Steve Horvath, a Telos cybersecurity leader with nearly 20 years building risk and compliance solutions, joins to discuss supply chain cyber risk. He covers Xacta’s evolution into an enterprise risk platform. They talk NIST frameworks, software bills of materials, attack surface management, and the need for board-level cyber education.
25:52
ANECDOTE
Xacta Evolved From Federal Compliance Tool To Platform
Xacta began in 2001 as a web app to automate federal compliance workflows and evidence generation.
It evolved through continuous assessment, agentless ingestion, Flux and Continuum into today's Xacta360 and Xacta.io.
INSIGHT
Cybersecurity Risk Cannot Simply Be Transferred
Cybersecurity risk is uniquely hard to transfer and requires organizations to minimize risk rather than rely on insurance.
Steve contrasts the federal mentality of zero acceptable risk with commercial firms that may try to "buy" risk transfer, urging stronger operations and compliance requirements with teeth.
INSIGHT
Board Cyber Literacy Is Increasing Rapidly
Board cybersecurity literacy is improving, driven by initiatives like the SEC rule and more director-level forums.
Steve cites Domino and the Digital Director Network as examples where non-technical boards are seeking education and expertise.
Imagine a world where your organization is constantly at the risk of a cyber-attack, yet no solution seems fully secure. In this episode of Innovation In Compliance, host Tom Fox and guest Steve Horvath explore the complex landscape of supply chain cyber risk management. They explore the high-profile breaches of Home Depot and Target, as well as the critical importance of frameworks like the NIST Cybersecurity Framework. Steve delves into the challenges faced by organizations, the need for effective risk management strategies, and the evolving landscape of cybersecurity in public and private sectors.
Steve Horvath is a seasoned cybersecurity expert who has spent nearly two decades at Telos, a prominent cybersecurity firm focused on protecting government and industry networks. Since joining Telos in 2006, Steve has been instrumental in developing cybersecurity strategies and services for various elements of the U.S. federal government, including the intelligence community and the Department of Defense. Today, he leads the way in driving compliance and risk management initiatives with a focus on innovative solutions like Xacta.
You’ll hear Tom and Steve discuss:
Telos' platform, Xacta, began as a web-based application focused on facilitating the rigorous compliance activities of federal standards, and has since evolved into a sophisticated platform for managing cybersecurity risks.
Cybersecurity risk is unique and highly challenging, and unlike other forms of risk, it doesn't lend itself to transference. Insurance policies won't save an organization from a devastating cyber attack.
Many organizations, particularly public ones, need to shift their mentality from accepting some level of risk to striving for robust cybersecurity operations that minimize risk as much as possible.
Education at the board level about the threats and implications of cybersecurity is a crucial yet often overlooked factor. The conversation around this is gaining traction, with initiatives such as the SEC's rule about having a board member with a cybersecurity background.
The Home Depot and Target hacks brought widespread attention to cybersecurity risks, highlighting the need for organizations to be proactive in managing threats and vulnerabilities.
The NIST Cybersecurity Framework provides a practical and easily understood framework for organizations to assess and improve their cybersecurity posture. It enables effective communication between security operators and the board, fostering a common language and understanding.
Supply chain cybersecurity is a critical concern, particularly for software and IT hardware sourcing. Having a software bill of materials and understanding the ingredients within the software helps organizations assess their exposure and potential vulnerabilities.
Network attack surface management refers to understanding an organization's attack surface and identifying potential points of ingress or of data exfiltration. Mitigating risks such as phishing attacks requires robust security education programs for users.
Creating an actionable cyber intelligence strategy involves having the right stakeholders and roles within the organization, selecting a suitable framework (such as NIST or ISO standards), and ensuring continuous validation and improvement of cybersecurity measures.
KEY QUOTE:
“You really have to do exceptional cybersecurity operations, and the best way to influence cybersecurity operations… is having some teeth behind a set of conditions and compliance requirements that guide you toward making the best decision…” - Steve Horvath