Tag: Boards

  • A Stormy Future: Challenges Ahead for Non-Profits

    A stormy outlook for non-profits? With the rollercoaster of today’s economic landscape, it’s going to get bad before it gets any better.

As many know, I’m at the helm of Lamp of Learning, a non-profit that’s near and dear to my heart. In this ever-changing world where economies can flip like a pancake, non-profits like ours are the syrup of goodness that makes everything a bit sweeter.

    So, let’s chat about the rollercoaster that is today’s economic landscape. It’s a bit like the weather—sometimes sunny, sometimes stormy, but always unpredictable. For us in the non-profit sector, it’s super important to know what’s on the horizon so we can keep being those beacons of hope and change.

    In this cozy little blog post, we’re going to unpack what the future might look like for non-profits. We’ll talk about the bumps in the road, sure, but also the hidden shortcuts and scenic routes that could make our journey a whole lot smoother.

So, buckle up! We’re diving deep into the challenges, opportunities, and all the must-know strategies to keep our non-profits not just surviving, but thriving.

Stay tuned and let’s navigate this adventure together!

    Weathering Economic Storms

The economy is like a rollercoaster, with its highs and lows. In recent years we’ve witnessed unusual shifts, from global pandemics to rapid technological advancements. Non-profits must be prepared to adapt swiftly to these changes, because economic shifts brought on by global events can affect funding, donor behavior, and community engagement. However, history shows us that non-profits are resilient and adaptable, finding innovative ways to continue their missions even in tough times. Flexibility is also key: embracing remote work, digital fundraising platforms, and virtual events can open up new doors for engagement and support.

    Challenges on the Horizon

While the challenges may seem daunting, they also present opportunities for growth and transformation. In the current economy, non-profits may face reduced funding as government priorities shift or donors tighten their belts. Additionally, the competition for philanthropic dollars has never been fiercer. Staying relevant and distinctive in a crowded market is key.

    Shifting Strategies for Success:

1. Diversified funding streams – Relying on a single source of funding is risky. It’s time for non-profits to think creatively about their revenue streams. Exploring partnerships with businesses, seeking grants, and cultivating individual donors can provide a diversified financial foundation, reducing the organization’s vulnerability to economic changes.
2. Digital transformation – The virtual realm has become a lifeline for non-profits. Embrace technology to expand your reach, engage with supporters, and deliver services through online platforms. Social media, virtual events, and crowdfunding can help amplify your impact.
3. Transparency and accountability – In a skeptical world, transparency and accountability are non-negotiable. Clearly communicate your goals, actions, and results to foster trust among donors and supporters.
4. Adaptive programming – Flexibility is key. Tailor your programs and services to address current needs while remaining aligned with your mission. Being nimble allows non-profits to seize emerging opportunities.
5. Collaboration and partnerships – Non-profits exist to serve their communities. In times of economic uncertainty, community needs may rise, making non-profit services even more critical. Strengthening community engagement efforts, collaborating with local partners, and staying aware of people’s needs can enhance a non-profit’s credibility and impact.

The forecast for non-profits in this economy might include cloudy days and stormy nights, but remember that every cloud has a silver lining. By embracing change, staying resilient, and using the power of innovation, non-profits can not only weather the storms but also emerge stronger and more impactful than ever. As we navigate the horizon together, let’s remember that the heart of every non-profit’s mission remains committed to creating positive change in the world, no matter the circumstances.



    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • How a CISO needs to present to the board


    As a Chief Information Security Officer (CISO), reporting to the corporate board can be both an opportunity and a challenge. On one hand, it’s an opportunity to educate the board on the current state of the company’s security posture, demonstrate the value of security investments, and gain support for future initiatives. On the other hand, it’s a challenge because the board may not be well-versed in technical security concepts, making it difficult to communicate effectively.


    In order to successfully report to the corporate board, a CISO must approach the task with a clear understanding of the board’s expectations and a well-crafted communication strategy. Here are a few key steps to help you do just that:

    Understand the board’s priorities

Before you present to the board, take the time to understand their priorities and what they are most concerned about. This will help you tailor your presentation to their specific needs and ensure that the information you provide is relevant and valuable.

