ZenGRC

Simply Powerful GRC

Cybersecurity

How To Get Compliant and Stay Agile

· ·

Agile companies do things faster.  When you think about agile regarding the lean startup model, you focus on quick wins, ruthless prioritization, external focus, and continuous improvement. At its core, agile development relies on continuous testing leading to continuous improvement. In cybersecurity, continuous monitoring enables an agile continuous compliance stance.

Agile Compliance Management

What are the lean-agile development methods?

Lean development means a set of principles designed to

  1. Eliminate waste
  2. Build in quality
  3. Create knowledge
  4. Defer commitment
  5. Deliver fast results
  6. Respect people
  7. Optimize the whole.

By eliminating inefficient processes, companies deliver software faster.
Agile development expanded on lean development, establishing twelve principles:

  1. Customer satisfaction
  2. Harnessing change for a competitive advantage
  3. Delivering working software frequently
  4. Bringing business and development departments together
  5. Supporting talent
  6. Conveying information efficiently
  7. Measuring progress by working software
  8. Promoting sustainable development
  9. Focusing on technical excellence
  10. Maximizing the amount of work not done
  11. Using a self-organizing team to build the best architectures, requirements, and designs
  12. Reflecting and readjusting

At their core, both methods focus on efficiency, communication, sustainability, speed, and quality.

How Agile applies to cybersecurity

Agile methods, by focusing on harnessing change, reflection, and readjustment, aligns well to cybersecurity. At their core, malicious actors are agile development superstars. They continuously readjust their attack methodologies to maintain the “quality” of their software, ensuring that they can stay one step ahead of cybersecurity protections.

Thus, for organizations to combat these threats, they need to create a security-first approach that functions the same way. As the old saying goes, if you can’t beat them join them.

What is agile compliance?

Agile compliance focuses on the same 12 principles, but rather than focusing on product creation, it focuses on threat mitigation. However, rather than customer satisfaction being the starting point, agile compliance from a security-first perspective treats customer data security and stakeholder satisfaction as the product.

When looking at governance, risk, and compliance (GRC) in cybersecurity, data integrity and availability acts as the path to customer confidence and satisfaction. With a security-first approach to compliance, you create an iterative process with monitoring, mitigation, and review that aligns your controls to protect your data.

Agile Compliance in Cybersecurity

A security-first strategy for protecting data leads to creating an agile compliance program. Security-first compliance focuses on the quality of your data controls ensuring that even when standards and regulations lag behind threat vectors and methodologies, you maintain a secure data environment.

Bringing business and IT departments together

Risk management begins with aligning business objectives to your IT assets. As your business scales, you need to ensure that your cybersecurity program can withstand the growth without being compromised. Therefore, you need to start by looking at the current technologies that enable business and determine whether you need more and can effectively mitigate the risks of additional vendors.

Using self-organizing teams to build your compliance program

Once you’ve aligned your business objectives to your IT department, you need to bring in leaders from across all departments. Every business unit uses supporting technologies, from Software-as-a-Service (SaaS) platforms to department-specific software. An effective compliance program requires you to create an inter-department team to review digital assets and the data they store, transmit, and process, they gain a holistic view of all software, systems, and networks.

Supporting talent

In agile compliance, supporting talent means understanding that everyone in the organization is responsible for cybersecurity. By creating a cyber aware culture wherein all employees understand how their work relates to the organization’s cybersecurity, you can maintain a more robust information security profile.

Focusing on technical excellence

Your CISO, CIO, and IT departments know how to protect your environment. They possess the technical skills to ensure continued control effectiveness. However, you need to provide them with the appropriate tools to enable their work.

Promoting sustainable organizational development

You want your business to grow. To do that, you need to bring in more business partners. Increasingly, organizations are adding more SaaS systems and migrating data to the cloud to ease the strain on their business processes. Sustainable organizational development, therefore, requires you to create a vendor risk management program that allows you to scale your business while maintaining a secure data ecosystem.

