The former superintendent of the New York State Department of Financial Services explained how the structure of a cybersecurity program mirrors that of a compliance program and can be divided into four buckets during a panel discussion at Compliance Week’s virtual Cyber Risk & Data Privacy Summit.

Maria Vullo, now an adjunct professor of law at Fordham University, said a strong cybersecurity program is structured with prevention, protection, mitigation, and governance as the core pillars.

Vullo advised starting with a risk assessment, stressing that prevention is a “foundational requirement” of any good cybersecurity framework and that the assessment itself is not something companies should set and forget.

“Risk assessment should be a periodic exercise when things change and new information or new businesses get acquired,” she said, noting that once potential vulnerabilities are identified, “then the access controls and all the other controls and defensive infrastructure that may be built in encryption, data governance, (and) asset inventory” can take shape.

‘No easy button’ to zero-trust model

Jamie Miller, chief executive at cybersecurity solutions company Mission Multiplier, explained the difficulty of implementing a zero-trust security model at Compliance Week’s virtual Cyber Risk & Data Privacy Summit.

“It’s really a myriad of different technologies, business processes, and policies that all need to come together and work together to achieve a zero-trust environment,” Miller said.

One of the key elements of a zero-trust framework, according to Miller, is implementing two-factor authentication.

“You need to understand the identities of all your users,” he said. “Who’s accessing your environment fundamentally, who’s coming into your network—making sure you’re authenticating who they really are.”

Miller said while continuous monitoring is a large part of a zero-trust model, simply setting up automated scans isn’t enough.

“You could be running these automated scans, but if you’re not taking the action and doing the remediation and analysis” then you could run into problems, he said. “It’s not just set it and forget it.”

Miller also noted the process takes time.

“You have to acknowledge this is not something that happens overnight,” he said. “You’re going to have to start slowly, going through some of these fundamentals and building it into your culture and how you do business.”
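Miller's point that scans without remediation and analysis are not enough can be made concrete with a small tracker. The Python below is an added example, not code from the panel or from Mission Multiplier: it takes two constructed scan runs, works out which findings are new, still open or remediated between runs, and flags open findings that have outlived an assumed per-severity remediation SLA. The scan records, host names, finding identifiers and SLA values are all constructed for illustration.

```python
"""Track remediation across successive vulnerability scan runs.

Added example. The scan records below are constructed, and the SLA
thresholds are an assumed policy, not a regulatory requirement.
"""
from datetime import date

# Assumed remediation SLAs in days, keyed by severity (constructed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scan output: each run lists the findings present on that date.
# A finding is identified by (host, finding id); the scanner's own output
# format does not matter, only that each run is the set of open findings.
SCAN_RUNS = {
    date(2024, 3, 1): [
        {"host": "db01", "id": "CVE-2023-0001", "severity": "critical"},
        {"host": "web01", "id": "CVE-2023-0002", "severity": "high"},
        {"host": "web01", "id": "SSL-WEAK-CIPHER", "severity": "medium"},
    ],
    date(2024, 4, 15): [
        {"host": "db01", "id": "CVE-2023-0001", "severity": "critical"},   # still open after 45 days
        {"host": "web01", "id": "SSL-WEAK-CIPHER", "severity": "medium"},  # still open after 45 days
        {"host": "vpn01", "id": "CVE-2024-0003", "severity": "high"},      # new in this run
    ],
}


def track_findings(runs):
    """Fold scan runs (oldest first) into one record per (host, id).

    Each record carries first_seen, last_seen, severity and a status of
    "open" or "remediated". A finding absent from a later run is marked
    remediated; if it reappears in a still-later run it is reopened.
    """
    tracked = {}
    for run_date in sorted(runs):
        seen_now = set()
        for f in runs[run_date]:
            key = (f["host"], f["id"])
            seen_now.add(key)
            if key not in tracked:
                tracked[key] = {"first_seen": run_date, "last_seen": run_date,
                                "severity": f["severity"], "status": "open"}
            else:
                tracked[key]["last_seen"] = run_date
                tracked[key]["status"] = "open"
        # Anything previously tracked but missing from this run is closed.
        for key, rec in tracked.items():
            if key not in seen_now and rec["status"] == "open":
                rec["status"] = "remediated"
    return tracked


def overdue_findings(tracked, as_of=None, sla_days=SLA_DAYS):
    """Return open findings whose age exceeds the SLA for their severity.

    as_of defaults to the most recent scan date present in `tracked`.
    The result is sorted oldest first so the worst backlog surfaces on top.
    """
    if as_of is None:
        as_of = max(rec["last_seen"] for rec in tracked.values())
    overdue = []
    for (host, fid), rec in tracked.items():
        if rec["status"] != "open":
            continue
        age = (as_of - rec["first_seen"]).days
        limit = sla_days[rec["severity"]]
        if age > limit:
            overdue.append({"host": host, "id": fid, "severity": rec["severity"],
                            "age_days": age, "sla_days": limit})
    return sorted(overdue, key=lambda r: r["age_days"], reverse=True)


if __name__ == "__main__":
    records = track_findings(SCAN_RUNS)
    for row in overdue_findings(records):
        print(row)
```

Run against the constructed data, only the critical finding on db01 is overdue: it has been open for 45 days against a 7-day SLA, while the medium finding is within its 90-day window and the new high finding has no age yet. The scan output on its own would show all three as open; it is the run-over-run tracking and the SLA comparison that turn scanning into the remediation follow-through the panel describes.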

For protection, Vullo said having the proper monitoring systems in place to quickly detect gaps and intrusions is paramount. Continuous monitoring, rather than periodic point-in-time checks, is regarded as the approach that best satisfies regulators’ requirements and the White House’s recommendations.

Mitigation involves having an incident response plan and a disaster recovery program, according to Vullo, while governance includes appropriate resources, independent reporting structures, and managing third-party vendor security.

Vullo also flagged stale data that is retained rather than deleted as a risk to many companies. Fellow panelist David Sherman, partner at law firm BakerHostetler, agreed.

“I’ve helped clients respond to slightly over a thousand security incidents in my career. So far and across the board, the thing that pops up invariably—whether it’s ransomware, an email compromise, a network intrusion, you name it—is, ‘My goodness, why do I have this stuff?’” Sherman said. He explained how establishing reasonable data retention policies can mitigate risk.

“If we can identify where those critical data stores and critical systems exist within our network; take whatever limited resources we have; and bolster the security, defenses, and visibility into what’s happening within those critical environments, no matter what it’s going to put you in a better position from a regulatory and governance perspective,” Sherman said.

Darren Hayes, founder and director of Pace University’s Digital Forensics Research Lab, ranked cyberattacks linked to political events, use of internet of things (IoT) devices, and lax remote work culture as his top cybersecurity trends.

“It’s absolutely amazing the amount of these unsecured IoT devices. Why? Because they’re built cheaply,” Hayes warned. “They’re mass produced and integrate very little security. People don’t want to pay a whole lot of money for that IoT device they put in their home.”

Sherman agreed the work-from-home culture brought on by the Covid-19 pandemic is a risk due to employees “perhaps taking a slightly more casual approach to security at home.”