April 6, 2022
An Interview With Tyler Gallagher, CEO and Founder of Regal Assets
As part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Charlie Wood, Executive Vice President for FoxPointe Solutions Information Risk Management Division of The Bonadio Group.
Charlie Wood is the Executive Vice President and Practice Lead for FoxPointe Solutions. Charlie holds many certifications including Certified Information Services Auditor (CISA), PCI Qualified Security Assessor (PCI QSA), Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM).
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Igrew up on a dairy farm in upstate NY. We didn’t have cable on the road I grew up on, so you can imagine that computers were pretty scarce as well. I took a basic computer class my senior year of high school and learned how to write basic commands in an effort to entertain people in my class.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
No — not one story in particular. It was more of a fascination with technology and looking to future to understand its impact on business — that drove me to cybersecurity.
Can you share the most interesting story that happened to you since you began this fascinating career?
There are three areas that comprise cybersecurity — people, processes and technology. Throughout my career I have had the most fun exploiting the weakest link — people. I have talked my way past armed security guards on several occasions. I have even convinced employees to help me load an ATM into my personal vehicle under the guise that the ATM was broken and I needed to take it back to the shop to fix it. All of this is to show just how weak and susceptible people can be to risks, fraud and cyber-attacks.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Growing up on a farm, I had the unique opportunity to see true perseverance and dedication on a daily basis — from my father and grandfather. I credit their grit, perseverance and work ethic to shaping my own work ethic which is probably the primary reason for my career success.
Are you working on any exciting new projects now? How do you think that will help people?
Prefer to not disclose given the sensitive nature of the work we do
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Surround yourself with great people. Great people lift everyone else up — even when you are having a bad day. They also help reduce your stress and as a result — burn out. I truly believe we have the best team of cybersecurity and consulting professionals in the northeast. As good as they are at their jobs, they are even better people outside of work
The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The landscape changes daily. What was secure this morning may not be by lunch time.
New technology means new risks and opportunities the learn and help customers on a daily basis.
Meeting likeminded individuals that have a passion for cybersecurity and hearing their stories of success.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
A lack of qualified candidates at both the entry level as well as the C-suite. The great resignation left the industry looking for CISO / CIO leadership.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Prefer to not disclose due to the sensitive nature of the work that we do.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Prefer to not disclose due to the sensitive nature of the work that we do.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Outsourcing day-to-day operations of your network / IT infrastructure is one solution. Finding a trusted managed service provider who specializes in security, can help you mitigate your risk. Before engaging with one of these organizations, you should ensure that the service providers have the appropriate certifications which demonstrate their continued commitment to the protection of their customers data.
Even if you outsource the day-to-day security of your organization, you should still have a CISO or vCISO (virtual chief information security officer). This is critical because you want to ensure that your managed service provider is in fact performing the functions that you pay them for. It is also important to have someone in this capacity so that they can help align cyber/security needs with business objectives.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Organizations must have the appropriate tools in place to detect and alert companies to the likelihood of a breach. Assuming you have these tools in place — anomalous events are a good place to start. Examples — invalid login attempts by power users, users trying to access files and information that they do not have rights to, data being exfiltrated from the network, etc.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Contact your legal counsel immediately. If you don’t have a legal representation with experience in the cybersecurity space — find one now. It isn’t a matter of “if” you will get hit, but a matter of “when”. Companies should also perform incident response tabletop testing. This process involves getting key stakeholders together and simulating a cyber event. It is essentially a dry run for when your organization suffers an issue.
As more states create privacy laws and regulations — it becomes increasingly difficult for companies to have a complete picture of what they need to do to become and remain compliant. This is where an external organization like ours can assist and help companies through the process.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Historically, the most common mistake companies make is not training the end user. People are often the weakest link in cybersecurity, and you can spend significant money putting the appropriate security measures/protocols in place, but if you aren’t training the end user to avoid clicking on malicious links, to protect sensitive information or to raise their hand when they think something is amiss — then you are leaving yourself exposed.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
With most employees working remotely — new challenges have arisen from a technical perspective which need to be addressed such as securing remote access capabilities.
Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Cyberattacks are a growing threat for small businesses and according to a recent Small Business Association (SBA) survey, 88% of small business owners felt their business was vulnerable to a cyberattack.
- Conduct Ongoing, Documented, Thorough Information Security Risk Assessments: Businesses should maintain an ongoing information security risk assessment program that considers new and evolving threats to protected data and adjusts to changing standards for user authentication, layered security, and other controls in response to identified risks.
- Educate Employees Against Risks: Leaders should establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
- Protect Against Unauthorized Access: Limit the number of credentials with elevated privileges across the organization, especially administrator accounts and the ability to easily assign elevated privileges that access critical systems. Review access rights twice a year to reconfirm access approvals are appropriate to the job function.
- Utilize The Standard Practice For Backing Up Data (“The 3–2–1 Rule”): Create up to at least three copies of the data; In two different storage formats; With at least one copy located offsite and if needed, air gapped.
- Invest in Robust Cybersecurity Software: Invest in an email gateway including MimeCast, ProofPoint, or Microsoft
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
Free security software for all organizations!
How can our readers further follow your work online? Go to foxpointesolutions.com and check out our blog.
To stay on top of the latest cybersecurity trends, visit https://www.foxpointesolutions.com/, to learn more, or connect with me on LinkedIn: https://www.linkedin.com/in/charlie-wood-qsa-cisa-cism-crisc-1458147/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!