
Steve Levinson
Steve Levinson – Online Business Systems – VP, Risk, Security, and Privacy & CISO As the Vice President of Online Business Systems’ Risk, Security, and Privacy Consulting Practice, and Online’s Chief Security Officer, Steve leads a vibrant, pragmatic, risk-based, business-minded security consulting practice that focuses on right-sized security, including advisory services, governance/program management and risk assessments (PCI, HIPAA, ISO, NIST, FedRAMP and preparation for SOC2) technical security services (vulnerability scanning, penetration testing, red teaming, and secure code development), data protection and privacy, cloud security, and specialized security services for the healthcare and financial industries. Steve is considered a thought leader in the cybersecurity community, delivering captivating presentations and webinars, and having penned dozens of insights for many publications. Steve is an active CISSP, CISA, and QSA with an MBA from Emory Business School and has over twenty years of IT security experience, and over 25 years of IT experience. Steve’s strong technical and client management skills combined with his holistic approach to risk management resonates with clients and employees alike. He has performed or participated in hundreds of risk assessments and compliance assessments, starting his consulting career with Verisign and AT&T Consulting, where he provided cybersecurity consulting leadership. Since then, Steve has served as a key strategic advisor for hundreds of clients and has gained the trust of many industry partners and affiliates, earning him a seat as a respected voice around the PCI SCC’s Global Assessors Round Table. In addition to serving as virtual CISO for several clients, Steve has also performed security architecture reviews, network and systems reviews, security policy development, vulnerability assessments, and served as cybersecurity subject matter expert to client and partner stakeholders globally. 
Wherever Steve’s travels take him – and he travels a lot – he makes friends and finds time in his busy calendar to gather as many local like-minded security professionals, colleagues old and new, to share ideas, foster connections, and build on ideas. His true professionalism and his earnest nature, together, make up the ‘magic’ that fuels the passion of those he leads. It was exactly this combination of Steve’s vision, passion, and his connections around the world that recently helped form Online’s EMEA division, expanding the organization’s security and digital transformation footprint internationally. Keeping up with the latest security trends and threats is easier than keeping up with Steve; when he’s not connecting with clients or fighting cybercrime, Steve is making meaningful memories with his family, keeping pace with his beloved pups, catching the early surf just after sunrise, or charging down a mountain slope. “Where’s Stev0?” is a common phrase jested amongst colleagues around the virtual Online office. But not to worry, if you miss him, he will circle back again soon.
Online infuses the right amount of security into everything we do – I like to refer to this approach as our “special sauce.” Security is not just important to our Risk, Security, and Privacy (RSP) practice (which lives, breathes, eats, and sleeps security), it’s important to our entire company. We have built security into our development processes, our service management practice, our customer/digital experience offerings, our internet of things (IoT) offerings, and our cloud-based (AAS) service offerings.
Earlier this year we refreshed Online’s internal security policy. Our old policy was simply too generic and did not represent our organization’s security-first philosophy. When we first shared the new policy internally, many questions surfaced from Onliners and these became the impetus for the blog series you’re reading now. The goal of this series is to ‘humanize’ each section of our own security policy in a way that will hopefully resonate with you the reader, which in turn will help you embrace this thing called information security.
Why a Security Policy?
In today’s business climate where companies are becoming increasingly aware of security and third-party risk, security policies are not only expected, but they are business drivers.
A security policy provides a framework and set of standards that enable an organization to exercise proper due diligence to adequately protect critical assets. The policy is supported by underlying processes (how will we do it?) and standards. It helps an organization make sure they have a consistent strategy to address the protection of critical assets.
In addition, the policy (and underlying processes) is the glue that allows for organizations to go through change (which is inevitable) while helping maintain the right security posture. If an employee switches roles or leaves the company, the new person needs to be able to take the reins not only operationally, but in a way that doesn’t allow security to slip. Documented policies and procedures can help with this.
Scope - How much is just enough?
It is critically important to implement a policy that aligns with your business model – to protect assets (data, systems, networks, applications, etc.) with the right amount of policy, process, controls, technology, and people to be able to demonstrate that you are exercising proper due diligence. Just like your security program, your security policy should be right-sized for your organization. The issue many organizations face, however, is that it can be difficult to know just how much security you need. That’s where Online can help: our team of security experts has years of experience developing and implementing security policies for organizations of all sizes and industries.
Do I have to read the whole thing?
The important thing about writing any policy is that it should apply to those to whom it is applicable. When we shared our new policy, we asked all Onliners to read the encryption and key management policy items; in the end, this may not have been the best approach as it applied to only a handful of people – so we refined who that applied to. At my last job, I had to read a two-page asbestos policy (because some of the company’s facilities may have had asbestos) yet I was a virtual worker who never set foot in any of their facilities! In short, you will lose your policy-reading audience if you force them to read portions of a policy that don’t apply to them – therefore try to include a preamble section in each policy stating to whom it applies.
Make it referenceable
Change is constant – roles, technology, cyber threats, and clients are all susceptible to it – therefore we need to be able to quickly react to address the risk associated with change. The security policy should be located in an easy-to-find location and should be well indexed so that it can be easily searched. Then, even if your job today doesn’t require any cryptography or key management, for example, you can at least know where to find out more.
Remember, just like the voice on the airport intercom says, “Security is everyone’s responsibility,” and this is true for all organizations. In my next post, we will talk about the various roles associated with creating and maintaining your organization’s security policy.
Are you looking for guidance on creating or reviewing your organization’s security policies? Feel free to reach out to me directly or leave a comment below.