
A 4-Step Process to Achieve True Cybersecurity Success

Varciti IT Solutions


June 02, 2022 | By Wayne Selk


Where are you in your security journey? As a cybersecurity practitioner for the past quarter century, this is a question asked of many in the managed services provider community. The answer to the question varies. Some believe they have reached cybersecurity nirvana—that they are experts taking a leadership role; others don’t know how to get started. Some have started and are stalled. Wherever you are in your own cyber journey—or wherever you think you are—you might need help getting to the next step. If that’s the case, view and download the infographic below to help you continue on your way.

The four phases outlined in the infographic were adopted from a ConnectWise whitepaper and video. The goal was to help managed services providers better understand the NIST Cybersecurity Framework and how they could mature their organizations in cybersecurity. The NIST framework is a risk-based framework, not maturity-based. This distinction is very important since most MSPs understand maturity yet lack the understanding around risk.

Download the Four Phases of Cybersecurity Infographic:
Vertical (mobile friendly) / Horizontal (desktop friendly)

1. Learn to Walk Before You Can Run

As you review the infographic, the maturity model becomes very evident. Phase 1 is about getting started on your security journey. This is the most important phase and one many MSPs overlook. By skipping items in this phase, or the entire phase, MSPs could find themselves very unprepared for the subsequent phases and exposed to a cybersecurity incident.

It is important for all organizations, regardless of size, to have policies documented that are aligned to both business objectives and to the risk tolerance of the organization. Most MSPs feel they are too small for documented policies. Yet they also say they want to grow their business. Having policies documented when the organization is small allows leadership to focus attention on growing the business.

Another important item in this phase is understanding where sensitive and business-critical data are stored, processed and transmitted—both in and out of the company. This requires a complete inventory of all systems and devices, the software and applications, and who has the ability to access the data on each of those components. Once the inventory is complete, assign a risk severity to each of the data items identified. Your critical and high-risk items are the elements in need of the most protection and security controls.

Hopefully, you are not surprised to find sensitive or business critical information not under your direct control. If this is the case, focus your attention on resolving this issue quickly. The last thing you want is a severe negative incident that puts you in danger of losing your business. As you move into Phase 2, please keep an eye on the items from Phase 1. As you grow or as change happens within the organization, you may need to review your policies to ensure they are keeping pace with your business objectives. The same is true for your inventory.

2. Investments, Training Will Pay Off

Phase 2 is all about investing in your people, making your processes better, and solving for gaps with technology when appropriate. This is the opportunity to strengthen the security in your organization and really start developing your cybersecurity practice and culture. With your security skills and solutions inventory complete and kept up to date, you have set the business up for success. Instead of wasting precious dollars and time wondering if you have everything protected, you have created the ability to quickly find and assess whether or not the controls you have are able to best protect your business.

If you find the controls are not adequate or a gap exists that has the potential for exposing your business data, then determine if a change in personnel or a process may solve or reduce the impact before investing in a technology solution. According to the latest Verizon Data Breach Investigations Report, the human element accounted for 82 percent of data breaches in 2021. Also, 42 percent of data breaches were accomplished using stolen credentials, according to the report.

Technology is not going to solve for the human element and training alone is not enough either. Organizations need to take a very hard look at the security culture within the business. This is one of those top-down items and “do as I say, since I am doing it too” necessities all businesses need to work on regardless of size. Creating a security culture takes time and patience. The reward for doing so will pay dividends every day.

To that end, documented policies can have a direct impact on creating a security-first culture in the organization. Find new ways to increase awareness and understanding for the entire company. Perhaps engage your people to read about a topic or gap in the organization and write a paper or give a brief presentation during a staff meeting. Discuss the topic or gap and uncover ways to solve or mitigate any risk which may exist. Encourage your people to embrace security rather than have them find ways to avoid the controls in place. Reward positive behavior and encourage those who slip to try harder.

3. It’s Time to Start the Conversation

Reaching Phase 3, you are ready to start taking your security show on the road to customers and prospects. Armed with knowledge on how policies help a business and putting your best foot forward around security culture, you’re now prepared to help customers start on their security journey. You may find that conversations around security are easier and less stressful, since you can speak from experience; practice what you preach, as it were. Understanding your customer’s needs and helping them align their business objectives raises their awareness and understanding around cybersecurity. Showing clients and prospects that you understand their business helps gain trust, which is the cornerstone for any business relationship.