    Use clear, concise language

    The board is likely to include individuals who are not technically savvy, so it’s important to use clear, concise language that is easy for everyone to understand. Avoid using technical jargon or acronyms, and instead focus on the key security issues that are most relevant to the company’s operations and reputation.

    Emphasize the impact of security risks

    The board needs to understand the impact of security risks on the company’s bottom line. Highlight the potential financial and reputational damage that can result from a security breach, and make sure to demonstrate the value of investments in security technologies and processes.


    Provide regular, comprehensive updates

    The board should receive regular, comprehensive updates on the state of the company’s security posture. These updates should include information on the most significant security risks facing the company, as well as the measures that have been taken to mitigate those risks.

    Encourage open communication

    Encourage open communication with the board, and be prepared to answer any questions they may have. This will help to build trust and ensure that everyone is on the same page when it comes to security issues.

    Be proactive

A good CISO is always looking ahead, identifying potential security risks and developing strategies to mitigate them. Share your vision for the future with the board, and outline the steps you are taking to stay ahead of the curve.

    In conclusion, reporting to the corporate board as a CISO is an important responsibility, and requires a well-thought-out communication strategy. By understanding the board’s priorities, using clear language, emphasizing the impact of security risks, providing regular updates, encouraging open communication, and being proactive, you can build a strong relationship with the board and help ensure the success of your company’s security efforts.

  • Make Your Board Stronger with Independent Board Members


    The Challenges of Small Company Boards with No Independent Directors

Small company boards often consist of founders, family members, and close associates of the business. While this can create a close-knit and cohesive board, it can also lead to conflicts of interest and a lack of objective decision-making. Such close boards can become leaders in name only, often delegating true leadership to a single individual through complacency or strong-arm tactics. Independent board members offer a counterbalance for small company boards struggling to provide effective corporate governance, which can affect the long-term success of the business.

    One of the main challenges of small company boards with no independent directors is a lack of diverse perspectives. Without input from individuals outside the company, the board may be limited in its ability to identify potential risks, explore new opportunities, and make informed decisions. This can lead to groupthink, where the board makes decisions based on consensus rather than independent analysis.

    Another challenge of small company boards with no independent directors is the potential for conflicts of interest. Board members with close ties to the business may prioritize personal interests over the interests of the company, which can impact decision-making and create ethical concerns. Without independent directors, there may be no one on the board to challenge these conflicts and provide an objective perspective.


What is an Independent Board Member?

    Independent board members are individuals who are not affiliated with the business and do not have a vested interest in its success. They bring an objective and unbiased perspective to the board, providing valuable insights and challenging assumptions. Independent directors are typically chosen for their expertise and experience in a specific industry or functional area, and they are expected to provide guidance and oversight to the board.

    Independent board members are appointed to serve the interests of shareholders and other stakeholders, rather than the interests of the company’s management or board members. They are responsible for monitoring the performance of the business, providing guidance on strategy, and ensuring that the company adheres to ethical and legal standards.

    The Value of an Independent Voice on the Board

    The value of independent board members lies in their ability to provide an objective voice on the board. They bring a fresh perspective and diverse expertise to the table, which can help the board identify potential risks and opportunities. Independent directors can also challenge assumptions and biases, helping the board make more informed decisions.

    Another key value of an independent board member is their ability to provide oversight and accountability. They are responsible for ensuring that the company operates ethically and in compliance with legal and regulatory standards. Independent directors can also provide guidance on key governance issues, such as executive compensation and risk management.

    Independent board members can also play an important role in building stakeholder trust. Shareholders and other stakeholders may feel more confident in the company’s management and operations if they see that the board includes independent directors. This can lead to improved shareholder value and a stronger reputation for the company.

    The Best Way to Find Independent Board Members

    Finding the right independent board members can be a challenge for small companies. However, there are several strategies that can be used to identify and recruit qualified candidates:

    • Utilize professional networks: Board members may have professional contacts who could be potential independent directors. Tap into these networks to find qualified candidates. There are numerous associations of trained and vetted board members such as the Private Directors Association which are great sources of executive talent. If you are looking for cyber qualified board members, check out Digital Directors Network.
    • Use executive search firms: Executive search firms specialize in finding qualified candidates for executive and board positions. They can help identify and recruit independent directors with the right expertise and experience.
    • Leverage industry associations: Industry associations can be a good source of potential independent directors. Attend industry events and conferences to network with potential candidates.
    • Conduct a thorough search: Take the time to conduct a thorough search for independent directors. This may involve reviewing resumes, conducting interviews, and conducting background checks.