Measuring security by working controls

You need to translate key performance indicators (KPIs) into the language of business to enable a more robust compliance program. For example, a low percentage of critical systems lacking security patches means you’re maintaining working controls. Similarly, if you have a high percentage of network devices that meet configuration standards, you’re keeping your information secure.

Harnessing change for a competitive cybersecurity advantage

One malware or ransomware infected employee device can change your entire organization’s security profile in the blink of an eye. You need to be willing to seek out new tools to continuously monitor your systems, networks, and software for vulnerabilities. New tools that provide real-time visibility into the evolving threat landscape can help mitigate risks and protect data.

Delivering remediation solutions rapidly

Whether it’s a weak control or a data event, you need to be able to secure your information rapidly. According to Ponemon’s 2018 Cost of a Data Breach Report, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) increased from 2017 to 2018. Additionally, the longer it took to identify and contain the data breach, the more the breach cost. Deploying security automation tools, and harnessing changing technology, lowered those costs by decreasing the MTTI and MTTC.

Reflecting and readjusting

Everyone knows that data events are no longer an “if” but a “when.” You need a process that allows you to reflect upon the breach’s cause and readjust. To engage in this process, you need an audit trail that enables your organizational review. If you need to change how you protect your data, you need to know the location of the weak control.

Conveying information efficiently

You need to be able to share information between departments. All internal and external stakeholders need to be able to share information openly and efficiently. When managing a compliance program, your c-suite, CISO, CIO, department heads, and auditors need access to information necessary to carry out their jobs. Thus, you need a single source of information that allows you to track communications and manage documentation.

Maximizing the amount of work not done

With digital tools, you can automate mundane tasks. Finding tools that incorporate workflow management and document sharing can help you maximize the amount of work not done. If you can assign tasks and automate the task management process, you can save time and do less “work” in the long term.

Stakeholder Satisfaction

When it comes to data, all stakeholders need to be satisfied, not just customers. Customers need to trust that you protect their data. The c-suite and Board of Directors need to be confident that they understand the risks and mitigation strategies that protect data. Internal and external auditors need to be satisfied that you have met all industry standards and regulatory compliance requirements.

How ZenGRC Enable Agile Compliance

Fundamentally, a continuous monitoring program enabling continuous compliance and continuous auditing creates an agile compliance program.

ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

What is a Risk Management Plan?

· ·

We live in a world of “what ifs.” When it comes to data protection, the “what ifs” of security control effectiveness can change in a split second. One malicious actor finding a new zero-day exploit, or previously unknown vulnerability, can lead to a domino effect data breach up and down your IT supply chain.

Risk Management Planning

What is the Risk Management Process?

Risk management is the process of moving from risk identification to risk analysis to establishing risk mitigation steps.

Whew, that’s a lot of “risk” there. At its core, the risk management process requires you to make a lot of lists. The risk assessment process starts by taking a holistic view of where you store, transmit, and share information. Then, you look at potential risks to the integrity, accessibility, and confidentiality of that data.

Once you’ve created a list of all the places that someone could access data, you need to make a second list that ranks the importance of that information and incorporates a review of the probability the data could be compromised.

Finally, you need to use the second list to create a third list that explains whether you’re planning to accept, transfer, mitigate, or refuse the risk. However, you also need to document your reasoning to support those decisions and what steps you take to follow through on the decision.
That’s a lot of lists.

How to Analyze Potential Impact of a Risk Event

Within an information security context, several categories of risk event exist. Using information about the most likely events and statistics supporting data breach costs can help you forsee risks and estimate impacts.

Vendor Data Breach

A vendor data breach risk can be devastating. The Ponemon Institute reported that in 2017, 56% of reported data breaches arose from third-party vendors. The same report indicated that the average payout for a data breach was $7,350,000 including fines, remediations, and customer loss.

Malicious Attacks

The Verizon Data Breach Insights Report for 2018 noted that 73% of cyber attacks arose from organized criminal groups, nation-state or nation-state affiliated malicious actors. 2,216 of the 53,308 security incidents consisted of data breaches. 21,409 incidents arose out of denial of service (hacking) attacks.

