.
How do you see client needs evolving over the next year? Next 3 years?
The biggest evolution we see is that privacy and security laws are spreading worldwide, changing organizations from wanting to be secure (or not) to having to be secure. Pretty soon, cybersecurity will not be optional for anyone. In the past few years small and mid-size companies also seemed to have the impression that these regulations came with empty threats or that only the Facebooks and Googles of the world would get hit with substantial fines. This has not been the case. TikTok was fined $5,000,000 by the FTC in the U.S. for privacy violations (March 2019), a hospital in Colorado got fined $111,000 (Dec. 2018) for a HIPAA violation, a hospital in Portugal got fined $450,000 (Dec. 2018) for a GDPR violation, and a taxi company in Denmark got fined $180,000 (March 2019) for a GDPR violation, just to name a few.
What trends have you noticed in the IT Risk or Cyber Security industry in the last few years?
Cybersecurity attacks have risen drastically, and will continue to do so.
What is the greatest pitfall you see people face when tackling Cyber Security processes?
Budgeting. This stems from two issues. First, for the past 30 years or so, cybersecurity has been an extra weight thrown on top of the IT teams in organizations. That might have been relatively acceptable in the far past, but there are simply too many cogs in the cybersecurity machine for IT to juggle on top of their already-demanding jobs. Whereas IT serves as an organization’s central nervous system, ensuring everything is connected and functioning properly, cybersecurity is the immune system, ready to engage harmful actors. They’re simply different skill sets. Second, people seem to look at cybersecurity as an afterthought. Organizations will budget for every other need, and whatever is left they’ll put towards cybersecurity. However, cybersecurity is a core necessity and fairly expensive, especially due to the worldwide shortage in knowledgeable resources.
What is the best advice you would give someone who is charged with leading a new InfoSec program or IT process deployment?
Don’t try to start a privacy and cybersecurity compliance program with half measures. We hear it all the time: the organization just wants the cheapest thing they can do to check the box and pass the audit. We strongly advise against this approach. You might barely be able to pass a normal audit, but good luck in court if you have a breach and an in-depth investigation demonstrates cursory attempts to achieve compliance. Be thorough; your CFO will thank you later.
In your opinion, where should someone start when creating an InfoSec program?
Policy (and procedures) is the backbone of any InfoSec program. You need a framework to be able to build out your program, whether it’s NIST, ISO, PCI-DSS, etc. Find a framework that suits your organization and start from there. Then you’ll know what you need to budget for in order to comply.
In your experience, how have your clients fostered executive awareness or support for investment in their program (for services or technology investment)? Do you think this is always necessary?
The sad truth is that most of the time it’s reactive. Unless there’s a regulation or a need to comply for a certification in order to win business with larger clients, the reason we get a phone call is because something went wrong. Companies with Intellectual Property (IP) might be a bit more inclined to have their environments secure, but even on that end we see a lack of support. That said, one of the best ways clients can foster executive support is by letting them know they can use their cybersecurity implementation efforts as a differentiator against their competition.
Why did you select LogicGate as a trusted partner?
Abacode’s core services are heavily incorporated into compliance frameworks such as HIPAA, FedRAMP, PCI DSS, NIST, GDPR, SOC 2, and ISO 27001/2. When helping customers through the implementation process, keeping track of all the controls and their relative artifacts and documentation can be troublesome. LogicGate allows Abacode to provide continuous compliance and security control effectiveness tracking for organizations before, during, and after assessments. This supports management through clear oversight of all compliance efforts in real time, not just during an assessment.