4. It’s Never the End of the Road

As you move into Phase 4, you begin to realize your journey is all about continuous improvement and helping others succeed. The feeling comes naturally as word of your success spreads across the industry and your client base. It is at this moment you realize the entire organization is hitting on all cylinders; business is booming, and questions are being asked like ‘How did you do this?’ At this point, you’re capable of giving back to the community and your peers. Your community includes your vendor partners and your customers too. Please remember that this is a journey, not a destination. The threat landscape is always changing and evolving, each and every day.

CompTIA is here to help you achieve your goals and objectives as a service provider regardless of where you are in your security journey. We have content to help your people better understand cybersecurity, as well as membership in the CompTIA ISAO to keep you up to date. The CompTIA ISAO is your one-stop shop for threat information and intelligence. Wherever you are on your security journey, the goal should always be for continuous improvement.

Wayne Selk is vice president of cybersecurity programs at CompTIA.

IT Career

Changing Career

Mainly (but not only) for my students in the Edmonton area, attending the ITC program at MCG Career group. You are attending a course that will propel you into a new career, an IT career, and one that you should be excited to be part of. The following tips may help you move forward and enjoy the ride.

1. Don’t just step, but jump out of your comfort zone.

2. Don’t worry too much about the first test, “IT Fundamentals”. Just focus on the content being covered each day and keep moving forward.

3. You are in a class that has various levels of IT competence, but don’t compare yourself to these. The only person you have to compete with is yourself. Attend classes at all costs and concentrate on learning something new each day.

4. One thing, don’t be afraid to ask for help from your instructor / mentor or teammates. Peer learning is always an essential skill builder for today’s technology workforce.

5. Know your 30-second “About Me” by heart and be able to give it at a moment’s notice. This statement requires that you know exactly where you want to be and what it takes to get there. I will post more about this next week.

6. Have a short term career plan ready to discuss during interviews, and consider how potential managers and other company leaders might serve as mentors and role models to get to your goals.

7. Connect and build relationships with co-students from the current class and, if possible, past classes too. Building a professional network should begin on the first day of class or as soon as possible thereafter.

8. Technical skills are essential to a good IT career but mastery of soft skills like communication and active listening are just as important. The critical soft skills for any IT professional are communication, collaboration, critical observation, problem solving and leadership. Possessing any or all these will set you up ahead of the crowd.

9. Great interviews begin with research, so start with the company’s website and document their strong points and vision statement and work around them. The interviewer wants to know that you will fit in with the current employees and not disrupt the status quo.

10. Professional organizations and networking events are a great way to network and meet potential employers. This informal environment will be less pressure to discuss potential opportunities than a formal interview.

11. Great interviews are a conversation that is the result of planning and questions prepared ahead of time.

12. You are in the ITC program for a reason, so as soon as possible set goals for yourself, both short and longer term. This will help give you direction, and help you ask the right questions ahead of time.

13. LinkedIn is a great career tool while climbing the IT ladder. Get a head start on establishing an online presence by setting up an account. Do remember that past achievement will be an asset no matter what industry it comes from. Recruiters are always scouring here to find new clients. Connect with others and professional groups. Be there when the recruiters or companies post or search for professionals in your area.

Reflecting on the above, you have to start somewhere, so keep calm, set yourself a goal and a task list, and work through it one step at a time, and you will be amazed how soon your actions will get you to where you want to be. You have to remember the golden rule: you control your own destiny. If you wait on others for direction, you will never be able to really go out and have fun in your new career.

We Share Knowledge

Intake 2

The last day of the CompTIA Security+ course with our intake 2 students at McBride career group in Edmonton. They have now completed the technical training part of the program and only have a few more weeks to go to complete their job search phase. All of them have work terms arranged and are eager to get into the IT field. Wishing each and every one the very best success.

The pictures show a group photo below and the 5 top achievers on the left. These amazing students did not miss a single day during the entire program. Here they are with their prizes.