Insider Issues

The Verizon report also provided information about the impact of internally caused risk events. End-users and system administrators accounted for a startling number of internal breach activities. Out of 277 total insider issues, these two categories accounted for a total of 134 security incidents. Meanwhile, social engineering accounted for 1,450 incidents and 381 confirmed data disclosures.

Why You Need a Risk Assessment Matrix

Qualitative risk reviews give you a guesstimate. Quantitative risk reviews let you define responses appropriate to not only the likelihood of an event’s occurrence but also the impact it might have. An event might not be very likely, but its impact may overwhelm your financial stability as a business. Therefore, the math doesn’t work out smoothly.

However, if you create a risk assessment matrix, you review data security risks across a spectrum allowing you to focus on essential and impactful risks first and then move through the risk spectrum to address other potential events accordingly.

How to Apply a Project Management Approach to a Cybersecurity Risk Management Plan

Taking a security-first approach to cybersecurity works similarly to managing a project. You need to start by detailing the risks and creating tasks that allow you to develop, test, and operate your data protections.

Using a Work Breakdown Structure (WBS) gives an excellent example of how to create a cybersecurity risk management plan using a project management approach.

A project manager needs to bring internal and external stakeholders together meaningfully so that everyone understands their responsibilities to meet project goals. Similarly, a chief information officer (CISO) needs to bring together the c-suite and department managers responsible for the different tasks inherent in vendor management and cybersecurity monitoring.

A WBS organizes internal stakeholder responsibilities by providing information about tasks and subtasks. Similarly, within information security compliance, you need to review standards and regulations for their part and subparts.

Using Project Management to Create Cybersecurity Risk Mitigation Strategies

Imagine your CISO is a project manager. Your IT department acts as his team members. Whether you’re bringing on a new Software-as-a-Service vendor or looking to become compliant with a new standard or regulation to scale your business, the risk mitigation steps remain the same.

In project management, you name your project. In cybersecurity, you decide what standard or regulation to which you want to align your controls.
In project management, you look at a variety of phases such as acquisition, engineering, testing, and manufacturing. In cybersecurity, you review risks, establish controls, continuously monitor threats, and remediate security events.

In project management, you prepare documentation and create a contingency plan for potential problems.  In cybersecurity, you establish policies and procedures for controls and create business continuity and disaster recovery plans.

Agile software and hardware development requires a continuous approach to reviewing the product throughout its life cycle. Similarly, cybersecurity risk management needs you to continuously monitor the threats to your data environment to ensure your controls remain effective.

How ZenGRC Enables A Project Management Approach To Cybersecurity Risk Management

Just like project managers need to communicate with their teams, your CISO needs a way to enable communication with internal and external stakeholders. Traditional tools like shared calendars for task assignment and emails for discussions take the time that could be better spent monitoring your cybersecurity.

Maintaining an effective information security program requires an efficient workflow tool to coordinate communication and task management across internal stakeholders.

ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it so that you can maintain records – up until the time you need to dispose of them.

With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Data Analytics Strategy For Internal Audit Effectiveness

· ·

Annually, Price-Waterhouse Cooper (PWC), the high profile audit firm, releases its “State of the Internal Audit Profession Study.” In 2018, this study focused on the difference between “Evolvers, “Followers,” and “Observers” for organizational approaches to adopting a data analytics strategy for internal audit effectiveness. The research found that those organizations embracing technology more often better aligned internal audit outcomes to their strategic plans – something that cybersecurity standards increasingly require.

Internal Audit Data Analytics Strategy

What is an Evolver?

PWC defines Evolvers as organizations advanced in their technology adoption. Meanwhile, Followers lag behind and adopt these technologies at a slower right. Finally, Observers take no notice of technology use to enable their internal audit functions.

Problematically, the report only defines 14% of organizations as Evolvers. However, it’s important to note that 75% of Evolvers highly value their internal audit function.

