How to lessen the impact of complying with DFARS CUI requirements (DFARS 252.204.7012) or the CMMC program assessment you may be required to meet. Yes, the costs will be high esp. for an SMB. The answer is a business answer and not a cybersecurity answer at all. When I study P&L statements and balance sheets with my financial review team (these days that means by myself :p), I see large expenses that are spread out across months and quarters. This is how to avoid that large lump payment that hurts. The same goes for the DFARS and CMMC preparations. Spread out your workload across 12-18 months. Pay for services as you need them in small affordable amounts. For example, make a $30k CMMC preparation a $1600/month expense over 18 months. There is another secret benefit to this approach - most compliance experts will tell you that it takes that long anyway if you are to truly implement a proper and passable cybersecurity program. So many of the answers to managing a cybersecurity program can be found in the daily business practices you are already doing. I have been studying how to lessen the burden on SMBs to achieve compliance and have some controversial ideas that I have been slowly unwinding here. They include:
1. [Executive Leadership] CEO emotional intelligence (EQ) - no, this is not an attack but a concept for executive leadership if you have read anything about it [Subtopic: Executive Coaching]
2. [Team Building] Team transparency and commitment.
3. [Project Management] Use of tools like OKRs to keep the 18-month program on track and accountable to each other (another sign of EQ). Trust is good but verification is better.
4. [IT Planning and Management] Putting together the right mix of tools (yes, you might choose to buy some software for parts of this) that will help you cover a majority of the security controls and requirements without overlap.
5. [Board Room Discussion] Consideration of your IT architecture and migrations to platforms that will ease the compliance burden.
6. [HR] Find a compliance SME that your team can work with over the 18 months and beyond. Get the right consultant on the bus and get the wrong consultant off the bus.
Food for thought. #CW #ceomindset #CMMC #cybersecurity #DFARS
John "Lt" Sciandra vCISO, CISSP, CMMC Lead CCA/Instructor’s Post
More Relevant Posts
Following up on last week's post about intellectual honesty in the MSP space, this week we delve into how to choose the right Managed Service Provider (MSP) for your organization. Intellectual honesty is a crucial factor to consider during this selection process, as it directly impacts the quality and reliability of the service you will receive. When evaluating MSPs, here are key factors to help you identify intellectual honesty and make an informed decision:
Transparency in Communication: What to Look For: An MSP that clearly communicates the capabilities and limitations of their services, avoiding overpromising or underdelivering. Red Flags: Vague answers, reluctance to provide detailed information, or evading direct questions.
Evidence of Accountability: What to Look For: An MSP that owns up to past mistakes and demonstrates how they have addressed and learned from them. Red Flags: Blaming clients or external factors for issues without taking any responsibility.
Comprehensive and Realistic Assessments: What to Look For: An MSP that conducts thorough assessments of your current IT environment and provides realistic recommendations tailored to your needs. Red Flags: Generic solutions or recommendations that seem too good to be true without thorough understanding of your specific requirements.
Proactive Risk Management: What to Look For: An MSP that identifies potential risks and provides strategies to mitigate them, ensuring compliance and security. Red Flags: Downplaying risks or offering oversimplified solutions to complex problems.
Commitment to Continuous Learning and Improvement: What to Look For: An MSP that stays updated with the latest industry trends and continuously invests in the education and certification of their team. Red Flags: Outdated practices, lack of ongoing training, or an unwillingness to adapt to new technologies.
Client References and Testimonials: What to Look For: Positive feedback from current clients that reflects the MSP's integrity and reliability. Red Flags: Difficulty providing references or a lack of recent testimonials.