    Conclusion

    Small company boards without independent directors may struggle to provide effective governance with only executive directors. Independent board members play a critical role in ensuring effective corporate governance by providing an objective perspective, diverse expertise, and oversight and accountability. While the process of identifying and recruiting independent directors may take time and effort, the value they bring to the board and the company is well worth it.


    Paul Bergman writes on cybersecurity and board management for both corporate and nonprofit boards.

  • Are you 100% certain that you are on top of security basics?


At the siberX CISO Forum Canada, C. Kelley Bissel, CVP of Microsoft Security, reported that CISOs are failing to do the basics. He puts a fair amount of the blame for these failures on the company CISO.

    “Ninety-eight per cent of attacks are elementary and take advantage of unpatched devices, a lack of multifactor authentication to protect logins, no privileged access controls, no identity management, and password vulnerabilities.”

    C. Kelley Bissel, CVP, Microsoft Security

    First, it’s not all on the CISO

A strong argument could be made that a CISO in a non-security-centric organization is set up to fail. A CISO’s job is difficult even with the full backing of leadership. Consider implementing MFA alone: many executives will push back on the implementation because it isn’t easy.

Another point of pushback is access control. I first felt this pushback when I was implementing SOX controls and logging of physical access to the company servers on the CIO. The CIO was extremely bothered at having to log his access and tried to kill the process as inefficient. The fact is, he didn’t need access 99.96% of the time anyway. He nearly killed the process, which would have led to a possible security exception in an audit. That is not a failure of the CISO but a failure of the organization to allow the necessary security.

    So what are ‘security basics’?

Mr. Bissel outlines the basics as patching, login protection, access control, identity management, and password strength. Certainly, he was simplifying for presentation, but CIS offers a more comprehensive list that includes 56 “Basics” from 18 different controls in Version 8 of the CIS Critical Security Controls.


    See other blog posts for more information on putting in basic cybersecurity.

    Consider looking into vCISO service providers. Tracc Development (site sponsor) or any number of service organizations would be happy to help. Omni Group Consulting and Triden Group have excellent talent.

  • Compliance on the horizon? Understand your terms now!


I recently worked on a compliance readiness project to get a company ready for an ISO 27002 audit. I was amazed at how little the organization understood about governance. They were having problems with other compliance as well, even though they were a SOX-compliant entity. Yes, they had pretty written “policies,” but these were clearly designed by the marketing team, had no structure, and included standards, guidelines, procedures, and even documented the people assigned to do it all.

    ISACA defines internal controls as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

    ISACA COBIT 5 Framework

    Doing it wrong is even worse than not doing it at all!

Poorly scoped documentation often results in governance functions becoming more of a hindrance than a help. An example of inadequate governance documentation is a multi-page policy document that mixes high-level security concepts, configuration requirements, and work assignments. This type of documentation causes confusion and inefficiencies across technology, cybersecurity, and privacy operations. It is bad for several reasons, starting with the fact that it is confusing and people are unlikely to read it, which defeats the purpose of having it in the first place. Additionally, excessively wordy documentation that explains concepts in great detail makes it difficult to pin down the exact requirements. If compliance (or certification) is a goal, this leads to gaps, which works against the goal of being audit-ready.

    Start with the goal in mind

First, start with the requirements. If the goal is a certification or compliance, your governance should align to those requirements. If you are already compliant with a framework, find a crosswalk, or mapping, from your framework to the desired framework. This can help focus your efforts and build a plan for what needs to be done.

For many technologists, words matter. Terms like “policies” and “procedures” are often used interchangeably, but they are not interchangeable. These terms have quite different implications, and those differences should be kept in mind, since the use of improper terminology has cascading effects.