How Evolvers use Collaboration Tools

74% of Evolvers and 43% of Followers currently use collaboration tools. As your audit program matures, more stakeholders need to be included in the audit process . For example, shared drives and intranet sites enable cross functional communication between internal stakeholders.

However, these tools still require you to manage the conversations and reminders. As you increase the number of stakeholders, you also increase the number of administrative follow-up tasks. The creates a burden for the internal auditors limiting their ability to effectively and efficiently carry out audit tasks. With time allocations being a key performance indicator for many audits, workflow struggles can diminish the effectiveness of the internal audit function.

Supervision and gathering audit documentation remain primary reasons for audits to take longer than their allocated time. The Chartered Institute of Internal Auditors explains that conversations between the audit manager and internal auditor eases the time management burden. Moreover, gathering audit evidence often increases the time allocated as risks not being appropriately controlled need additional investigations.

Using dashboards with effective workflow task management functionalities enables audit teams to not only communicate effectively but to share documentation that diminishes the time spent on audits.

How Evolvers use Risk Assessment and Audit Planning Tools

Evolvers focus on having an analytics strategy that enables stronger risk management to focus audit testing procedures on prioritized risks. As part of the enterprise risk management process, you need insight into the continuously evolving risks that threatening your organization. A primary directive of governance, risk, and compliance (GRC) program objectives includes not simply moment-in-time risk evaluation but continuous monitoring of the environment.

In cybersecurity, this continuous monitoring becomes more important. Zero day attacks, attacks that use previously undiscovered vulnerabilities, can undermine controls at any moment.

Since cyberseccurity risks can change in a heartbeat, big data that reviews threats as they arise can enable a stronger security, compliance, and audit stance. Open source intelligence (OSINT) has been around for more than fifty years, but big data collection and analysis allows for more organizations to incorporate it.

For example, malicious actors review vulnerabilities across the internet to try to gain unauthorized access to your information. Public facing systems, like customer portals, offer insights to hackers that you might otherwise miss. The Google Hacking Database allows insights into your systems without actually touching them. Using these types of publicly available OSINT services allow you to better evaluate risks so that you can more appropriate target the highest risks for auditing purposes.

How Evolvers use Reporting and Ongoing Monitoring Tools

The same tools that enable stronger risk management strategies also enable you to continuously monitor and report your security, compliance, and auditing effectiveness.

Taking a security first approach to compliance and audit requires automation and, increasingly, artificial intelligence. To better enable you internal audit department, you need tools that help you look at what has happened, what is currently happening, and what may likely happen.

Utilizing analytics capabilities, you can incorporate predictive outcomes that are likely to threaten your data environment. For example, the PWC “What to expect from artificial intelligence” report explains that AI is enabling malicious actors to more rapidly advance malware.

If you’re using similar predictive technologies to advance your analytics maturity level, you’re less likely to have a security breach. Fewer security breaches, even with the advent of new risks, allow you to maintain the appropriate level of security that mitigates outdated standard and regulatory required best practices. The required control may fail under a zero-day attack, but with analytics capabilities, you can maintain effective data protection.

How Evolvers Maintain Continuous Auditing Capabilities

Reviewing risk is the first step. Maintaining a strong cybersecurity control system is the second step. Proving that you’ve mitigated risks as part of your internal audit procedures is the third, and final, step.

Evolvers incorporate not only data analytics to manage and mitigate cybersecurity risks, but they also incorporate dashboard and Software-as-a-Service (SaaS) tools to continuously document their compliance stance. A traditional audit approach focuses on a single moment-in-time glimpse at your IT security. However, increasingly you need real-time insights to prove a continuous compliance approach to data protection.

With that in mind, you need a told that not only eases communication between stake-holders but that enables continuous documentation and insight.

How ZenGRC Creates Evolvers

ZenGRC’s System-of-Record makes continuous auditing and reporting easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Top Issues Facing Compliance Managers in the Oil & Gas Industry

· ·

With malicious actors targeting critical utilities. the top issues facing compliance managers in the oil and gas industry revolve around cybersecurity. A single intrusion to a power grid or energy source provider can cripple global economies. Regulatory compliance for the energy sector needs to be viewed through a “security-first” lens to ensure ongoing protection of systems that power the world.