By focusing on these factors, you can identify an MSP that embodies intellectual honesty and aligns with your organization's values and needs. At Net Friends, we prioritize transparency, accountability, and continuous improvement, ensuring that our clients receive the highest level of service and trust. Choosing the right MSP is a critical decision that can significantly impact your organization's success. Make sure your choice is guided by intellectual honesty to build a trustworthy and effective partnership. #MSP #IntellectualHonesty #TechLeadership #NetFriends #Cybersecurity #Compliance #ITSupport
Back in 2021, I attended a Dynamic CISO conference which had an interesting topic on cybersecurity readiness for boards. At the time, I wasn't fully aware of the vital role independent directors and Board members play in corporate governance and risk management. But that session opened my eyes and sparked a new ambition in me—to contribute at the board level and share the best of both sides: as a cyber leader sharing insights with board members, and as an independent director who understands cyber risks and business risks and shares the strategies and roadmap. Trust me, it wasn't an easy path. information security manager < CxOs < Board member. Understanding governance from a director's perspective took time and effort, but I was determined to grow my knowledge. After months of studying, setbacks, and preparation, I'm proud to share that I've recently cleared the Independent Director Proficiency Test and am now an IICA-certified independent director. I've always believed that independent directors play a critical role in offering fresh perspectives, ensuring accountability, and managing risk—especially in today's evolving digital landscape. Now, I'm ready for this next chapter, excited to contribute my skills in cybersecurity and governance to help organizations. #IndependentDirector #Cybersecurity #Governance #RiskManagement #Leadership
The authoritative source for #InfoSec #Security #CyberSecurity #Leaders #CISO #CSO #Security #Privacy #SecurityByDesign #PrivacyByDesign #Leadership #Strategy #DefenseInDepth #SecDevOps #DevSecOps - get your copy now: https://lnkd.in/bkhVr8U
NIST finally dropped version 2.0 of the Cybersecurity Framework (CSF). Here's why you must pay attention to the update:
🔹 Version 2.0 highlights supply chain management and governance, essential for today's connected digital ecosystem.
🔹 Version 2.0 emphasizes governance and supply chain management, which are crucial for today's interconnected digital ecosystem.
🔹 It introduces new tiers for assessing cybersecurity maturity, making it easier for companies of all sizes to benchmark and improve their security posture.
🔹 The update aligns closely with business objectives, ensuring that cybersecurity measures contribute to overall business performance and resilience.
🔹 For AI-driven companies, this means a more integrated approach to managing cybersecurity and other business risks, maximizing security and innovation.
🔍🔍 Here are five significant distinctions between NIST CSF 2.0 and version 1.1. 🔍🔍
🔹 'Govern' is introduced: 'Govern' is a new core function included in CSF 2.0 that highlights how cybersecurity and risk management are strategically aligned.
🔹 Increased Emphasis on Supply Chain Risks: Considering the current digital ecosystem's rising complexity and interconnection, the updated edition emphasizes managing cybersecurity risks inside the supply chain.
🔹 Improved Tier Descriptions: CSF 2.0 includes more thorough explanations of the Tiers, giving businesses more precise direction for going from fundamental to sophisticated cybersecurity risk management procedures.
🔹 Expanded Incident Response and Recovery Guidance: Organizations are supported in managing and recovering from cybersecurity incidents with more thorough guidance on incident analysis, response, mitigation, and recovery.
🔹 Integration with Privacy Frameworks: The revised framework proposes using the NIST Privacy Framework in addition to the CSF to address privacy issues, acknowledging the interaction between cybersecurity and privacy.
😞 My biggest disappointment? #SecureSDLC and #AppSec are still left out. How will NIST 2.0 change your cybersecurity program's approach to support innovation and commercial expansion? I'd love your take. #cybersecurity #CISO #RockCyber #leadership #nistcsf #riskmanagement
As we close 2024, has your organization implemented NIST 2.0? Do you need to tackle it in 2025? Connect with me to discuss options. Key highlights of CSF 2.0 include:
🔹 New "Govern" Function: A pivotal addition to address risk management and align cybersecurity strategies with organizational goals.
🔹 Broader Applicability: Designed for organizations of all sizes and sectors, with tools like quick-start guides and mapping resources to over 50 related documents.
