onShore Security

Because Security Gives Us Freedom.


SEC’s Rule 106 Creates Confusion Instead of Standards

November 7, 2023 By Stel Valavanis


One of the main purposes of the SEC is to ensure that the investing public receives all the information they can and should have to make informed investments. As technology and business practices evolve, so too must the SEC, and its latest attempt to adapt to changing times has led to new SEC rules involving cybersecurity and cyber operations. New SEC regulations that went into effect on September 6th (with compliance reporting to begin 90 days later, this December) garnered much attention and comment while they were under consideration and revision, and have continued to be examined since. The SEC, in responding to comments made during the consideration process for amendments to the rules, did listen to the critics of the new rules, citing their concerns that overly prescriptive laws would dictate cyber security operation, and removed many aspects of the proposed law that touched on requirements. However, by specifying aspects of the operation, the “processes” and the degree to which those processes influence other board-level decisions, the SEC merely creates a hazy set of standards by which companies will attempt to comply and which they will use as a template to make their cyber security operation “public facing”.

Much of the attention around this new set of SEC rules has focused on the breach disclosure rules, but another new regulation that will affect all SEC registrants is being mostly ignored by media and thought leaders. New Regulation S-K Item 106 will require registrant organizations to “describe their processes” for assessing, identifying, and managing cyber risk. By asking for descriptions of “processes” rather than policies and procedures, the SEC is attempting to walk the line between requiring enough information to satisfy the investing public and requiring so much that it can aid threat actors. Organizations will need to account for the public nature of the information divulged in their cybersecurity and public relations strategy, and this new reporting requirement will have a direct effect on cyber operations.

The SEC can avoid being prescriptive in their reporting requirements, but any requirement to report can and will have the effect of setting a standard. If a question is asked on a form, there will be answers that are favorable, or at least acceptable, to the public, even if only answered in the affirmative (or negative). Cyber operations will be tailored to make sure that the reporting to the SEC gives a favorable impression to the investing public. Security operations will be driven by the optics of what their operation is reporting and this will create a competition of security theater, rather than security. While changes to cybersecurity regulation can help raise the level of maturity across the industry and encourage best practices, they can also leave gaps and create new problems outside of cybersecurity operations.

Another aspect of the rule will now require registrants to disclose the role their board takes in making cybersecurity decisions and management. Boards will be expected to take an active role in this part of their organization, and the reporting will show their involvement (or lack thereof). To meet this new expectation, organizations will want to show that their board is aware of and managing cyber risk, and must establish a process by which the board is informed. This can take the form of briefs from the cybersecurity team, updates from the CISO, or something else; it is not prescribed, but it will be reported.

While this changing situation may cause confusion for the near future, working through the complications of regulating cybersecurity will ultimately make us all more secure. The hazy set of standards that will be created, and then tested against practice and public opinion, will likely lead to clearer rules and regulations in the future, as the trials and errors that occur will enrich the conversation had between public and private entities on the changing role of cybersecurity in business.

Filed Under: Compliance, Cyber Security, Cybersecurity Policy

onShore Security Named to MSSP Alert’s 2023 List of Top 250 MSSPs

September 26, 2023 By Josh Eklow

onShore Security, a leading provider of enterprise-grade cybersecurity solutions nationwide, ranks among the Top 250 Managed Security Service Providers (MSSPs) for 2023, according to MSSP Alert, a CyberRisk Alliance resource. The company rose in the rankings to 146, compared to 192 in 2022.

“We are honored to continue to be included in the MSSP 250 list, and are pleased to have moved up in the ranking yet again this year,” said Stel Valavanis, CEO of onShore Security. “I believe our pure-play approach and our own Panoptic Cyberdefense platform are what make onShore Security stand out. No other company has network detection and response (NDR) integrated directly into their platform.”

The 7th annual list and report identifies and honors the top MSSP, managed detection and response (MDR), and managed security provider (MSP) companies. The rankings are based on MSSP Alert’s 2023 readership survey combined with the site’s editorial coverage of MSSP, MDR and MSP security providers. The research also highlights key MSSP business, security and market trends. The complete list and research report are available online at https://www.msspalert.com/top-250.

Key findings include:

  • MSSP Revenue Growth & Financial Performance: MSSP honorees, on average, expect to generate $56.3 million in revenue for 2023, more than double the number from our 2022 report.
  • Geography: Honorees are headquartered in 37 different countries.
  • Profits: 87% of MSSPs surveyed expect to be profitable for fiscal year 2023.
  • Security Operations Centers: 67% have in-house SOCs, 23% are hybrid, 8% completely outsource their SOCs, and 1% are reevaluating their SOC strategies.
  • Cyberattack Trends: The most frequent attacks targeting MSSP customers in 2023 include phishing (95%), vulnerability exploits (91%) and ransomware (86%).
  • Cybersecurity Solutions: Larger MSSPs were more likely to run their SOC entirely in-house (85%) while just half of our smaller segment MSPs ran their SOCs in-house.
  • Key Managed Security Services Offered: Almost all of the larger MSSPs (90%) provided 24/7 security event monitoring and response for threat detection use cases on their own.

“MSSP Alert and CyberRisk Alliance congratulate onShore Security on this honor,” said Jessica C. Davis, editorial director of MSSP Alert, a CyberRisk Alliance resource. “The Top 250 MSSPs continue to outperform the overall cybersecurity services market in 2023. It’s an indication of the strength of managed security services provided by these specialists at a time when cybercrime has accelerated and threatens businesses of every size and from every industry.”

