As A CIO, Are You Keeping On Top Of Cybersecurity?

The CIOs I work with are far too busy to chase team members around for updates. Most end up without a full picture of how their facilities are faring. They know what they are investing in, but have no clue whether those investments are paying off (or, in some cases, whether they have even been implemented properly).

CIOs turn to Galactic Scan when they want clear transparency into their network security: a high-level view across the network and confidence that their initiatives are working (and, when they are not, the information needed to make critical decisions to best secure their facilities).

Specifically, CIOs often talk about the need to:

Track Cybersecurity Improvements In Real Time—Stop wasting time following up with multiple team leads, or sitting through update meetings, just to pry out key metrics. Galactic Scan CIO lets you see how your team is progressing toward your security initiatives in one easy-to-understand report.

Keep Policies And Procedures Updated—When you change a security policy or procedure for any reason, be able to check that your team's actions (configurations, passwords, etc.) actually abide by those policies.

Keep An Eye On Vulnerabilities—When was the last time you could see a live update of your facility's security at the click of a button? Most CIOs remain in the dark about at least part of their IT team's security posture, because most teams are too busy supporting users to make time for security reports and updates. See when vulnerabilities appear on your network (on average, we notice 8 new vulnerabilities each month) and get prioritized instructions for your teams to address them.

Give Updates To Leadership Teams And Boards—Do you ever put off summaries and reports for your board members? Is it ever easy to translate technical language into something a non-technical professional will understand? Get done-for-you communications and summaries without having to find more time in the day.

Be Assured That Their Teams Are Using Their Time Effectively—Ever wonder whether your technicians are actually resolving a security issue effectively? Instead of having them spend hours researching a fix for a vulnerability, or relying on a vendor that most often puts your name at the bottom of its list, get an actionable solution through our weekly security implementation calls.

Show How They Are Spending Their Security Dollars Wisely—Why spend tens of thousands of dollars on a single assessment when you could spend a fraction of that on a real-time, live assessment of your entire network, including user behavior (where users go, what they store, and whether they are moving PHI insecurely or suspiciously through your network)?

Know Where Their Data Is—Where do you keep track of where sensitive or critical information is stored? Excel? A Word document? A SharePoint folder? Why not put a system in place that constantly tracks and tags your data assets and gives your team a simple way to review those assets periodically (for instance, during a disaster recovery exercise)?


A Few Common Questions CIOs Often Ask Us:

Shouldn't my IT team already be doing this?

Imagine that you asked your IT company to set up a new user with the password Welcome1! and they did not follow the checklist because the help desk was working 300 tickets that day. The step that was missed? Forcing a password reset at first login.

Let's say for a minute that they did it and told you to change it in the following weeks. What if you never changed it?

Will your IT team be the first to admit doing something wrong? How long could a vulnerability such as this easy-to-crack password sit on your network without getting fixed?

We've assessed everything from small clinic chains to large 400+ bed hospitals that had this very issue (these passwords were live for years).

What if your IT team upgraded your Antivirus?

Imagine that they upgraded the software on all of your computers. The upgrade worked in two steps: step 1 removed the current version, and step 2 installed the new software. The first step executed successfully on all of the computers, but the second step only worked on about 80% of them. This just happened at a hospital that uses our services. The project was considered complete, yet over 300 computers were left with no antivirus at all.

You might say, "Well, we have a security officer who checks things like this…" More often than not—especially if you are contracting with a security firm—they are checking your systems once or twice a month. In many cases, they check annually.

We were able to identify this antivirus problem at various healthcare organizations, show the client, and get their IT team to fix the issue in less than 3 days. The bottom line: how long is too long to wait to get these simple issues fixed?
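The antivirus scenario above is exactly the kind of gap a routine reconciliation check catches. The following script is an added example, not Galactic Scan's or the hospital's code: it compares a constructed asset inventory against a constructed AV-console export and flags every host that is missing, silent too long (the usual trace of a removed agent), or on the wrong version, then reports real coverage next to the "project complete" claim.

```python
"""Fleet check that an antivirus upgrade actually finished everywhere.

Added example (not Galactic Scan's code). Models the scenario above: the old
agent was removed on every host, the new one installed on only part of the
fleet, and the project was closed as "complete". A host whose agent was
removed usually lingers in the AV console with a stale last-seen time, so
"silent too long" is treated as unprotected. All data below is constructed.
"""
from datetime import date

EXPECTED_VERSION = "2.0"  # version the upgrade was meant to deliver
MAX_SILENT_DAYS = 3       # agents quieter than this are treated as gone

# Constructed AV-console export: hostname,agent_version,last_seen (ISO date)
CONSOLE_CSV = """\
ws-01,2.0,2024-05-10
ws-02,2.0,2024-05-10
ws-03,1.9,2024-05-01
srv-01,2.0,2024-05-09
"""
# Constructed asset inventory: every host that must run the agent
INVENTORY = ["ws-01", "ws-02", "ws-03", "ws-04", "srv-01"]

def parse_console(csv_text):
    """Map hostname -> (version, last_seen) from the console export."""
    agents = {}
    for line in filter(str.strip, csv_text.splitlines()):
        host, version, seen = (f.strip() for f in line.split(","))
        agents[host] = (version, date.fromisoformat(seen))
    return agents

def coverage_gaps(inventory, agents, today):
    """(host, reason) for every inventory host without a current, healthy agent."""
    gaps = []
    for host in inventory:
        if host not in agents:
            gaps.append((host, "never reported to AV console"))
            continue
        version, seen = agents[host]
        silent = (today - seen).days
        if silent > MAX_SILENT_DAYS:
            gaps.append((host, f"silent for {silent} days (agent removed?)"))
        elif version != EXPECTED_VERSION:
            gaps.append((host, f"still on version {version}"))
    return gaps

def coverage_percent(inventory, agents, today):
    """Share of inventory hosts that pass the check; compare with 'complete'."""
    return 100.0 * (1 - len(coverage_gaps(inventory, agents, today)) / len(inventory))

if __name__ == "__main__":
    today, agents = date(2024, 5, 10), parse_console(CONSOLE_CSV)
    for host, reason in coverage_gaps(INVENTORY, agents, today):
        print(f"{host}: {reason}")
    print(f"coverage: {coverage_percent(INVENTORY, agents, today):.0f}%")
```

Run daily against a real inventory and console export, a coverage figure that drops after a change ticket is closed is the signal the text describes.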

We train our users, why do we need something like this?

Imagine walking into your office tomorrow to find that a hacker is holding all of your cloud data for ransom, and then learning that your own account was the one used to reach the data in the first place. Imagine the embarrassment and frustration you would cause your entire company. Do you know how to secure your cloud account? Are you ABSOLUTELY SURE YOU have it locked down properly? 100% of the users we assess say they have a training program. 83% of the users we assess are making simple mistakes that give hackers access to their cloud data.

We already do a pen test.

Penetration tests happen once a year, twice at most. Do you check your locks each night before going to bed? Now imagine you paid someone to check those locks once a year. Would you still want to check them yourself before going to sleep?

Vulnerability monitoring is very different from a penetration test: it is like checking your locks every night before you go to sleep.

Why can't we just do this scan once a year?

Would you check the lock on your front door only once a year to make sure it's working? What about a safe deposit box holding all of your family's sensitive documents?

If you only check your network once a year, you're setting yourself up for potentially hundreds of open holes, holes that a technician may have accidentally placed in your network. On top of that, your team may have inadvertently done something that ultimately leads to leaked data.

Would learning about something like this months later help you? Wouldn't you rather deal with tooth decay as soon as possible, rather than wait for a root canal?