🔹 Focus on Supply Chain Risk: Greater emphasis on managing third-party and operational technology (OT) risks, critical for industries like manufacturing and utilities.
🔹 Adaptable Framework: Support for various maturity levels, making it easier for businesses to scale and refine their cybersecurity strategies.
This update acknowledges the challenges of today's digital ecosystem, where identity management, third-party risks, and regulatory demands are increasingly critical. As cybersecurity shifts from being a cost center to a core enabler of business resilience, CSF 2.0 empowers leaders to integrate security into their strategic decisions effectively. Check out the details here: SecurityWeek Article. What are your thoughts on the new framework? Will your organization adopt these updates? Let's discuss! 💬 #Cybersecurity #NISTCSF #RiskManagement #Framework #Leadership #opentowork #vCISO #ElevateIT
I am delighted to share my achievement of the C|CISO EC-Council certification. Thanks to all my fellow #CISOs and #cybersecurity #professionals for continuous interactions, awareness, sessions, and enabling small steps every day towards continuous improvement. #EliteCISOs CISOPlatform The Certified Chief Information Security Officer (C|CISO) certification exam covers five essential domains related to information security management. Understanding these domains is crucial for #effective #leadership and #decisionmaking in the field of cybersecurity. The domains covered in the C|CISO certification exam include:
- Governance, Risk, Compliance (#GRC),
- Information Security #Controls and #Audit Management,
- Security Program Management & #Operations,
- Information Security Core Competencies, and
- #Strategic Planning, Finance, #Procurement, and #ThirdPartyManagement.
By continuously practicing these domains through #linkedincommunity and #linkedinelearning, we as CISOs or passionate cyber enthusiasts can gain a holistic understanding of security frameworks, policies, procedures, audit processes, and risk assessments. Additionally, we can align security strategies with business goals, manage security projects, and oversee incident response, business continuity, and disaster recovery. I am sure we are thought already into it. However, continuous #learning with these real-world experiences enhances our leadership skills and generates more confidence in our #skills. Special Thanks Dr. Lopa Mudraa Basuu 🇮🇳 George Hlaing CISSP, ISSAP, CISA #cyberawareness #cyberdefense
🚀 The NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide is designed to help smaller organizations implement a structured approach to managing cybersecurity risks. This guide simplifies the RMF process, which is typically used by larger entities, to fit the needs and resources of smaller enterprises. It provides a step-by-step approach for identifying and assessing risks, implementing security controls, and continuously monitoring and improving the security posture. By tailoring the RMF to smaller operations, the guide ensures that even with limited resources, small enterprises can effectively safeguard their information systems and comply with federal guidelines. It emphasizes practical, scalable solutions and best practices to help these organizations integrate robust risk management processes into their day-to-day operations. 🔔 Stay connected for industry’s latest content – Follow Dr. Anil Lamba, CISSP, AWS, CISA, CDPSE, CRISC #linkedin #teamamex #JPMorganChase #cybersecurity, #technologycontrols, #infosec, #informationsecurity, #GenAi #linkedintopvoices #cybersecurity #cybersecurityawareness #innovation #techindustry #cyber #birminghamtech #cybersecurity #fintech #careerintech #handsworth #communitysupport #womenintech #technology #security #cloud #infosec #riskassessment #informationsecurity #auditmanagement #informationprotection #securityaudit #cyberrisks #cybersecurity #security #cloudsecurity #trends #grc #leadership #socialmedia #digitization #cyberrisk #education #Hacking #privacy #datasecurity #passwordmanagement #identitytheft #phishingemails #holidayseason #bankfraud #personalinformation #creditfraud