Regulatory & Compliance Issues in the Oil and Gas Industry

What is the security status of the oil and gas industry?

According to the Department of Energy 2018 multiyear plan, Nation-state actors increasingly target the energy industry infrastructure. According to a 2015 Director of National Intelligence report, cybercriminals were working to find ways to remotely access industrial control grids. The focused cyber attacks on critical utilities include probes, data theft, and new malware.

According to the Department of Energy, the 2015  average annual cost of cybercrime to the energy and utility industries was $27.62 million. In February 2017, the Ponemon Institute released The State of Cybersecurity in the OIl & Gas Industry: United States. The key findings, based on 377  individuals responsible for security in the oil and gas industry, included:

  1. 35% rated operational technology environment as cyber ready.
  2. 68% had operations with at least one security compromise.
  3. 59% felt operations technology was at greater risk than information technology.
  4. 67% believe industrial control systems risks increased over the past few years.
  5. 61% felt their industrial control systems protection and security was inadequate
  6. 65% felt insider negligence posed the largest security threat.
  7. 15% felt malicious or criminal insiders posed a risk minimizing the importance of advanced monitoring.
  8. 41% continually monitor all infrastructure.
  9. 46% of operational technology cyber attacks remain undetected.
  10. 68% felt security analytics helped achieved a stronger security posture.

What exploits and security breaches threaten the oil and gas industry?

New trends in digitizing the energy sector also increase the likelihood of cyberattacks. For example, the industry increasingly connects smart gas, water, and transportation using the Internet of Things (IoT). Simultaneously, the oil and gas industry supervisory control and data acquisition (SCADA) systems use outdated, insecure software.

Attacks to the operational technology environment remain undetected thus disrupting operations for longer periods of time. Lack of awareness directly correlates to the infrastructure security tasks remaining incomplete. Organizations lacking awareness leads to a vicious cycle of non-investment in infrastructure security. Overall, the data most at risk seemed to be exploratory information and production information.

How digitization of the oil and gas industry increases security risks

From an IT security standpoint, increased digitization is a primary reason that most oil and gas companies are at risk. Although they need to update operating technology to integrate with IoT, many use insecure legacy systems. The movement to digitize also increased the number of vendors integrated into the supply chain, increasing the risks.

Integrated into operations in the 1960’s, supervisory control and data acquisitions systems (SCADA) enabled the oil and gas industry to efficiently manage process production. The SCADA systems enable companies to control and monitor their operational technologies by using sensors to collect and transmit data.  SCADA systems remain embedded in the oil and gas industry due to historical use.

However, SCADA systems which work well to enable operational technologies were not intended to connect to information technology networks. Thus, they often do not incorporate the needed security features to protect against external intrusions.

What are the security problems with connecting operational technology and information technology?

The primary security issue arising out of these connections lies in the number of vendors used to enable business solutions. The increasing sophistication of ransomware combined with the cybersecurity gaps make the Industrial Internet of Things (IIoT) and its connection to Industrial Control Systems (ICS) problematic.

As evidenced by 2017’s WananCry and the continued evolution of ransomware through 2018, malicious actors will likely focus on industrial ransomware attacks. Nation-state actors look to control global politics through fear while the rise in daily technology use makes the energy sector more critical overall. For example, as more individuals and businesses use smart home technology to control heat, the oil and gas sector becomes a greater target.

While traditional IoT remains a security issue, even more risks face IIoT. Media outlets increasingly put pressure on smart home technology but do not incorporate the same level of responsibility for IIoT, likely because they do not know it exists. Therefore, as IIoT technologies connect the operational industrial network to the IT landscape, they create a weak point in the cybersecurity protections, effectively a backdoor for hackers.