Also keep in mind that an audit will confirm that policies are being enforced. This means that if a policy says “Bob will update the SSL keys,” what happens when Bob retires? The policy will need to be rewritten. That is undue work, and it is very likely to be forgotten. Another common mistake is to be too specific about tools, such as stating “All servers are to be running Windows Server 2008.” Obviously such policies will not age well. While all policies should be reviewed regularly, little mistakes like these are easily overlooked.

    Source: http://www.commoncontrolsframework.com/

    Doing it right

    In the realm of cybersecurity documentation, a strong governance structure is built on a hierarchy of components that work together in an integrated approach to managing requirements. Keep these components distinct and don’t try to address everything in one document! These components include:

    Policy: A high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes. Policies are enforced by standards and further implemented by procedures, and are often created in response to external influences like statutory, regulatory, or contractual obligations.

    Control Objectives: Targets or desired conditions that are designed to ensure policy intent is met. Control objectives help to establish the necessary scope to address a policy and should be directly linked to an industry-recognized practice, such as statutory, regulatory, or contractual requirements.

Standard: Formally established requirements related to processes, actions, and configurations that are finite and quantifiable. Standards satisfy control objectives; exceptions are never made to policies, only to standards. If a standard cannot be met, a compensating control should be implemented to mitigate the risk.

    Guidelines: Recommended practices that allow for discretion or leeway in interpretation, implementation, or use. Guidelines are based on industry-recognized practices or cultural norms within an organization and augment standards when discretion is permissible.

    Procedure: A formal method of doing something based on a series of actions conducted in a certain order or manner. Procedures are the responsibility of the asset custodian to build and maintain, in support of standards and policies.

    Together, these components create a comprehensive and effective governance structure for managing cybersecurity requirements.

    For more information on governance and cyber security, check out other articles here.

  • What happens to ransomware money?


Ransomware is a type of malicious software that encrypts a victim’s files. The attackers then demand payment in exchange for the decryption key, typically in cryptocurrency such as Bitcoin, because it is easier to keep the exchange anonymous. In recent years, ransomware attacks have become an increasingly common form of cybercrime, and the attackers behind them have been able to generate significant amounts of money. But what happens to all of that ransom money? Where does it go, and how is it used?

The vast majority of ransomware payments make their way to Eastern Europe and the former Soviet Union. These regions have become hubs for cybercrime due to the high level of technical expertise and the relative ease with which criminal operations can be conducted there. This raises the question of how close these criminal organizations are to nation states. While Western governments are careful about blaming other nations for such attacks, it is clear that interests are aligned. Western states have noticed an increase in cybercrime activity against them for their support of Ukraine over the last year, clearly an indication of a link in ideologies at the least. It should be noted that North Korea is even more clearly in the cybercrime game and uses funds from ransomware payments to directly finance the regime.

Once the ransom money has been converted into more liquid forms (local currency), it can be used for a variety of purposes. Some of it funds the attackers’ lifestyles, including expensive cars, luxury vacations, and high-end real estate. The rest is invested in other criminal operations or laundered through various financial institutions to make it appear to be legitimate income.

While Hollywood likes to portray “hackers” as reserved types in hoodies sitting alone in a dark room, ransomware attacks are often carried out by organized crime syndicates. These organizations are extremely well connected and as well organized as any Fortune 500 company. As with any corporation, part of the revenue goes back into product development, funding the development and distribution of new malware, the creation of botnets, and the purchase of stolen data on the dark web. This money can also be used to bribe law enforcement or government officials, allowing the attackers to operate with impunity.


The flow of ransomware money is complex and multifaceted, and it is difficult to determine exactly where it all goes. Some of it funds the attackers’ lifestyles, while some is invested in developing new and more complex attacks. Some attacks may directly or indirectly prop up nations.

If hit with ransomware, each company and individual must weigh the cost of rebuilding their systems and data against paying the ransom. However, that is a simplistic view of the equation. With the rise of corporate social responsibility, the decision to pay a ransom to restore services must also consider what the ransom proceeds may support.