Today, I wanted to address my CISO, COO, and CIO mentors, friends, colleagues, bosses, and customers. In my CISM exam, there were >5 questions asked in different ways about how a CISO ensures that the strategy is focused on business with proper stakeholder alignment, participation, accountability, and collaboration. It got me thinking about whether I am fully equipped with the skills and knowledge to be "business aligned", and that led to this paper. I tried to look at what business meant in my last two work experiences associated with startups, where one is always trying to come up with financial projections to demonstrate the future of their venture to secure funding. I took a simple approach of just understanding what business is, and primarily business is the valuation of the business, and then I dived into how the world -- investors, shareholders, customers, employees and other stakeholders -- calculates and perceives the valuation. I am trying to propose that the cyber stewards should focus on the same parameters that these stakeholders focus on and then see how their efforts are influencing each one of them, ultimately delivering a net positive on the "valuation" of the business. This paper serves as a good conversation starter, aiming to develop something valuable for cyber stewards to make a better impact in articulating the ROI of their strategy. I sincerely welcome all comments, feedback, and questions on this topic. #CyberSecurity #BusinessAlignment #ROI #CyberStewards #CISMExamPrep Take a 5-minute glance at the paper and a total read of 10-15 minutes: [Link to the paper](https://lnkd.in/gvr-89db) #CyberSecurity, #RiskManagement, #CISO, #BusinessStrategy, #Valuation, #InformationSecurity, #TechLeadership, #Compliance, #DigitalTransformation, #Leadership
Cybersecurity Strategy Alignment with Business
Introducing Myth-Busting Mondays! We’re excited to kick off a new weekly series called "Myth-Busting Mondays," where we’ll be debunking some of the most common misconceptions in the world of IT strategy, risk management, and compliance. Every Monday, we'll tackle a different myth that could be holding your business back from achieving its full potential. Why Myth-Busting? In today's rapidly evolving digital landscape, misinformation can spread quickly, leading to costly mistakes and missed opportunities. At Pelican3, we believe that knowledge is power, and we’re here to set the record straight! Whether it's clarifying misconceptions about cybersecurity, understanding the real value of compliance, or uncovering the truth about digital transformation, we're committed to providing you with clear, actionable insights that can help you make informed decisions and drive your business forward. What to Expect from the Series: Each week, we will identify a popular myth or misconception in the industry and break it down with facts, research, and real-world examples. From “Only large companies need a cybersecurity strategy” to “Compliance is just a box-ticking exercise,” no myth is too big or too small! Actionable Insights: Beyond just debunking myths, we’ll provide you with practical tips and strategies that you can apply to your business immediately. We want to help you turn these misconceptions into opportunities for growth. We encourage you to engage with us! Share your thoughts, ask questions, and suggest myths you want us to debunk. Let’s start a conversation that drives learning and growth for everyone involved. Stay Tuned for Our First Myth-Busting Post! Next Monday, we’ll dive into our first myth: “Cybersecurity is just an IT issue.” Spoiler alert: It’s a critical business issue that affects every department in your organization. Let's separate fact from fiction and empower your business with the knowledge to succeed. 
#MythBustingMondays #ITStrategy #RiskManagement #Compliance #CyberSecurity #DigitalTransformation #Pelican3Insights
More from this author
Proposal Writing Considerations for Today
John "Lt" Sciandra vCISO, CISSP, CMMC Lead CCA/Instructor 4mo
How to Get Started with DFARS and CMMC Cybersecurity
John "Lt" Sciandra vCISO, CISSP, CMMC Lead CCA/Instructor 4mo
What about Geoblocking?
John "Lt" Sciandra vCISO, CISSP, CMMC Lead CCA/Instructor 4y
● Helping C-Level Execs, Mid-Level Managers, & Business Owners Bridge The Gap Between 𝐏𝐫𝐨𝐟𝐞𝐬𝐬𝐢𝐨𝐧𝐚𝐥 𝐒𝐮𝐜𝐜𝐞𝐬𝐬 & 𝐏𝐞𝐫𝐬𝐨𝐧𝐚𝐥 𝐅𝐮𝐥𝐟𝐢𝐥𝐥𝐦𝐞𝐧𝐭 ● Thought Leader on "The Professional Paradox"
8mo Strategic approach for long-term success.