Pillars of cybersecurity: prevention, protection, mitigation, and governance

During a panel discussion at Compliance Week's virtual Cyber Risk & Data Privacy Summit, the former superintendent of the New York State Department of Financial Services described how a cybersecurity program is structured much like a compliance program and can be organized into four buckets.

Maria Vullo, now an adjunct law professor at Fordham University, said the essential pillars of a robust cybersecurity program are prevention, protection, mitigation, and governance.

Vullo suggested beginning with a risk assessment, emphasizing that prevention is a "foundational requirement" of any solid cybersecurity program but not something firms can set and forget.

"Risk assessment should be a periodic exercise when things change and new information or new businesses get acquired," she said, adding that once potential vulnerabilities are identified, "then the access controls and all the other controls and defensive infrastructure that may be built in: encryption, data governance, and asset inventory" can take shape.

Vullo said it is crucial to have the right monitoring mechanisms in place so that gaps are spotted promptly, describing continuous monitoring as the ideal framework for meeting regulatory obligations and White House recommendations.

According to Vullo, mitigation comprises an incident response plan and a disaster recovery program, while governance requires adequate resources, independent reporting lines, and oversight of third-party vendor security.

Vullo also identified stale data that is never deleted as a problem for many businesses. David Sherman, a partner at the law firm BakerHostetler, agreed.

"I’ve helped clients respond to slightly over a thousand security incidents in my career. So far and across the board, the thing that pops up invariably—whether it’s ransomware, an email compromise, a network intrusion, you name it—is, ‘My goodness, why do I have this stuff?’" Sherman said. He explained how risk can be reduced by implementing proper data retention policies.

Sherman said, "If we can identify where those critical data stores and critical systems exist within our network; take whatever limited resources we have; and bolster the security, defenses, and visibility into what’s happening within those critical environments, no matter what, it’s going to put you in a better position from a regulatory and governance perspective."

Darren Hayes, founder and head of the Digital Forensics Research Lab at Pace University, named cyberattacks tied to political events, the proliferation of internet of things (IoT) devices, and a permissive remote work culture as his top three cybersecurity trends.

"It’s absolutely amazing the amount of these unsecured IoT devices. Why? Because they’re built cheaply," cautioned Hayes. "They’re mass produced and integrate very little security. People don’t want to pay a whole lot of money for that IoT device they put in their home."

Sherman acknowledged that the work-from-home mentality brought on by the Covid-19 pandemic poses a risk because of employees "perhaps taking a slightly more casual approach to security at home."