How to secure effectively secure the IIoT and IT environment connection within the oil and gas industry

The first step to better securing the oil and gas industry comes from engaging in a risk mitigation strategy. Increased vendors and technology use add to the complexity of securing the operational and information technology environment.

Understanding the vulnerabilities and risks allows oil and gas companies to begin the process of risk mitigation. IIoT vendors who enable information sharing across and between the operational and information technology environments access critical data and systems. Their vulnerabilities and risks translate directly to the oil and gas sector’s stability. Some suggestions to help secure the IIoT, IoT, operational and information data landscapes, however, include:

  1. Create a list of information assets
  2. Create a list of all applications and systems that connect to your IT network
  3. Create a list of all vendors
  4. Define risks to the IT environment, including software, systems, networks, devices, and vendors.
  5. Review Service Level Agreements to maintain supply chain security
  6. Establish controls that protect systems, networks, and applications to mitigate risks.
  7. Continuously monitor the IT environment to ensure ongoing control effectiveness

How ZenGRC Eases Security-First Compliance for the Oil and Gas Industries

Taking a security-first approach to compliance enables the oil and gas industries to better protect their operational and information technology environments. However, documenting continuous monitoring efforts remains a pain point. After establishing controls to mitigate threats to the data environment, companies need to map those controls across the various frameworks and regulations. For example, mapping controls to both NIST and ISO 27001 becomes time-consuming if done manually.

ZenGRC’s System-of-Record makes collecting audit information easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Why International Women’s Day Matters to Information Security

· ·

International Women’s Day, celebrated on March 8 every year, focuses on women’s hidden contributions to society. In the information security space, women remain outnumbered.  While in 2013, women represented 11% of the global cybersecurity workforce, the number increased to 20% for the first quarter of 2018. However, this percentage continues to be less than the representation of women in other fields. Focusing on diversity and inclusion means more than hiring people; it means raising voices and boosting those voices.

Why It Matters to Celebrate International Women’s Day in Information Security

What is International Women’s Day?

International Women’s Day, observed since the early 1900’s, represents a collective call for gender parity. With women still earning less money and notoriety than men in many workplaces, the day raises voices to help promote women’s continued contributions.

Why is Discussing International Women’s Day Important to Cybersecurity?

The movie Hidden Figures increased public awareness regarding women’s role in creating computers. Celebrating Dorothy Vaughan, Mary Jackson, Katherine Johnson, and Christine Darden provided the first step in sharing women’s contributions to computing. Within the smaller niche of cybersecurity, however, women remain woefully under-recognized.

On March 5, 2018, the new Our Security Advocates Conference (OURSA) announced its April 7 inaugural conference as a response to the woefully deficient representation of women at the annual RSA Conference. With only one female keynote speaker out of twenty, the RSA Conference’s 5% representation fell short of industry representation by a full 15%.

Therefore, promoting women’s roles in the information security and cybersecurity space becomes even more critical. When industry-standard conferences ignore women’s value in this space, female workforce members remain sidelined and ignored. However, their contributions have been many and valuable through the history of the information and cyber security spaces.

How One Woman Pioneered the Information Security Space: Becky Bace

In March 2017, the cyber security family lost one of it pioneers and first Founding Mothers, Becky Bace. Her career began in the 1980’s working at the U.S. Department of Defense with the NSA’s National Computer Security Center as an early information security program manager.

As prominent as her security work, Bace’s work as mentor and friend led many to refer to her as “Mama Bear.” Her email handle “infomom” testified to her desire for nurturing start-up companies and new entrants to the security space.

While people often use the word “pioneer” indiscriminately in the technology world, many agree that Bace’s impact defined the term. In August 2017, O’Reilly Media commemorated Bace’s active, emotionally powerful career by creating the Rebecca Bace Pioneer Award for Defensive Security, presented at its annual conference.

How One Woman Helped Establish Information Security Training: Judy Novak

Everyone in the cybersecurity and information security recognizes the SysAdmin Audit Network and Security Institute (SANS) as the premier training organization in the industry. SANS certifications continue to represent the highest standard in ongoing information security education.

