Download the presentation which was delivered on D-Day 2024.

Books

Check out our new Book Reviews page.

These are some favorite books of mine - I hope you find them interesting and useful - Justin.

Carpenter

Statements of Work

Statements of Work (SOWs) from some Cybersecurity and IT consultants are clearly inflated to make it look like they are doing a lot of work.

 

If your general contractor did the same thing in their proposal it would look like this:

* We will buy nails, wood, glue, etc. (and they would list it all out)

* We will carefully put pieces of wood across each other

* We will then drive the nails into the wood, using best practices laid down by the Massachusetts State Board of Building Regulations and Standards

* We will then measure the work and ensure it meets the highest industry standards

etc. ... you get the picture.

Instead, wouldn't it be much better if the SOWs were simple and goal-oriented?

Something like this:

-----------------------------------------------------------------------------

1. Email is vital for your organization's business. We want to ensure that criminals don't take over your email, or spoof emails so that they look like they come from you. We will ensure that vital emails to your clients, donors, and investors make it through. We will do this by:

* Implementing SPF, DKIM, and DMARC

* Implementing strong authentication

* Educating your staff with engaging and interactive sessions where we explore common scams and how to protect yourself

etc.

-----------------------------------------------------------------------------

Additionally, these SOWs tend to focus on technology instead of the complete picture. Security is not merely a technological problem, and requires more than technological solutions.

 

Noted security expert Bruce Schneier perhaps put it best:

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

 

If you're looking for someone to secure your organization, please contact me. I promise you that I will not inflate the proposal with big words or charge you inflated amounts.

Please consider carefully the testimony of Jen Easterly of CISA.

While your organization may not be critical infrastructure, there is a good chance that you support critical infrastructure in some manner. Increasingly, intrusions occur through third parties.

  • Are you an HVAC vendor for a Hospital?

  • Do you produce IoT or medical devices?

  • Do you produce software for accounting, lab results, patient records, or other systems used in Hospitals or other critical infrastructure?

Then you are a part of this also.

It is vital for all to understand the big picture here.

I also recommend watching the following video - I personally have met the agents and CEOs in this video and heard their stories first-hand. This is real. This is not a spy novel.

https://www.fbi.gov/video-repository/made-in-beijing-030722.mp4/view

The internet has brought the battle out of the shadowy world of spies and to ALL OF US.

What does "HIPAA Compliant" really mean?

Organizations should be very careful about bandying around such terms as "HIPAA compliant", "HIPAA Certified", or "HIPAA Secure." We see these all the time, but as noted in the article below from the FTC, it can put your company at risk of fines for deceptive practices if you are not actually HIPAA compliant.

https://www.ftc.gov/business-guidance/blog/2023/07/protecting-privacy-health-information-bakers-dozen-takeaways-ftc-cases

“Be careful about loose language suggesting some government imprimatur that doesn’t exist. Falsely conveying that kind of approval expressly or by implication violates the FTC Act.”

Interested in helping your organization become HIPAA compliant? Please contact me to discuss.
