Best-in-breed cybersecurity—when it comes to governance, strategy, and tactical execution—rests on four pillars. At Agio, we’ve coined it ADEPT, reflective of Agio Diligence, Expertise, Process, and Technology.
All four components are vital in and of themselves, and all reinforce each other. If any part is weak or neglected, your entire program suffers. Note that Technology is last in this equation. This is deliberate: while many decision makers ruminate over which technology to select for their cybersecurity defenses, the Technology you use is the least impactful of the pillars when compared with Diligence, Expertise, and Process. Certainly, everyone wants to buy the latest and greatest technology solution, but if you’re seeking effectiveness, you’re better served spending your time and money establishing a strong governance culture where, again, the other pillars are explored and hammered home.
Here’s how it all works…
We mean both diligence in addressing the entire range of cybersecurity challenges in your organization, and persistence in continuing to monitor and look for better ways to address said challenges.
It involves regular, painstaking reviews of data and new business processes to identify new vulnerabilities, including any shadow IT applications employees may have introduced.
Diligence also means staying the course when internal security initiatives aren’t showing immediate results or getting a sufficient level of adherence from employees or support from managers, who still may not see cybersecurity as a vital part of their job. Rather than throwing up our hands, we look for new ways to engage managers and other employees, raise awareness of the need to follow cybersecurity procedures and encourage active participation where it will make a difference. In other words, get creative in order to get the attention you need for people to care about cybersecurity.
Finally, diligence means going further than just checking the box when testing and monitoring. Instead, we look deeper into potential vulnerabilities when our instincts, born of years of experience in key industries, call for it.
Expertise is closely connected to diligence. You can only persevere in the face of neglect or pushback when you are confident about the level of experience and cybersecurity knowledge you bring to the table.
With our extensive experience in the financial, health care and payments industries, we know how these organizations work, how their systems operate, the information assets they need to protect, the compliance standards they need to meet, and where to look for vulnerabilities. We also stay abreast of new solutions and cybersecurity strategies used by other organizations in the same industry to understand trends on what’s working and what’s not.
But how do you measure the value of a firm’s experience? For Agio, we use the stories we encounter in the field. For instance, our team’s expertise and diligence worked together to discover a critical vulnerability during a comprehensive penetration test for one of our hedge fund clients. This specific vulnerability affected the default installation settings for Bloomberg Professional Client software, and could’ve potentially compromised more than 300,000 Bloomberg subscribers, including the nation’s largest commercial banks, investment banks, hedge funds, private equity funds, asset managers and mutual funds.
Prior to our discovery, at least 1,000 assessments of that software had been performed without anyone uncovering the vulnerability. The problem is that many cybersecurity firms focus on external surfaces or exposures identified by automated scanning tools. Yes, knowing how to use best-in-breed cybersecurity tools is essential, but we use these tools as a jumping-off point. Our diligence leads us to dig deeper, and when this approach is combined with years of cybersecurity and industry experience, our engineers pick up on things others miss.
There are many ways to structure an organization’s cybersecurity program, and all of the processes involved need to be laid out and understood, not just by the cybersecurity team but by IT, business unit leaders and executives.
We know what structures and processes work best in different circumstances. More importantly, however, experience has taught us that the critical factor is not the process itself, but adherence to that process, day in and day out. When any element of your cybersecurity process is bypassed or receives only cursory attention, the whole program’s effectiveness is undermined.
So for example, we ask…
- Has our assessment covered all the possible areas of vulnerability?
- Is the cybersecurity team regularly monitoring all data?
- Are new methods and technologies routinely explored?
- Are employees following procedures to minimize risk?
- Are business unit managers fully versed on procedures to follow if a breach occurs, and do those procedures need to be updated?
We consistently test and evaluate technology, specific to your industry, to make sure you’re using the right tools to solve the right challenges. We also determine whether you’re spending more than you need to when other solutions or approaches are available. And we evaluate whether any new technology will be a good fit within your organization’s existing security systems, relevant business processes, anticipated changes in compliance mandates and projected growth.
Finally, when we install best-in-breed technology, we have the expertise to exploit its full functionality.
All together now…
Our ADEPT approach addresses the full circle of cybersecurity risk management – effective today and adaptive for tomorrow.