Inclusion in the list follows several 2023 highlights for onShore Security. In April, onShore was one of more than 150 private sector companies to endorse principles developed by the Cybersecurity Tech Accord to curb the growth of cyber mercenaries. onShore executives presented at industry conferences including Inventures Canada, Blue Team Con and the ISACA Chicago Convergence Conference, and CEO Valavanis will present at the upcoming CornCon. In addition, the company launched the second season of its popular cybersecurity podcast, onSecurity.

—

onShore Security Press Release

Filed Under: Press Release

Implementing the Cyber Workforce and Education Strategy in your organization

September 1, 2023 By Josh Eklow


The Biden Administration recently released another cyber strategy document: the National Cyber Workforce and Education Strategy. While parts of the document focus on how the Federal government will work to further the cyber education of potential government employees and to grow the cyber workforce available to the public sector, it also outlines a strategy that strives to raise the general level of cybersecurity awareness and training of all organizations and citizens, enrich the workforce for the private sector, and close the cybersecurity employment gap in the US in both public and private sectors. There are several tactics laid out in the strategy that can be implemented in your organization to manage the cybersecurity workforce gap. Much of the Biden Administration’s strategy is focused on long-term planning and many of the goals will not be realized for many years. In the meantime, businesses should position themselves to be part of the solution, not only in their own organization but also in their industry and national economy.

One tactic that the government plans to use in its efforts to close the cybersecurity gap is to work more closely with private entities to fill positions and ensure protection. This is something businesses already do: working with vendors and outsourcing to partners. Integrating third parties and private companies in the public sector will mean a great opportunity for practitioners and organizations to contribute to public and Federal cybersecurity efforts. These efforts will benefit from the experience and knowledge developed within the private sector. They also will try to benefit by doing something many businesses have already done: reform and rethink their hiring requirements and strategy. By looking more widely at the skills and experience of potential practitioners, they not only access resources they previously eschewed, but they also widen the knowledge base and diversity of their own organization.

Another tactic that can be implemented in private organizations at any level is to integrate cybersecurity and best cyber practices into the design, management, and operation of all parts of an organization. The government will make the cybersecurity of the organization the responsibility of all and will develop this culture across all departments, beginning with training and education. Instilling a similar understanding in your team will greatly raise the cybersecurity maturity of your organization. Employees must understand that every position at the company holds a vital role in cybersecurity, not merely the IT or IS staff. All staff should receive training on cybersecurity, especially as it relates to their positions. Management should consider cybersecurity issues in team meetings, planning, and assessment. By making everyone at the company a stakeholder in the cybersecurity of the organization, you greatly increase the digital resilience of your organization and employees. Much as the Federal strategy includes measures to generally educate the public in order to create a safer ecosystem for all, the efforts an organization takes to create more secure employees will mean that they bring this higher level of awareness and best practice home and to other parts of their life online. This indirectly helps your organization by raising the general level of security around you, but also will directly impact your organization. The line between personal and business is often fuzzy online, and bad security practices at home can lead to vulnerabilities in your business. 

Part of the strategy touched on in Pillars 2 and 3 is to integrate with the greater cyber ecosystem, specifically in the area of education and training. Time and energy spent developing the cybersecurity climate of tomorrow will pay dividends to your organization for many years. There are many ways that your company can do this today and you can start however makes the most sense for your team. Many industries have cybersecurity groups that are focused on their particular businesses. Attend events, as a company and as individuals, and get involved in boards and information-sharing groups. Incentivize your team to get involved in areas relating to their particular role, in CISO groups for example. Sponsoring events is a great way to show that your company is a stakeholder and to build culture at your company. Get involved with local colleges and educational and training programs. Attend cybersecurity events that are tailored to students or hosted at universities.

As the National Cyber Workforce and Education Strategy is put into practice, it will be to the benefit of all to consider how these ideas and tactics can be enacted in our own organizations. The hybridization of the workplace, accelerated by the COVID pandemic, is not slowing, and the future of the workplace itself is online. It is the American way to innovate and take advantage of the opportunities new technology presents. With this strategy, our leaders have laid out a plan to do so, while also acknowledging that they will need to adapt and change.

Filed Under: Cybereducation

onSecurity Podcast – Episode 19: Inclusion and Community Engagement

August 16, 2023 By Josh Eklow


In cybersecurity, teamwork is everything. Every part of the practice is about being part of a team, from playing your part in your organization to being part of the larger community and ecosystem. Cybersecurity conventions, such as the upcoming Blue Team Con, are a focal point for team building at every level, with knowledge sharing and training, networking, and volunteering. Many cybersecurity events are run by volunteers, seeking to learn more about cybersecurity and organizing, meet active and involved members of the community, and take part in building the culture. 

This episode, onSecurity is joined by Phoenix Fier, security analyst for Funko and volunteer coordinator for the upcoming Blue Team Con. Phoenix discusses the importance of inclusion in cybersecurity events, the opportunities that volunteering at an event presents, and why getting involved is a critical step in your career.

Filed Under: Blue Team Con, onSecurity

onSecurity Podcast – Episode 18: Securing IoT and Operational Technology

July 28, 2023 By Josh Eklow


In an interconnected world, the rapid proliferation of IoT (Internet of Things) devices and the integration of Operational Technology (OT) into critical infrastructure have unlocked tremendous opportunities. However, these technological advancements have also exposed us to unprecedented security risks. To counter these risks, businesses can quickly and efficiently turn to the practice of maintaining a comprehensive asset inventory. By identifying and cataloging all IoT and OT devices, organizations can better understand their attack surface and implement targeted security measures to safeguard their networks.

Huxley Barbee, CISSP and CISM of RunZero, joins onShore Security CEO Stel Valavanis on this episode of onSecurity as we delve into securing IoT and OT systems, exploring the significance of asset inventory in fortifying these vital networks against potential cyber threats, and identifying common pitfalls.

Filed Under: IoT, onSecurity, OT
