The Cyber Professor

Why Should TMG and cyberCTRL Manage Your Cybersecurity?

by | Dec 23, 2022

Choosing a cybersecurity provider is a lot like choosing a security system for your home. Everything that’s most important to you is held within those four walls, and finding the right ways to protect it is serious business. Given the stakes, it’s natural to wonder, who are these TMG people anyway? So, let’s start with me.


My Background
I was born in Athens, Greece. After high school, I chose to come to the United States to study physics and computer science. I did that at The State University of New York in Brockport. My years at Brockport were formative to me as a person, a scientist, and as a professional.

After graduating with my Bachelor of Science degree, I became an instructor of computer science and a computer systems manager at the Stratford School in Rochester, New York. Following brief graduate work stints at the Rochester Institute of Technology and the University of Rochester, I moved to New York City to serve as the director of academic computing at the Pratt Institute. From there, I was recruited to be the vice president of information technology at the O’Connor Group, a real estate manager and developer in New York City.

Then, in the middle of the Reagan Recession, I decided that there was no better time than the present to start my own company, which I did in 1989. I have been running my own firm ever since, surrounded by partners and colleagues who teach me more and more every single day. For more than 30 years, we have delivered an ever-evolving spectrum of IT and cybersecurity consulting services.

I lived through the amazing advances in computer science that are now the stuff of lore: I was there during BITNET, sending email messages and watching the message hop from node to node. I was amazed at formatting the first 10 MB hard disks of IBM’s new personal computer. I’ve fed endless floppies in and out of the first Macs. I’ve built muscles carrying the Compaq “Portable,” which was nicknamed “luggable” for good reason. I’ve carried pagers and cell phones the size of suitcases. I subscribed to CompuServe and AOL and still have a working Hayes 14.4 modem.


Focused on Security
Throughout it all, I have always been fascinated by security, privacy, and the protection of data. Even before “cybersecurity” was a word, I insisted that the sites we ran were managed with real-world, pragmatic, business-focused computer security, business continuity, and disaster recovery. Maybe it was because George Whelan, a partner of mine at the time, was a computer virus collector (he still has them). Maybe it was because I remain culturally Greek, which is to say, naturally private.

Whatever the reason, I always asked, “What happens if ‘this’ gets out?” or “How fast can we be back up and running?” Any of my consultants will tell you that even now, the first thing they are taught when they start working for me is that “not checking the backup is a career-ending mistake.”
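“Not checking the backup” is the failure mode the rule above warns about. The following is an added example, not code from TMG or cyberCTRL, of what “checking the backup” means in practice: a restore test. It creates a tar.gz archive of a directory, records a SHA-256 manifest of the source, then proves the archive is restorable by extracting it to a scratch directory and comparing every restored file against the manifest. The sample files, directory layout and the corruption scenario in `demo()` are constructed here for illustration.

```python
"""Backup restore-test: an added example, not TMG's or cyberCTRL's own tooling.

A backup that is never restored is only a hope. This script backs up a
directory, keeps a hash manifest of the originals, restores the archive to a
scratch location and reports every missing, altered or unexpected file.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive source into archive (tar.gz) and return the manifest of what was backed up."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore test: extract to a scratch directory and diff against the manifest.

    Returns a list of human-readable problems; an empty list means every file
    came back intact. An unreadable archive is reported as a single problem.
    """
    problems = []
    # On interpreters that support it, the "data" filter refuses members that
    # would escape the target directory (path traversal) or set dangerous modes.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(restored, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc!r}"]
        found = build_manifest(restored)
        for rel, digest in manifest.items():
            if rel not in found:
                problems.append(f"missing after restore: {rel}")
            elif found[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in found:
            if rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: a good archive verifies clean, a truncated one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "data"
        (source / "sub").mkdir(parents=True)
        (source / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")   # constructed sample
        (source / "sub" / "notes.txt").write_text("quarterly close\n")      # constructed sample
        archive = Path(tmp) / "data.tar.gz"

        manifest = create_backup(source, archive)
        clean_result = verify_backup(archive, manifest)

        # Simulate silent media corruption by truncating the archive to half its size.
        raw = archive.read_bytes()
        archive.write_bytes(raw[: len(raw) // 2])
        damaged_result = verify_backup(archive, manifest)
    return clean_result, damaged_result


if __name__ == "__main__":
    clean, damaged = demo()
    print("intact archive problems:", clean)
    print("truncated archive problems:", damaged)
```

The point of the design is that verification never trusts the archive's own metadata: the manifest is taken from the live source before the backup is written, and the comparison is made against files that have actually been extracted, which is the only evidence that a restore would work. In production the manifest should be stored separately from the archive, and the restore test should run on a schedule rather than once.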

Following decades as a practitioner of both IT governance and cybersecurity management, I decided to make it official and joined the Information Systems Audit and Control Association (ISACA). ISACA is an independent, nonprofit, global association that was founded in 1969, engaging in “[t]he development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.”

Joining ISACA was one of the smartest things I ever did. Through ISACA, I got certified in two areas: one in IT governance, becoming Certified in Governance of Enterprise IT (CGEIT), and another in cybersecurity, becoming a Certified Information Security Manager (CISM). As of this writing, I am proud to have the highest scores in the New York chapter in both categories, as well as membership in the top 5 percent of those tested worldwide for CISM and the top 10 percent for CGEIT. I also added one more ISACA certification, that of Certified Data Privacy Solutions Engineer (CDPSE).

Not one to stand still, and always fascinated by the beauty in complexity, I decided in 2018 to study privacy and its implications for our society, business, and systems. I joined the International Association of Privacy Professionals (IAPP) and eventually got certified as CIPP/US, Certified Information Privacy Professional for the United States. Just like ISACA, the IAPP is an incredible community of privacy experts who have dedicated their lives to the study and implementation of sound privacy principles.

My decades in IT consulting have given me a powerful skill set—the ability to understand and communicate with engineers and IT specialists, and also to understand and communicate with “civilian” businesspeople who don’t know NIST from SANS. Because I am in constant discussions with civilians, I have learned how to put “the whole cybersecurity thing” into simple, direct language that anybody can understand.

A few years back, I turned this knowledge into two books: Cybersecurity Program Development for Business: The Essential Planning Guide (Wiley 2018) and Privacy, Regulations, and Security: The Essential Planning Guide (Wiley 2021). Both books offer step-by-step, actionable approaches to cybersecurity while dispensing with the technobabble that mars so many discussions of these topics. The books aggregate best practices and offer detailed instructions on how to take control of your own cybersecurity—all supported by my experience with real-world clients.

But even with these guides (excellent as they are!), staying on top of cybersecurity is a big job, and the bigger your firm, the bigger it becomes. Not only are the threats constantly evolving, so is the software that tries to protect you from those threats… and so are the (many) regulations that determine what is permitted and what is not. Privacy regulations, for example, can differ widely from country to country, and if you collect personally identifiable information abroad, you need to know what the various expectations are and how to comply.

Cybersecurity will never be a case of “one [book] and done.” It’s not so much a task as it is a way of life.


The Birth of cyberCTRL
Before you can design a cybersecurity program that suits a particular business, you need to understand every nook and cranny of what that business is and does. To this end, in my books I proposed a tool: an integrated set of linked spreadsheets based on the NIST Cybersecurity Framework. The process of gathering information to fill out the spreadsheets helps expose where a business is secure and where it is not. In our practice at TMG, we have used this process time and again, and we have found it very useful, but also limited.

The most important limitation is not the labyrinthine structure of the spreadsheets, which admittedly can become hard to manage after a couple of iterations, but that of people. No matter which way you cut it, there is a lot—a lot!—of work to do in spinning up and managing a cybersecurity program. Our clients, great partners as they are, were facing the critical shortage of “hands on keyboards” and a hodgepodge of tools that don’t talk to one another and scream alerts at people who don’t understand them.

That is when it dawned on me! The same principle that, 30-some years ago, created one of the first managed IT firms in New York would do it again with cybersecurity. Only this time, the solution would be complete: people, tools, and services, together in one business-focused, realistic subscription. To make that happen would take more than a bunch of connected spreadsheets!

We took what we had created, what we learned in the field, and what our clients needed, and after months of exhaustive due diligence we identified two partners whose best-of-breed products in Governance, Risk and Compliance (GRC) and Security Orchestration, Automation and Response (SOAR) would be customized to our requirements and integrated into the heart of our solution: cyberCTRL.

Today, cyberCTRL is more than the sum of its parts. It is an industry-first Cybersecurity-as-a-Service (CaaS) solution that, in a single subscription, provides all necessary expert services plus an ultra-secure, cloud-based, customized set of tools integrating Governance, Risk, and Compliance (GRC) with Security Orchestration, Automation, and Response (SOAR) and our own set of Extended Detection and Response (XDR) modules, tools, and services. Now, I dare you to say that three times fast!

So that’s my story, and I am sticking to it! You will find me happily at the head of TMG as we launch and grow cyberCTRL with the help of our global partners and clients. I am privileged to be able to continue my journey, surrounded by incredible professionals, clients, and friends who teach me the value of hard work, dedication, and love every single day.
