GRAY BEARD BLOG

SHARING RANDOM THOUGHTS ON TECH

No BS Advice

2/13/2025


 
The Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals (CPGs) are a set of baseline protections aimed at reducing risk to businesses, critical infrastructure, and U.S. citizens. Join us for a webinar deep dive into the CPG assessment process, highlighting its key elements and explaining why it’s vital for effective cybersecurity.
In this expert panel discussion, Chris Kay, CISA State Coordinator and Advisor, and Tom Brennan, Managing Partner at Proactive Risk, will provide clear steps for integrating CISA’s goals into your organization’s cybersecurity strategy. They’ll break down why CPGs are important, how they align with broader national security objectives, and how businesses can pair them with other leading compliance frameworks to create a robust, comprehensive security posture.
Key topics will include:
  • An overview of CISA's role and the importance of the CPGs
  • Practical steps to assess and implement the CPGs within your organization
  • How to pair CISA's CPGs with frameworks like NIST, ISO, and others
  • Best practices for creating a cross-mapped, aligned cybersecurity program
  • The evolving threat landscape and the role of DHS in protecting against it
Learn More and RSVP Here


The Cybersecurity Triangle: People, Process, and Technology — And Why Pizza Is Round, Packed in a Square Box, and Eaten as Triangles

1/28/2025


 
In the world of cybersecurity, there are three core pillars that every organization should be focusing on: people, process, and technology. These three work in tandem to ensure that your organization isn’t the next target of a data breach, ransomware attack, or—heaven forbid—an IT disaster caused by an employee clicking on a suspicious email attachment with the title “HOT DATES THIS WEEKEND!!!”

But let’s take a step back for a moment and consider something equally perplexing: why, in a world so full of logical solutions, does pizza come round, get packed in a square box, and get eaten in triangles? It’s a mystery that rivals the enigma of cybersecurity itself—complex, counterintuitive, and full of things that don’t quite add up until you take a deeper look.

The Cybersecurity Triangle: A Perfect Analogy
First, let’s unpack the “people, process, and technology” bit, because it’s a good analogy to the pizza conundrum.
  • People are like the dough of a pizza. Without people, there’s no cybersecurity strategy. It’s just a crusty, unbaked idea. You need the right people—your cybersecurity specialists, risk managers, and even those unassuming office admins who set up your password policies. They provide the foundation, the “stretchiness,” if you will, of your security culture. Without proper training and awareness, people are like dough left out in the open—easily compromised and vulnerable to the environment (aka phishing emails, password sharing, or that one guy who still uses “12345” for his login).
  • Process is the sauce. It’s the layer that brings everything together. A great pizza can have the finest dough, but without a good sauce, it’s just dry bread. Similarly, in cybersecurity, processes ensure that security isn’t just a reactive afterthought but a constant, baked-in routine. Think of your incident response plan, regular vulnerability assessments, and patch management processes. The sauce makes everything more cohesive and flavorful.
  • Technology is the cheese (obviously). Technology binds the process together, providing that extra layer of protection—like the gooey, melty layer of cheese that ensures the pizza doesn’t fall apart. Firewalls, encryption, multi-factor authentication—these are your mozzarella, parmesan, and cheddar working overtime to keep your sensitive data safe and sound, no matter what toppings (read: threats) try to sneak in.

Why Pizza Is Round and Cybersecurity Should Be Proactive
Here’s where the pizza metaphor gets interesting: Why is pizza round? Maybe it’s because it’s supposed to be universally approachable—everyone loves pizza. But here’s the kicker: it’s packed in a square box. Why? Because square boxes are efficient to manufacture, store, and stack. You don’t want to waste space. The pizza inside, however, is trying to “break out” of that square by being round. It’s a paradox.

In cybersecurity, technology is the box. It's square, structured, designed for efficiency. But the threat landscape? It’s round. It’s unpredictable, constantly evolving, and moving in different directions, just like a pizza that’s too big to fit into its neat, little square box. If you’re not proactive about risk—if you only rely on the structure of your technology to protect you—you’re going to end up like that pizza: squished in a box with vulnerabilities that are trying to escape in all directions.

Triangles: A Symbol of Security Decisions
Now, here’s the best part of this analogy—why do we always eat pizza as triangles? It's not because the pizza is begging to be dissected into perfect slices of bite-sized portions (though, I’ll admit, pizza does get extra satisfying when you have the perfect triangular piece in hand). It’s because triangles represent proactive decision-making.

Let’s break it down: when you’re eating pizza in a triangle shape, you’re tackling the problem (the pizza) piece by piece. You can’t just take a whole slice in one bite (unless you’re an absolute savage), but you can make sure each bite is thoughtful, deliberate, and, most importantly, proactive.

That’s exactly how cybersecurity should be. You can’t just install some shiny new software or slap on a firewall and call it a day. You need to break the problem down into smaller, manageable slices. Identify the risks, create processes for handling them, and ensure your people know exactly what to do when things go wrong. You need to be deliberate with every bite. One proactive decision at a time.

So, when it comes to cybersecurity, don’t be like the person who orders pizza, stares at the box, and wonders why it’s round but packed in a square box. Don’t just react to the threats and hope for the best. Instead, be proactive—grab your triangular slice and take a bite out of risk management, one carefully considered decision at a time.

Because in the world of cybersecurity, just like with pizza, you can either be the guy who eats the pizza with reckless abandon and ends up with toppings all over his shirt, or you can be the guy who eats it in a way that shows you’re in control. You’re not just sitting there hoping the pizza (or your organization’s cybersecurity) stays intact. You’re taking charge. You’re the one who’s ahead of the game. You’re the one who gets the last slice—er, I mean, stays secure.

Conclusion: Risk Is Like Pizza—It’s Better When You’re Proactive
In the end, pizza is a lot like cybersecurity. It’s all about balance. You need the right mix of people, process, and technology to ensure things don’t get too messy. And just like pizza, risk management is best when you break it down into smaller, actionable steps. Whether you're avoiding that one guy who always brings "cheesy" security advice to the table or making sure your processes are smooth, always be one step ahead of the game.

So next time you’re enjoying a pizza slice (and wondering why it's round, packed in a square box, and eaten in triangles), think about cybersecurity. Because if you’re proactive about managing risk, you’ll never be the one stuck with a half-eaten pizza—or worse, an unsecured network.
And remember: the only thing more satisfying than a perfectly triangular slice of pizza is knowing your organization’s cybersecurity is safe, sound, and proactive. -- Bet I know what you're having this week :)

Join the retired investigator guild and shared purpose partners @ Old Homestead Steakhouse, NYC 1/24

1/16/2025


 
There are countless unsolved murders, lives devastated by human trafficking, and cybercriminals operating in the shadows. We’re calling on our network of professionals—whether you’re a seasoned law enforcement officer, cyber operator, or simply someone passionate about justice—to join us in making a difference.

Together, we can tackle these challenges head-on with advanced cyber operations, collaborative problem-solving, and a shared commitment to stopping the bad guys. Your support, whether as an individual, corporation, or philanthropic partner, can help us bring closure to families, protect the vulnerable, and dismantle criminal networks.

Let’s make an impact together—because justice shouldn’t wait.
Event & RSVP Details

Partner Perspectives: Q&A with Tom Brennan of Proactive Risk

1/13/2025


 
Introduction

Meet Tom Brennan, Managing Partner at Proactive Risk, where expertise and experience converge to safeguard critical national infrastructure (CNI) organizations. As a co-author of multiple cybersecurity titles, Brennan possesses unmatched knowledge, enabling him to effectively secure CNI organizations against emerging threats.
We recently sat down with Brennan to explore Proactive Risk's bespoke approach, leveraging a small, seasoned team to deliver tailored solutions. Learn about the challenges they're addressing in the CNI space and how their consultative expertise is driving meaningful impact.
1. What does Proactive Risk do? What is your role? As Managing Partner at Proactive Risk, I lead a team of experts dedicated to helping governments and critical national infrastructure organizations navigate complex risk landscapes. Our boutique consultancy specializes in risk management, security assessments, and compliance solutions, delivering tailored technical advisory services to support our clients' most pressing needs.
2. What solutions/services does Proactive Risk offer? We offer a range of solutions and services, but my expertise lies in advisory, assessment, and operations. Our advisory and assessment services involve evaluating organizations against established frameworks and providing guidance on best practices, regulatory compliance, and government controls.
What sets us apart is our hands-on experience. We don't just provide checklists. We offer expert consulting rooted in real-world experience. With 20 years of experience in the field, including hands-on keyboard time, I bring a depth of knowledge to high-level consulting. My focus is on strategic guidance, spanning multiple areas, rather than just checking boxes or offering generic advice.
3. Do you specialize in any specific areas (industries, services, frameworks, etc.)? We specialize in serving the CNI industry, with expertise aligned to CISA's Cross-Sector Cybersecurity Performance Goals and the Center for Internet Security (CIS) Controls. While we guide organizations through compliance journeys, we emphasize that compliance is merely the foundation — true security demands a more nuanced and comprehensive approach.
4. What differentiates Proactive Risk from others in the space? How do you stand out?   
For the full interview click here

SHALL WE PLAY A GAME? TABLETOP LEGAL

1/2/2025


 
Scenario 1: Ransomware Attack on Critical Legal Systems
Background: The law firm is targeted by a sophisticated ransomware attack that locks down critical legal systems, including case management software, document repositories, and billing systems. The attackers demand a ransom in cryptocurrency, threatening to release sensitive client information unless the payment is made. The firm is also experiencing significant downtime, which is affecting its ability to deliver legal services to both business and individual clients.
Objectives:
  • Assess the firm’s ability to respond to a ransomware attack.
  • Evaluate the firm's cybersecurity measures and data protection strategies.
  • Ensure the legal, financial, and public relations teams work together to mitigate risk and minimize client impact.
  • Test the communication protocols between IT, legal, finance, and public relations during a crisis.
Exercise Flow:
  1. Initial Incident (Day 1, Morning):
    • IT receives alerts of unusual activity on the network: slow system performance, users unable to access key systems, and error messages related to locked files.
    • A ransom note is discovered on a shared server that demands payment for the decryption key and threatens the release of confidential client data.
    • IT confirms the presence of ransomware on a significant number of workstations, servers, and the legal document management system.
  2. Escalation (Day 1, Afternoon):
    • The CEO is notified and an executive meeting is called. The General Counsel (GC) must assess the legal implications of both paying the ransom and the potential data breach.
    • The CIO and IT team are tasked with isolating infected systems, determining the scope of the attack, and identifying if client data has been compromised.
    • The CMO must prepare a communication strategy in case the breach becomes public or clients inquire about the attack.
  3. Tactical Response (Day 2):
    • The firm must decide whether to negotiate with the attackers, pay the ransom, or explore alternative recovery options.
    • Legal teams begin working with external cybersecurity experts and law enforcement, ensuring compliance with regulations such as GDPR or HIPAA (if applicable).
    • The finance team, led by the CFO, assesses the financial impact and prepares for any potential claims for lost revenue and client compensation.
    • PR and marketing teams are briefed to handle potential media inquiries and client notifications. The firm’s reputation is at risk.
  4. Recovery (Day 3 and beyond):
    • IT begins restoring data from backups, first confirming that the backups themselves are intact and were never reachable from the infected systems. The team evaluates the effectiveness of its backup strategy and identifies the most recent restore point that predates the compromise.
    • Communications continue with clients, informing them of the attack and how it is being addressed.
    • The firm must plan for any ongoing service disruptions and the potential loss of clients due to the attack.
Key Discussion Points:
  • How would the firm handle internal and external communication? What key messages should be communicated to clients and employees?
  • What steps should be taken immediately to contain the incident and limit further damage?
  • How should the law firm approach the legal implications of the attack (including potential fines, lawsuits, or loss of client trust)?
  • What steps should be taken post-attack to prevent future incidents (e.g., incident response plan revisions, cybersecurity training, insurance considerations)?
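The "Initial Incident" step above turns on IT recognizing two signals on the shared server: a ransom note and a wave of files locked under a new extension. The following is an added example, not part of the original exercise, showing how a first-responder script could triage a file-share listing for exactly those two indicators. The note-name patterns, the list of expected document extensions, the burst thresholds and the sample listing are all assumptions constructed for the example; a real deployment would feed it a listing pulled from the file server's audit log or a directory walk.

```python
"""Heuristic triage of a file-share listing for ransomware indicators.

Added example for the tabletop scenario; not part of the original write-up.
It scores a directory listing against two indicators the scenario mentions:
a ransom note dropped on a shared server, and a burst of files renamed with
an appended extension ("locked" files). The note-name patterns, the
known-extension list, the thresholds and the sample listing are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Filename fragments commonly used for ransom notes (assumed, illustrative).
NOTE_NAME_RE = re.compile(
    r"readme|how[_ -]?to[_ -]?(decrypt|recover|restore)|"
    r"recover[_ -]?(your[_ -]?)?files|decrypt[_ -]?instructions",
    re.IGNORECASE,
)
# Ransom notes are almost always plain text or HTML; only these count.
NOTE_EXTS = {"txt", "html", "hta"}
# Extensions the share is expected to hold (assumed). A second extension
# stacked on one of these, e.g. "brief.docx.locked", is a candidate suffix.
KNOWN_EXTS = {"docx", "doc", "xlsx", "xls", "pdf", "txt", "pptx", "msg", "eml", "csv", "zip"}


@dataclass(frozen=True)
class FileEntry:
    path: str          # forward slashes, e.g. "//fileshare/cases/brief.docx.locked"
    modified: datetime


@dataclass
class Findings:
    ransom_notes: list[str]
    suspicious_suffix: str | None
    renamed_count: int

    @property
    def likely_ransomware(self) -> bool:
        # Either indicator alone is worth escalating; both together is strong.
        return bool(self.ransom_notes) or self.renamed_count > 0


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _is_ransom_note(name: str) -> bool:
    stem, _, ext = name.lower().rpartition(".")
    return ext in NOTE_EXTS and NOTE_NAME_RE.search(stem) is not None


def _appended_suffix(name: str) -> str | None:
    """'brief.docx.locked' -> 'locked'; 'brief.docx' or 'old.pdf.zip' -> None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in KNOWN_EXTS and parts[2] not in KNOWN_EXTS:
        return parts[2]
    return None


def _max_in_window(times: list[datetime], window_seconds: int) -> int:
    """Largest number of timestamps inside any window of the given length."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(entries: list[FileEntry], window_seconds: int = 3600, min_burst: int = 5) -> Findings:
    """Flag ransom notes and any appended-extension rename burst in the listing.

    A single oddly named file (a stray .bak, say) is not a rename burst: at
    least `min_burst` files with the same appended suffix must have been
    modified within `window_seconds` of each other before it is reported.
    """
    notes = [e.path for e in entries if _is_ransom_note(_basename(e.path))]

    by_suffix: dict[str, list[datetime]] = defaultdict(list)
    for e in entries:
        suffix = _appended_suffix(_basename(e.path))
        if suffix:
            by_suffix[suffix].append(e.modified)

    suspicious, count, best_burst = None, 0, 0
    for suffix, times in by_suffix.items():
        burst = _max_in_window(times, window_seconds)
        if burst >= min_burst and burst > best_burst:
            suspicious, count, best_burst = suffix, len(times), burst
    return Findings(notes, suspicious, count)


_T0 = datetime(2025, 1, 6, 8, 15, 0)  # constructed "Day 1, Morning" timestamp

# Constructed listing of a case-files share: one note, two routine files,
# and eight briefs re-suffixed ".locked" within four minutes.
SAMPLE_LISTING = [
    FileEntry("//fileshare/cases/HOW_TO_DECRYPT_FILES.txt", _T0),
    FileEntry("//fileshare/cases/engagement_letter.pdf", datetime(2024, 11, 3, 14, 2)),
    FileEntry("//fileshare/cases/retainer_2023.xlsx.bak", datetime(2024, 12, 20, 9, 30)),
] + [
    FileEntry(f"//fileshare/cases/matter_{i:03d}/brief.docx.locked", _T0 + timedelta(seconds=30 * i))
    for i in range(8)
]
# The same share with only the routine files: must not be flagged.
CLEAN_LISTING = SAMPLE_LISTING[1:3]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Run against the constructed listing, the script reports the ransom note and the `locked` suffix on eight files, while the lone `.xlsx.bak` is ignored because one file is not a burst. Shrinking the window to a second suppresses the rename finding but the note alone still escalates, which is the point of keeping the two indicators independent.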

Scenario 2: Data Breach and Client Confidentiality Violation
Background: A third-party vendor that the law firm uses for document storage and management is breached in a cyber attack, exposing confidential client information, including legal briefs, personal identification data, and financial records. The vendor’s data center has been compromised, and a hacker has accessed sensitive files and emails. The breach affects both business clients and individuals, with some clients being high-profile individuals, corporations, and governmental entities.
Objectives:
  • Test the firm’s ability to respond to a third-party data breach and assess the impact on client confidentiality.
  • Evaluate the firm’s process for notifying clients and regulatory bodies about the breach.
  • Ensure collaboration between legal, IT, PR, and executive teams to mitigate reputational damage.
  • Assess how the firm’s contractual agreements with third-party vendors manage data security and breach notifications.
Exercise Flow:
  1. Initial Discovery (Day 1, Morning):
    • IT and security teams are alerted by the vendor that a data breach has occurred. They are informed that some client data has been exfiltrated, including sensitive legal files.
    • The General Counsel (GC) assesses whether the breach involves personally identifiable information (PII) or attorney-client privileged information, which could expose the firm to significant legal risks.
    • The CIO must assess the scope of the breach—whether the attack is isolated to the vendor, or if other systems within the firm are at risk.
  2. Response Coordination (Day 1, Afternoon):
    • The CEO is briefed on the situation and needs to decide whether the firm will notify affected clients immediately or wait for more information.
    • The General Counsel (GC) begins drafting breach notification letters, considering any regulatory requirements (GDPR, CCPA, etc.).
    • The CMO and PR teams are put on standby to create a public statement and plan for handling media inquiries, especially with high-profile clients affected by the breach.
    • The CFO works with the finance team to estimate potential financial consequences, including lawsuits, regulatory fines, and loss of business.
  3. Impact Analysis (Day 2):
    • The legal team begins conducting an impact assessment, identifying which clients’ data was affected and which regulations require notification.
    • The firm must decide whether to offer credit monitoring or other services to impacted clients and whether any legal action should be taken against the vendor.
    • PR and marketing teams work on crafting transparent communications for affected clients, media outlets, and the firm’s employees.
    • A meeting is held with the vendor to understand the root cause of the breach and assess their response plan, including whether the vendor is taking steps to mitigate the breach and prevent further data exposure.
  4. Ongoing Response (Day 3 and beyond):
    • IT and legal teams continue working with the vendor to ensure that the breach is fully contained and that no further client data is at risk.
    • The firm reviews its contracts with the vendor and any clauses regarding data security and breach notification. The firm must evaluate whether the vendor has met their contractual obligations.
    • The firm considers long-term solutions to mitigate future risks, including enhancing third-party risk management, implementing stronger data protection measures, and revising the firm’s own security protocols.
    • Client communications continue, keeping clients informed of ongoing investigation efforts and steps being taken to prevent future incidents.
Key Discussion Points:
  • What is the first step the law firm should take once the breach is identified, and how should it manage the relationship with the third-party vendor?
  • How can the law firm protect its reputation during and after the breach, especially with high-profile clients involved?
  • What actions should be taken to ensure compliance with data protection laws and regulatory requirements for breach notification?
  • What improvements can be made to vendor risk management and the firm’s internal data security protocols to prevent future breaches?

Both scenarios involve cross-functional collaboration between legal, financial, IT, and communications teams, with an emphasis on managing client relationships, maintaining regulatory compliance, and minimizing reputational damage.

These exercises will test the firm’s ability to respond to complex, high-stakes incidents involving sensitive client data.

Proactive Risk Management in New Jersey: Safeguarding Your Business from Emerging Threats

11/6/2024


 
In today's interconnected world, managing risk is more complex than ever. While many industries focus on high-visibility issues like safety or regulatory compliance, when it comes to cybersecurity and data breaches, the response is often fragmented. Too frequently, organizations react to security threats by shifting blame to underfunded projects or management teams that are perceived as not fully understanding the scope of the risks. This kind of reactive response can hinder effective risk mitigation and delay critical actions when they’re needed most.
 
At Proactive Risk, we specialize in helping businesses proactively manage their risk, especially as the landscape of threats continues to evolve. Based in Northern New Jersey, we serve industries including pharmaceuticals, finance, healthcare, technology, and logistics—sectors that are particularly vulnerable to cybersecurity risks. We understand that in today’s digital age, securing sensitive data and ensuring compliance with both state and federal regulations are critical to the success of any business.
 
The Shifting Landscape of Risk Management
 
Over the last few decades, the nature of risk has changed dramatically. Here's a quick look at how risks have evolved over time:
 
- 1980–2010: Data Theft: As business records moved online, theft of that data emerged as a growing concern.
- 2010–2020: Cyberattacks Escalate: Mass data theft (Yahoo in 2013, Equifax in 2017) and the rise of ransomware, including the NotPetya attack that shut down Maersk in 2017, marked a significant escalation in cyber risk, highlighting the vulnerabilities of even the most well-established organizations.
- 2020 and Beyond: New Challenges: The Colonial Pipeline ransomware attack in 2021 and the 2024 breaches at Change Healthcare and CDK serve as stark reminders that businesses must remain vigilant in the face of evolving cyber threats.
 
The need for Proactive Risk management has never been more critical. Today’s businesses require a robust, proactive approach to risk mitigation—especially when third-party vendors are involved.
 
Vendor Risk Management: A Critical Need in New Jersey
 
New Jersey is home to some of the world’s largest and most influential industries, including pharmaceuticals, biotechnology, finance, healthcare, and technology. These sectors deal with sensitive information daily, and the risks associated with data breaches, fraud, and non-compliance are substantial. That’s why vendor risk management is more important than ever.
 
Let’s take a look at some of the regulatory requirements and how they directly impact your business, especially in New Jersey.
 
---
 
1. New Jersey Consumer Fraud Act (CFA)
 
Jurisdiction: New Jersey 
Overview: The New Jersey Consumer Fraud Act (CFA) is one of the state’s most important consumer protection laws. While it doesn’t explicitly require vendor risk management, businesses must ensure that any third-party vendor handling consumer data or providing services complies with consumer protection standards. 
Vendor Risk Relevance: If a vendor's actions result in fraud, misrepresentation, or harm to consumers, the business that contracted the vendor can be held liable. This underscores the importance of assessing third-party risks. 
Key Requirement: Carefully select and vet vendors to ensure they adhere to consumer protection laws.
 
---
 
2. New Jersey Data Breach Notification Law (N.J.S.A. 56:8-161)
 
Jurisdiction: New Jersey 
Overview: This law requires businesses to notify residents if their personal information is compromised due to a data breach. The law also applies to breaches involving third-party vendors. 
Vendor Risk Relevance: Companies must ensure their third-party vendors maintain strong data security practices to avoid triggering breach notification requirements. 
Key Requirement: Contracts with third-party vendors should clearly outline data security expectations and breach notification protocols.
 
---
 
3. New Jersey Cybersecurity Regulations (N.J.A.C. 17:1-1.1 et seq.)
 
Jurisdiction: New Jersey state agencies and private entities, such as financial institutions 
Overview: New Jersey's cybersecurity regulations require businesses that handle state data to adhere to specific cybersecurity standards, including for contractors and vendors. 
Vendor Risk Relevance: If your organization works with state contracts or handles state data, you must ensure that your third-party vendors comply with these cybersecurity regulations to avoid vulnerabilities. 
Key Requirement: Vendors must meet cybersecurity standards that protect sensitive data from cyber threats.
 
---
 
4. New Jersey Statewide Health Information Technology (HIT) Exchange (NJ-HIT)
 
Jurisdiction: New Jersey healthcare organizations 
Overview: New Jersey’s health IT framework mandates that third-party vendors who access or manage healthcare data comply with state and federal regulations like HIPAA. 
Vendor Risk Relevance: Healthcare organizations must ensure their vendors are fully compliant with data security standards when handling sensitive patient data. 
Key Requirement: Implement robust vendor risk assessments and ensure that all third-party healthcare providers follow strict cybersecurity measures.
 
---
 
5. New Jersey Department of Banking and Insurance (DOBI) Cybersecurity Regulations
 
Jurisdiction: Financial services sector 
Overview: The New Jersey Department of Banking and Insurance (DOBI) has implemented cybersecurity regulations for financial institutions, mirroring the New York Department of Financial Services (NYDFS) rules. 
Vendor Risk Relevance: Financial institutions must assess their third-party vendors for cybersecurity risks and ensure compliance with security protocols to protect sensitive financial data. 
Key Requirements: Perform ongoing risk assessments of third-party vendors and ensure they adhere to cybersecurity standards.
 
---
 
6. New Jersey's Privacy Laws (Personal Information Protection Act - PIPA)
 
Jurisdiction: New Jersey 
Overview: The Personal Information Protection Act (PIPA) requires businesses to implement reasonable security measures to protect personal data, including when handled by third-party vendors. 
Vendor Risk Relevance: Businesses must ensure that their third-party vendors comply with privacy and data protection standards to safeguard personal information. 
Key Requirement: Vendor contracts should ensure that third-party vendors follow the same privacy protocols required under PIPA.
 
---
 
7. New Jersey Identity Theft Prevention Act
 
Jurisdiction: New Jersey 
Overview: The Identity Theft Prevention Act mandates businesses to implement strong security measures to protect consumers’ personal data from identity theft. 
Vendor Risk Relevance: Organizations must ensure that their third-party vendors adhere to the security protocols necessary to prevent identity theft. 
Key Requirement: Evaluate your vendors’ ability to protect sensitive consumer data from fraud and identity theft.
 
---
 
8. New Jersey’s Insurance Cybersecurity Regulations
 
Jurisdiction: Insurance industry 
Overview: The New Jersey Department of Banking and Insurance (DOBI) has implemented cybersecurity regulations for insurers, ensuring that third-party vendors meet specific security standards. 
Vendor Risk Relevance: Insurers must assess the cybersecurity practices of all third-party vendors that handle customer data to ensure compliance with state regulations. 
Key Requirement: Regularly assess vendor cybersecurity measures and include security provisions in contracts to protect customer data.
 
---
 
Proactive Risk Joins the SecurityScorecard MAX Program
 
Proactive Risk is proud to announce that today we have joined the SecurityScorecard MAX Program. This partnership further strengthens our ability to help businesses proactively assess and manage third-party risk. Through the SecurityScorecard MAX platform, we can now offer enhanced tools to monitor the security posture of vendors, ensuring that they meet the highest standards for protecting sensitive data and mitigating risks.
 
This program allows us to offer real-time, continuous monitoring of your third-party vendors, giving you a comprehensive view of their security practices. By leveraging SecurityScorecard's advanced risk scoring, we can help you make more informed decisions, improve your vendor management processes, and strengthen your organization’s overall security posture.
 
---
 
Conclusion: The Importance of Proactive Risk Management in New Jersey
 
As businesses in New Jersey face increasing pressure from regulatory bodies and rising cyber threats, Proactive Risk is here to help you navigate these challenges with confidence. Whether you operate in healthcare, finance, technology, or another critical sector, managing third-party risk is no longer optional—it's a necessity.
 
Our partnership with the SecurityScorecard MAX Program ensures that we can provide state-of-the-art tools to help you safeguard your business, reduce vulnerabilities, and meet compliance requirements effectively. We work alongside you to implement proactive, data-driven risk management strategies that protect your business and support long-term success.
 
Don’t wait for a data breach or compliance failure to take action. Contact Proactive Risk today to learn more about our vendor risk management solutions and how we can help you stay ahead of emerging threats.


Building a Hive Mind Culture in Your IT Department or Consultancy

8/31/2024


 
In today's fast-paced technological landscape, an effective IT department or consultancy is more than just a group of tech experts—it’s a tightly-knit team that operates like a well-oiled machine. One of the most powerful ways to achieve this cohesion and efficiency is by fostering a hive mind culture. But what exactly does this mean, and how can it transform your team into a powerhouse of innovation, problem-solving, and adaptability? Let's dive into what a hive mind culture looks like and why it's the key to success in any IT department or consultancy.

What is a Hive Mind Culture?
A hive mind culture refers to an environment where team members think and act as one cohesive unit, sharing knowledge, skills, and resources to achieve a common goal. It’s not about losing individuality but rather about amplifying each member's strengths through seamless collaboration and communication. In a hive mind culture, the whole truly is greater than the sum of its parts.

Key Elements of a Hive Mind Culture

1. Collective Knowledge and Expertise
At the core of a hive mind culture is a shared pool of knowledge and expertise. Every team member contributes their unique skills and insights, creating a vast repository of information that can be tapped into at any time. This collective intelligence enables the team to solve complex problems more efficiently, as solutions are generated from a broad range of perspectives and experiences.

2. Seamless Communication and Collaboration
Communication is the lifeblood of a hive mind culture. In such an environment, information flows freely and quickly among team members, ensuring that everyone is on the same page and can respond to challenges in real time. This is achieved through the use of collaborative tools and platforms, regular check-ins, and a culture that encourages open dialogue and knowledge sharing. When team members are in constant communication, they can move in unison, much like a hive responding to changes in its environment.

3. Adaptive Problem-Solving
A hive mind IT department or consultancy excels at adaptive problem-solving. Because the team thinks and acts as one, it can quickly pivot in response to new challenges, anticipate potential issues, and implement solutions with a unified approach. This level of agility is crucial in today’s ever-evolving tech landscape, where the ability to adapt and respond rapidly can make or break a project’s success.

4. Innovative Thinking and Continuous Improvement
Innovation is a cornerstone of a hive mind culture. With the collective brainpower of the team working in unison, there’s a constant flow of fresh ideas and creative solutions. This environment fosters continuous improvement, as team members are always seeking new ways to enhance processes, improve service delivery, and stay ahead of technological advancements. In a hive mind culture, innovation isn’t a one-off event; it’s a continuous process driven by the collective efforts of the team.

5. Shared Responsibility and Accountability
In a hive mind culture, responsibility and accountability are shared across the team. Successes are celebrated collectively, and challenges are tackled together. This shared ownership ensures that all members are equally invested in the department’s goals and outcomes, fostering a strong sense of unity and commitment. When everyone feels responsible for the success of the team, they are more likely to go above and beyond to achieve it.

6. Unified Vision and Goals
A hive mind IT department or consultancy operates with a unified vision and shared goals. Every team member understands the overarching objectives and aligns their efforts towards achieving them. This collective focus ensures that all activities, whether routine IT support or complex cybersecurity initiatives, contribute to the same end goals, driving efficiency and effectiveness across the board.

7. Efficient Resource Utilization
A hive mind culture allows for the efficient use of resources. Workloads are balanced to prevent burnout, and knowledge is evenly distributed to ensure that no single individual is overwhelmed. This efficiency is particularly important in high-demand environments, such as law firms or consultancies, where the team needs to manage both basic and advanced technology issues, as well as specialized areas like eDiscovery and cybersecurity.

8. Cultivating a Hive Mind Culture: The Path to Success
Creating a hive mind culture requires intentional effort and a commitment to fostering collaboration, communication, and continuous learning. It starts with leadership that values team input and encourages open dialogue. Regular training, knowledge-sharing sessions, and team-building activities can help reinforce this culture, making it a natural part of the daily workflow.
When an IT department or consultancy adopts a hive mind approach, it becomes more than just a collection of tech experts. It transforms into a unified, dynamic, and innovative team capable of tackling any challenge that comes its way. By embracing this culture, you position your organization to not only meet the demands of today’s technology landscape but to lead it.

Final Thoughts
A hive mind culture isn’t just a strategy—it’s a mindset. It’s about harnessing the collective power of your team to drive innovation, solve problems, and achieve excellence. Whether you’re leading an internal IT department or running a consultancy, fostering a hive mind culture can unlock your team’s full potential and set you apart in a competitive market. The future of IT is here, and it’s all about working smarter, together.

Need assistance with your team? We can help. Click here for more information.


AI DRAFT Policy for small business

6/26/2024


 
At ProactiveRISK we help write policies and help businesses with people, process and technology. The rapid growth in adoption of AI has put business and customer data at risk. The primary failure is human convenience. Since convenience is the quality of being suitable, practical, or designed to save time, effort, or ease, your employees should be educated, and that education must start at the top. If the management team embraces the AI gold rush, then the collective group can make business decisions BEFORE an incident.

=========
INTRODUCTION
This policy outlines the guidelines and procedures for the use of Artificial Intelligence (AI) within our business to ensure ethical, legal, and secure application.
Policy Purpose
To define the acceptable use of AI technologies within the business and to protect against potential risks associated with AI use.
Scope
This policy applies to all employees, contractors, partners, and stakeholders who use or interact with AI technologies on behalf of the business.

Definitions
  • Artificial Intelligence (AI): Techniques and tools that enable machines to simulate human intelligence.
  • Generative AI: AI techniques generating new, original data.
  • Approved AI Tool: AI tools with which the business has a contractual relationship ensuring confidentiality and compliance.
  • Unapproved AI Tool: AI tools without a formal legal relationship with the business; only public information may be shared.
General Guidelines
  1. Use Approved AI Tools: Employees must use only the AI tools approved by the business for any work-related activities.
  2. Data Protection: Ensure that non-public business data is not inputted into unapproved AI tools to prevent unauthorized access and learning.
  3. Access Control: Implement and follow least privilege and role-based access controls when using AI tools.
  4. Ethical Use: AI tools must be used ethically, avoiding any actions that could be harmful, discriminatory, or illegal.
Roles and Responsibilities
  • Chief Information Security Officer (CISO):
    • Maintain and update the list of approved AI tools every 90 days.
    • Ensure AI tools meet security standards and protocols.
  • Data Protection Officer (DPO):
    • Keep the organization updated on relevant AI legislation and regulations.
  • Employees:
    • Use AI tools in compliance with this policy and data protection regulations.
    • Report any breaches or misuse of AI tools.
Risk Management
  • Risk Assessment: Conduct regular risk assessments to identify and mitigate potential AI-related risks.
  • Risk Acceptance: Only designated executives can grant written exceptions for AI tool use.
Compliance and Enforcement
  • Monitoring: Regularly monitor AI tool usage to ensure compliance with this policy.
  • Violations: Employees violating this policy may face disciplinary action, up to and including termination.
  • Reporting: All breaches or policy violations must be reported immediately. Retaliation against those reporting violations is strictly prohibited.
Procedures
Approval Process for AI Tools
  1. Submission: Employees or departments must submit a request for approval of new AI tools to the CISO.
  2. Evaluation: The CISO will evaluate the tool for security, compliance, and suitability.
  3. Approval: If approved, the tool will be added to the list of approved AI tools.
Using AI Tools
  1. Access: Employees must use their official business identity to access AI tools.
  2. Data Input: Only public information should be inputted into unapproved AI tools.
  3. Data Handling: Follow certified data handling procedures for approved AI tools to ensure data protection.
Reporting and Handling Breaches
  1. Reporting: Report any suspected breaches or misuse of AI tools to the CISO or DPO immediately.
  2. Investigation: The CISO will investigate reported breaches and take appropriate action.
  3. Remediation: Steps will be taken to mitigate the impact of the breach and prevent future occurrences.

By following this policy and procedure, our business aims to utilize AI technologies effectively while safeguarding our data, systems, and ethical standards.
=================

This is a rapidly evolving space; check back soon for updates to this DRAFT, or contact us for more information.

AI run entirely on your local infrastructure

6/26/2024


 
To ensure that all data remains internal and is never shared with a third party, you can use open-source AI tools and frameworks that can be run entirely on your local infrastructure. Here are some AI tools and platforms that meet this criterion:

Machine Learning Frameworks
  1. TensorFlow:
    • Open-source framework developed by Google.
    • Supports a variety of machine learning and deep learning tasks.
    • Can be run on local servers or internal cloud infrastructure.
    • Website: TensorFlow
  2. PyTorch:
    • Open-source machine learning framework developed by Facebook's AI Research lab.
    • Widely used for deep learning applications.
    • Can be run entirely on local hardware.
    • Website: PyTorch
Generative AI Models
  1. GPT-Neo/GPT-J by EleutherAI:
    • Open-source alternatives to OpenAI's GPT-3.
    • Models can be downloaded and run on local servers.
    • Suitable for text generation tasks.
    • GitHub: GPT-Neo, GPT-J
  2. BERT:
    • Bidirectional Encoder Representations from Transformers.
    • Pre-trained models available that can be fine-tuned for various NLP tasks.
    • Can be run locally.
    • GitHub: BERT
  3. Hugging Face Transformers:
    • Library providing thousands of pre-trained models for NLP, vision, and more.
    • Models can be downloaded and used locally without sending data externally.
    • Website: Hugging Face
Data Processing and Analysis
  1. Scikit-learn:
    • Open-source machine learning library for Python.
    • Includes simple and efficient tools for data mining and data analysis.
    • Can be run entirely on local infrastructure.
    • Website: Scikit-learn
  2. Apache Spark:
    • Open-source unified analytics engine for large-scale data processing.
    • Can be run on local servers or a private cluster.
    • Website: Apache Spark
Computer Vision
  1. OpenCV:
    • Open-source computer vision and machine learning software library.
    • Provides a common infrastructure for computer vision applications.
    • Can be run entirely on local machines.
    • Website: OpenCV
  2. YOLO (You Only Look Once):
    • Real-time object detection system.
    • Models and code can be run on local servers.
    • GitHub: YOLO
Deployment and Containerization
  1. Docker:
    • Platform for developing, shipping, and running applications inside containers.
    • Ensures the application runs in the same environment.
    • Can be used to deploy AI models locally.
    • Website: Docker
  2. Kubernetes:
    • Open-source system for automating deployment, scaling, and management of containerized applications.
    • Can be used to manage AI workloads on local or private cloud infrastructure.
    • Website: Kubernetes
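The point of the list above is that no data leaves the building, but "can be run locally" only holds if nothing in the process phones home. The following is an added example, not code from any of the projects listed: a pre-flight check for a Python inference job that refuses to start unless the Hugging Face offline settings are in place (HF_HUB_OFFLINE, TRANSFORMERS_OFFLINE and HF_HUB_DISABLE_TELEMETRY are the library's real environment variables) and then installs an in-process tripwire that fails any non-loopback socket connect before a packet is sent. The host 203.0.113.1 used in the demonstration is a documentation address, not a real endpoint.

```python
import os
import socket

# Hugging Face settings that keep model loading offline and silent.
# These variable names are the library's own; the values are what it expects.
REQUIRED_OFFLINE_SETTINGS = {
    "HF_HUB_OFFLINE": "1",            # never contact the Hub for downloads
    "TRANSFORMERS_OFFLINE": "1",      # load only from local cache or local paths
    "HF_HUB_DISABLE_TELEMETRY": "1",  # send no usage telemetry
}

# Only loopback peers are allowed while the guard is installed.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


class EgressBlocked(RuntimeError):
    """Raised when code in this process tries to open a non-loopback connection."""


def missing_offline_settings(env=None):
    """Return the names of required offline settings that are absent or wrong."""
    env = os.environ if env is None else env
    return [name for name, wanted in REQUIRED_OFFLINE_SETTINGS.items()
            if env.get(name) != wanted]


# Keep the real implementations so the guard can be removed again.
_original_connect = socket.socket.connect
_original_connect_ex = socket.socket.connect_ex


def _peer_host(address):
    # AF_INET / AF_INET6 addresses are (host, port, ...) tuples; AF_UNIX is a path string,
    # which is local by definition and therefore not checked.
    return address[0] if isinstance(address, tuple) else None


def _check_peer(address):
    host = _peer_host(address)
    if host is not None and host not in LOOPBACK_HOSTS:
        raise EgressBlocked(f"outbound connection to {host!r} blocked by offline guard")


def _guarded_connect(self, address):
    _check_peer(address)
    return _original_connect(self, address)


def _guarded_connect_ex(self, address):
    _check_peer(address)
    return _original_connect_ex(self, address)


def install_egress_guard():
    """Patch socket.connect / connect_ex so any non-loopback connect fails fast."""
    socket.socket.connect = _guarded_connect
    socket.socket.connect_ex = _guarded_connect_ex


def remove_egress_guard():
    """Restore the unpatched socket methods."""
    socket.socket.connect = _original_connect
    socket.socket.connect_ex = _original_connect_ex


def connection_is_blocked(host, port):
    """Attempt a TCP connect; True only if the guard refused it before any packet left."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(1.0)
        try:
            sock.connect((host, port))
        except EgressBlocked:
            return True
        except OSError:
            return False  # reached the network stack (refused, timed out), so not blocked
    return False


def preflight():
    """Refuse to start an inference job unless the environment is configured offline."""
    missing = missing_offline_settings()
    if missing:
        raise SystemExit("refusing to start: set " + ", ".join(missing) + " to 1")
    install_egress_guard()


if __name__ == "__main__":
    preflight()
    # 203.0.113.1 is a documentation address; the guard raises before any packet is sent.
    print("guard active; connect to 203.0.113.1 blocked:", connection_is_blocked("203.0.113.1", 443))
```

The guard is a tripwire against accidental downloads and telemetry from libraries loaded into the process, not a security boundary: code that wants to bypass it can. The enforcement layer belongs outside the process, for example running the Docker container from the list above with `--network none` and a host firewall that only permits the internal services the job needs; the in-process check then makes a misconfiguration fail loudly at startup instead of silently leaking.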

This blog post is a work in progress. If you have something that you would like to add, please contact me; I would love to include it. - Tom

Hunting Shadow AI

5/30/2024


 
Shadow AI refers to the use of artificial intelligence tools and applications within an organization without the formal approval or knowledge of the IT department or senior management. This phenomenon is similar to "shadow IT," where employees use unauthorized hardware, software, or services. Shadow AI can pose significant risks to an organization, including security vulnerabilities, compliance issues, and data governance challenges.
Identifying Shadow AI
  1. Unusual Data Traffic: Monitoring network traffic for unusual patterns or volumes can indicate the presence of unauthorized AI tools communicating with external servers.
  2. Application Inventory: Regularly audit and maintain an inventory of all applications in use. Discrepancies between known applications and those discovered during the audit can highlight unauthorized tools.
  3. User Behavior Analysis: Implementing user behavior analytics (UBA) can help identify anomalies in how employees interact with data and applications, potentially revealing the use of shadow AI.
  4. Employee Surveys and Feedback: Encouraging employees to disclose the tools they use, either through anonymous surveys or feedback sessions, can uncover the use of shadow AI.
  5. Endpoint Monitoring: Deploying endpoint detection and response (EDR) solutions can help monitor and analyze activities on all endpoints, identifying unauthorized AI applications.
  6. Data Access Patterns: Unusual access patterns to data repositories, especially those involving large datasets typically used by AI models, can indicate the use of shadow AI.
  7. Software Procurement Records: Reviewing procurement records and expense reports for unauthorized software purchases or subscriptions can help identify shadow AI tools.
  8. Collaboration with Departments: Collaborating with different departments to understand their needs and tools can help bridge gaps and prevent the need for unauthorized solutions.
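Items 1 and 6 above (unusual traffic to external AI services and unusual data volumes) are the ones a SOC can automate against a proxy or egress log. The following is an added example, not code from the post, of that hunt: it parses a constructed proxy-log excerpt, matches destination hosts against a watch list of AI-service domain suffixes, ignores services on the business's approved list, and aggregates connections and bytes sent per user and service, flagging any user who pushed more than 1 MiB to an unapproved service. The log format, the user names, the 1 MiB threshold and the domain ai-vendor.example are constructed for the example; the watch list of vendor domains is illustrative and is something the CISO's tool inventory has to maintain.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy-log excerpt (not real traffic). Space-separated fields:
# timestamp  user  source_ip  destination_host  port  bytes_sent_by_client
SAMPLE_PROXY_LOG = """\
2024-05-30T09:12:44Z alice 10.0.0.12 api.openai.com 443 18234
2024-05-30T09:13:02Z alice 10.0.0.12 api.openai.com 443 5120000
2024-05-30T09:15:10Z bob 10.0.0.21 chat.ai-vendor.example 443 2048
2024-05-30T09:16:33Z carol 10.0.0.30 intranet.corp.example 443 900
2024-05-30T09:20:01Z dave 10.0.0.44 huggingface.co 443 140
this line is malformed and should be counted, not crash the hunt
"""

# Services the business has a contractual relationship with (the "approved" set).
APPROVED_AI_SERVICES = {"huggingface.co"}

# Domain suffixes of AI services worth watching. The vendor domains are illustrative
# and ai-vendor.example is a constructed placeholder; maintain this list from the
# organization's own tool inventory.
AI_SERVICE_SUFFIXES = ("openai.com", "anthropic.com", "huggingface.co", "ai-vendor.example")

LARGE_UPLOAD_BYTES = 1_048_576  # 1 MiB from one user to one service; constructed threshold


@dataclass(frozen=True)
class Finding:
    user: str
    service: str
    connections: int
    bytes_out: int
    large_upload: bool


def parse_proxy_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, src_ip, dst_host, port, bytes_out = parts
    try:
        return {"ts": ts, "user": user, "src": src_ip, "dst": dst_host,
                "port": int(port), "bytes_out": int(bytes_out)}
    except ValueError:
        return None


def match_ai_service(host, suffixes=AI_SERVICE_SUFFIXES):
    """Return the watch-list suffix the host belongs to, or None.

    Matches on label boundaries, so 'notopenai.com' does not match 'openai.com'."""
    host = host.lower().rstrip(".")
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def hunt_shadow_ai(log_text, approved=APPROVED_AI_SERVICES,
                   suffixes=AI_SERVICE_SUFFIXES, large_upload_bytes=LARGE_UPLOAD_BYTES):
    """Aggregate traffic to unapproved AI services per user and flag large uploads.

    Returns (findings sorted by user then service, number of malformed lines skipped)."""
    totals = defaultdict(lambda: [0, 0])  # (user, service) -> [connections, bytes_out]
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if rec is None:
            skipped += 1
            continue
        service = match_ai_service(rec["dst"], suffixes)
        if service is None or service in approved:
            continue  # not an AI service, or one the business has sanctioned
        counters = totals[(rec["user"], service)]
        counters[0] += 1
        counters[1] += rec["bytes_out"]
    findings = [Finding(user, service, n, b, b >= large_upload_bytes)
                for (user, service), (n, b) in sorted(totals.items())]
    return findings, skipped


if __name__ == "__main__":
    findings, skipped = hunt_shadow_ai(SAMPLE_PROXY_LOG)
    for f in findings:
        flag = " LARGE UPLOAD" if f.large_upload else ""
        print(f"{f.user}: {f.connections} connection(s) to {f.service}, {f.bytes_out} bytes out{flag}")
    print(f"skipped {skipped} malformed line(s)")
```

On the constructed log this reports alice (two connections to openai.com, over 5 MB sent, flagged as a large upload) and bob (one small session with the unapproved vendor), while dave's use of the approved service and carol's intranet traffic produce nothing. Two caveats for a real deployment: TLS hides the request body, so bytes sent is the only volume signal a proxy log gives you, and a domain watch list catches only the services you already know about, which is why the post pairs this with the inventory, procurement and survey checks.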
Mitigating Shadow AI Risks
  1. Create Clear Policies: Develop and communicate clear policies regarding the use of AI tools and applications within the organization.
  2. Provide Approved Tools: Ensure employees have access to approved and sanctioned AI tools that meet their needs, reducing the incentive to use unauthorized solutions.
  3. Education and Training: Educate employees on the risks associated with shadow AI and the importance of using approved tools.
  4. Regular Audits: Conduct regular audits of applications and data usage to detect and address shadow AI promptly.
  5. Encourage Transparency: Foster a culture of transparency where employees feel comfortable discussing their tool needs and challenges.
Identifying and managing shadow AI is crucial for maintaining the security, compliance, and efficiency of an organization's operations.  