  • Why boards need to be paying attention to cybersecurity now


Contrary to popular belief, cybersecurity is not an operations issue! Cybersecurity is frightening, and boards love to distance themselves from it by calling it “operational” and thus not their responsibility. However, it is a critical issue for the whole organization, and the legal requirements for corporate boards to pay attention to it are growing. With increasing numbers of data breaches and cyber-attacks, the legal landscape is rapidly evolving to protect both organizations and their customers from the consequences of these events. Here are a few key legal requirements that corporate boards should be aware of when it comes to cybersecurity:

    • Data protection laws: Many countries have enacted data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), that require organizations to take appropriate measures to protect the personal data of their customers and employees. This includes implementing technical and organizational measures to prevent unauthorized access to personal data, and ensuring that the company has a process in place for responding to data breaches.
    • Cybersecurity regulations: Some industries, such as finance and healthcare, have specific cybersecurity regulations that companies must abide by. These regulations can include requirements for regular risk assessments, incident response plans, and the implementation of security technologies.
    • Contractual obligations: Companies often have contractual obligations to their customers and partners to protect the data they are entrusted with. Failing to meet these obligations can result in financial and reputational damage, and may even lead to legal liability.
    • Corporate governance laws: In many countries, corporate boards have a fiduciary duty to ensure that the company is managed in the best interests of its shareholders. This includes taking steps to protect the company’s assets and data from cyber threats.
    • Tort law: Companies can also face legal liability under tort law if they fail to take reasonable steps to protect their customers’ data. This can include negligence, breach of contract, and misrepresentation claims.

Corporate boards must be aware of the growing legal requirements around cybersecurity. Failure to meet these requirements can result in legal liability, financial losses, and reputational damage. By staying informed about the latest laws and regulations, conducting regular risk assessments, and implementing appropriate security measures, corporate boards can help ensure that their organizations are protected from cyber threats and meet their legal obligations. I outlined a number of items a board should be doing in my post on corporate boards: The role of the corporate board in cybersecurity – Paul Bergman

  • The role of the corporate board in cybersecurity


    The corporate board bears a crucial responsibility for managing cybersecurity risks that threaten organizations of all sizes. As overseers of the company’s cybersecurity posture, board members must take active steps to protect its assets and data from cyber threats. However, some board members may not fully understand their personal liability for lack of oversight in this area.

    Under corporate governance laws, board members have a fiduciary duty to act in the best interests of the shareholders and protect the company from cyber threats. If a board member fails in this duty, they may face personal liability for any resulting losses or damages. According to the landmark 1996 ruling in Caremark, directors can be held accountable if they fail to properly monitor and oversee the company or if their inaction results in a loss. Furthermore, if the company breaches data protection laws, such as the EU’s GDPR, board members may be accountable.

A framework for addressing cybersecurity risk

    To effectively mitigate cybersecurity risk, the corporate board should take the following steps:

    1. Stay informed: Invite the CISO or vCISO to present updates, but don’t rely solely on these presentations. Have a board member with technical expertise stay current with industry news, attend security conferences and events, and engage with security experts.
    2. Assess risk posture: Conduct a comprehensive risk assessment to identify areas of weakness and potential vulnerabilities.
    3. Develop a cybersecurity strategy: Based on the results of the risk assessment, outline steps to mitigate risk and protect against cyber threats, including the implementation of technologies, processes, and training programs.
    4. Allocate resources: Ensure the organization has adequate funding and staffing to implement and maintain its security posture.
    5. Foster a culture of security: Encourage security awareness and training throughout the organization and incorporate security into company policies and procedures.
6. Ensure a true representation of risks: Consider forming a cybersecurity committee working directly with the CISO to ensure a clearer understanding of risks, as executive management may suppress or under-appreciate cybersecurity risks.
    7. Engage with third-party vendors: Partner with a security vendor to supplement internal security efforts and stay updated on the latest security technologies and best practices.
    8. Monitor and review regularly: Establish regular review processes to ensure the organization’s cybersecurity posture remains effective, including reporting from the CISO on threats and regular reviews of security policies, incident response plans, and metrics.

    Clearly, the corporate board has a critical role to play in mitigating cybersecurity risk. By staying informed, assessing the organization’s risk posture, developing a comprehensive cybersecurity strategy, allocating adequate resources, fostering a culture of security, engaging with a third-party vendor, and monitoring and reviewing regularly, the board can help ensure that the company is taking the necessary steps to protect itself against cyber threats.
