- October 29, 2020
- Posted by: Pat Riot
- Categories: Finance, Private Wealth, RIA
Maturation is a part of life. To mature is to progress and to evolve. No matter the context, we all start at the most rudimentary level, and over the course of time we eventually mature enough to reach a culmination point where we become experts. For us as humans to conceptualize the lineage of “beginner to expert,” we usually use levels to describe our current state(s) and our objective or future state(s). We use levels as a designation in psychology, business, medicine, our personal lives, and even information security. For RIAs & PWAs, the maturity of your information security is just as important as your business maturity. As your business grows, the return on your clients’ portfolios increases, and you find your “investing way,” you inadvertently become a target. Simply by working in financial services you are in one of the top 3 most targeted industries – no matter how small the business or organization may be. Understanding information security, as well as where you stand in terms of maturation, is the first step to investing in not only the protection of your clients’ & employees’ information, but their trust as well.
To start, the term “information security” is something of a misnomer. By its nature, it implies that your information can be totally secure. Unfortunately, all security solutions contain a certain percentage of aggregate efficiency. For the non-physics folks, aggregate efficiency is the ratio of potential work to the amount of useful work that gets embedded into a product or service. In this case, traditional point security solutions that are reactive in nature (2FA, firewalls, spam filters) are commonly employed by RIAs & PWAs. These solutions have an extremely low aggregate efficiency because they simply sit and wait for something to happen. The amount of potential work (and cost) is enormous, while the actual useful work they carry out may be minimal to none – until an incident occurs. On the contrary, as your information security posture matures, so too does the aggregate efficiency of your solution, turning your devices and business into a proactive information security, threat hunting machine. This allows you to minimize the amount of potential work and cost and increase the amount of work embedded into your security solution by utilizing artificial intelligence and machine learning. This lets you focus on investing and growing your AUM, while our security solution quietly mitigates threats in the background.
Traditional security solutions bundle products from multiple vendors into a one-size-fits-all security suite, charge for it as part of their monthly fee, and tell you that your information security posture is mature. This traditional model makes the solutions industry agnostic and allows the providers to enjoy wholesale discounts and avoid managing multiple tools that serve the same function. Business-wise, this makes perfect sense. As a security solution, not so much. Information security is not a one-size-fits-all problem. Its solutions need to be tailored to the specific risk(s) of an organization or business and be able to progress in accordance with the size, scale and resources available, all while proactively benefiting the company: mitigating potential threats and vulnerabilities before they happen, not reacting to an incident after it occurs. A small, non-tech-driven investment firm with fewer than 10 employees, who only have access to sensitive information through a firewall-protected device, will not have the same risk assessment as a national tech-driven firm utilizing Big Data to plan investment strategies. Steel Patriot Partners can facilitate both instances and progress through the maturity levels at a pace you and your resources are comfortable with.
Beyond that, the SEC is very clear that information security policies and procedures cannot be cookie-cutter, off-the-shelf solutions. For RIAs & PWAs, the SEC offers very specific guidelines and guidance on information security. The Office of Compliance Inspections and Examinations requires you to provide a Written Information Security Policy (WISP) as well as evidence that all employees in the firm know, understand, and follow these policies. We’ve all been through an audit, and we all know that none of our employees know what the heck to do in the event of an information security breach. In total, the SEC recommends 34 specific requirements that can be broken down into six subgroups: Governance & Risk Assessment, Access Rights & Controls, Data Loss Prevention, Vendor Management, Training, & Incident Response.
At Steel Patriot Partners, we have created a way that sets us apart from our competitors. Derived from DoD and NIST frameworks, industry best practices, and a holistic view of information security, we created the Steel Patriot Partners Cyber Maturity Model. The Model consists of 5 levels encompassing everything you need to do in order to achieve information security maturation. Because of the Framework’s hierarchical design, it enables organizations to apportion the steps between their current level and their desired level in a way that is appropriate to their resources, capabilities, and needs. Becoming cyber secure does not only mean the protection of data. It means that you are investing in your cyber health, your customers’ trust, your own revenue, and the future of your business.
If you would like a place to start, we have created a free quiz that allows you to see your current cyber maturity Here. If you like the idea of becoming cyber secure but would like some more information, you can take a look at our Resources page, give us a follow on social media (Facebook, Twitter, LinkedIn), send us an email, give us a call at 703-297-4405 or contact us directly! Regardless of the method you choose, we look forward to hearing from you and – as always – we appreciate your time for reading our content! Stay blessed and stay secure!