What many new to the industry may not realize is that Judy Novak has been working with them since 1998. Over her twenty years with SANS, she has instructed at camps, written courses, and earned the 2010 Lifetime Achievement Award.  She also holds patents for target based TCP timestamp reassembly, TCP reassembly, and IP fragmentation devices and systems. With this background, she developed a majority of the SANS TCP/IP course that analysts use for certification.

As a Founding Mother in the information security space, she worked as a founder of the Army Research Labs Computer and Incident Response Team.

How One Woman Broke Security Barriers: Michele Guel

As a woman working in information technology since 1983, Michele Guel epitomizes the definition of Founding Mother. In 1983, not only was IT a new field, but women faced a lower glass ceiling than today.

In 1985, she transitioned to the National Aeronautics and Space Administration (NASA) where she founded the information security program for the Numerical Aerodynamic Simulation (NAS) facility. Her work there included testing and installing new security tools and responding to security events while also providing training to workforce members.

In March 1996, she moved to Cisco Systems to work in what later became the Security and Trust Organization. In 2010, she became one of ten female Distinguished Engineers at Cisco. She continued to inspire women by co-founding the Cisco Women in Cybersecurity Community in 2014.  

How One Woman Created Bug Bounty: Katie Moussouris

Founder of Luta Security, Katie Moussouris created Microsoft’s bug bounty program in 2008. A frequent speaker at conventions, Moussouris recently addressed the U.S. Senate about data security and bug bounty programs.

Her career began in the mid-1990s as a genotyping data manager at MIT. By 1999, she was developing initial security response teams which later allowed her to transition to creating automated test suites for intrusion detection software.

A Founding Mother in the security realm, she continues to advocate both for women and information security on Twitter where she has over 49,000 followers.

How One Woman Focused on Legal Protections in Cybersecurity: Christina Ayiotis

Christina Ayiotis began her legal career working with toxic tort and environmental insurance law during the heavily litigated late 1980’s. Alway at the cutting edge of legal issues, Ayiotis transitioned from protecting the physical environment to safeguard the information environment during her time at Ernst & Young International in the late 1990’s where she was responsible for the Global Knowledge-Sharing Agreement documentation process focusing on data protection, privacy, and copyright.

In 2011, she established an independent consulting business focusing on legal issues in the cybersecurity and information security field. Her work includes strategic and operations consulting for cyber risk management and preparedness as part of her variety of services and expertise.

How One Woman Worked to Create Sustainable Ethics and Diversity in Information Security: Cecily Joseph

Like several other Founding Mothers, Cecily Joseph began her information security career working outside of the cybersecurity space as director of the Veritas Software Corporation’s legal department.

Her July 2005 transition to Symantec focused her work on developing a more diverse workforce. Her corporate responsibility report won a 2008 Ceres-ACCA Sustainability Reporting Award. Her work led to Symantec’s listing on the HRC Best Places to Work for LGBT Equality and its reputation as World’s Most Ethical Company.

Her current work in online safety education and cybersecurity skill development overlaps with her ongoing work that champions diversity and inclusion.

How One Woman Protected Free Speech Online: Eva Galperin

As technology changed, so did the face of women in cybersecurity and its Founding. Eva Galperin’s work in protecting free speech online arose out of her political science and international relations background.

In 2007, Galperin started working with the Electronic Frontier Foundation (EFF) which focuses on protecting free speech rights on the Internet. With the rise of social media beginning at the same time, her work in cybersecurity, privacy, and the internet placed her directly into uncharted territory. Her work with EFF includes writing privacy and security training materials while her published research addresses malware in Syria, Vietnam, and Kazakhstan.

Why Celebrate Women’s Contribution to Information Security?

ZenGRC dedicates itself to enabling IT, security, and compliance community members. Showcasing the superpowers of governance, risk, and compliance means showcasing those who create the community. Supporting Women in Security and Privacy is only one step to showcasing our ethical and sustainable business model. Continuing to hire a diverse team and boosting diverse voices aligns with our corporate strategy and mission.