Rural government and health organizations are among the entities most vulnerable to data breaches and cyberattacks, especially when compared with businesses and institutions in big cities.
They hold heaps of user data, yet they usually lack strong, professionally implemented security measures: a shortage of funds and staff prevents them from securing that data. A professional review, along with training from experts in the cybersecurity field, is therefore more crucial than ever.
Michael K. Hamilton, Founder and Chief Information Security Officer at Critical Insight, a company that provides cybersecurity management and implementation services, told CyberNews about the importance of relying on cybersecurity experts to ensure information security at both the personal and the company level. He also explained how Critical Insight is raising a new generation of professionals in the cybersecurity field.
Let’s go back to the start of Critical Insight. What was the journey like throughout the years?
First, I left public service as the CISO of the City of Seattle and started a consulting firm to develop a managed service to integrate with consulting and provide a single source for outsourcing security. I had a strong mission to focus on organizations that provide critical services.
Initially, I funded company operations by cashing out investments early – at a 35% tax rate.
Later on, I took a $200K wallop from a Tribal organization that stopped paying us. I cashed out more of my 401K to pay people and keep going.
I was also in a Cessna plane crash with the original four founders on the way to an annual planning offsite. We just got back on the plane and kept going.
In 2016, I met the lead investor and completed an A round of financing. Then, the company brought on a stellar management team and added healthcare as a key vertical. After that, we built out two security operations centers on opposite sides of the Cascade Mountains.
In terms of performance, our four-year CAGR on all revenue is 65%, and the four-year CAGR on subscription revenue is 105%. We also completed additional funding rounds and have grown the company to more than 80 employees.
You describe your solutions as people-focused. Can you tell us more about this approach?
Technology is not a differentiator, since technology differences between vendors may account for a 5% delta in detection capability. The oversight by and interaction with Analysts, SOC Supervisors, Customer Success Managers, and Security Strategists – all of which are allocated to each Critical Insight customer – is the differentiator in terms of the customer experience. Additionally, we know that our combination of managed and professional consulting services allows organizations to ‘pitch the problem over the fence’ rather than wrestle with attracting and retaining their own security staff. For these reasons, we focus very intently on our employees.
Because we are a focal point for the professional practitioners that are essentially unattainable by our markets, we own the “people problem”. In 2015, I created a 501(c)(3) non-profit, PISCES (Public Infrastructure Security Cyber Education System), that provides no-cost network monitoring for small cities and counties. In return, we get to use the data collected as a “live-fire” curriculum for Analysts-in-training at, currently, five universities. This provides infrastructure protection for down-market critical organizations and workforce development for the company. That also means we get better-trained graduates.
We work hard both on our company culture and on ensuring there are professional pathways for our employees to upskill and cross-skill. We have had analysts convert to offensive security consulting; one person has held five different roles in the company, and the VP of SOC operations started as an Analyst. Because of this, we have a less than 95% retention rate for our technical staff and have been designated one of the best places to work in Washington State.
Besides providing security solutions, you also provide risk assessments. What set of tools do you use to determine one’s state of cybersecurity?
Because we provide professional services that complement our monitoring and response, Critical Insight conducts a variety of assessments depending on the needs and the regulatory requirements of the customer. This can be against the HIPAA security rule, the NIST cybersecurity framework, the ISO standard, and so on. Using these standard frameworks, we identify control gaps, then estimate the likelihood and impact of undesired outcomes to quantify risk. We then develop a corrective action control plan and resource the plan for budgeting purposes. This results in a two-year roadmap and budget to address corrective actions, along with an annual risk assessment to provide to auditors.
It seems like the pandemic tested cybersecurity worldwide. What are the main takeaways?
The mobility of cybersecurity practitioners has been exacerbated by the “great resignation”. This has employers thinking about greater strategic problems: how to create a “bigger bench” of practitioners and how to improve their retention.
The rise of telehealth, remote work and digital transformation obviously has increased the attack surface of the health sector.
Which of the two is more likely to experience cyberattacks – big enterprises or small businesses? What are the main differences between the threats these groups face?
Large enterprises will continue to experience attacks, however, in general, threats have moved down market. Enterprises can afford to staff security for monitoring, GRC, and so on, whereas local governments, rural health, and the mid-market cannot. Threat actors know about the problems in smaller organizations. There are a lot of open windows in small and medium businesses, and cyber burglars know this.
Setting up a cybersecurity strategy can often be a lengthy and complicated process. Which features are often overlooked or forgotten about?
When designing a security program, the part that’s overlooked is the management. A security program doesn’t run itself. Someone needs to be responsible and accountable for outcomes and key performance metrics. Someone needs to design that body of work and align it with the compliance tasks that must be performed weekly, monthly, quarterly, and annually, and to establish accounting for the resourcing that will support those management tasks. You have to get everything on the calendar and tally up the amount of effort. Especially when someone in IT will have this work added to their existing tasks, account for the additional work, or both security and IT will be done poorly.
What security threats do you think companies should be prepared for in 2022?
Nation-state activity that may be hiding behind the false flag of criminals, using destructive malware. This is consistent with recent joint bulletins from the FBI and CISA, and something that we’ve been watching develop for some time. The geopolitical and diplomatic difficulties being worked on now have the potential to escalate, and we should be ready.
Talking about individual users, what security measures do you think should be adopted by the general public?
For personal use, use multi-factor authentication where possible, and use a good password manager or vault. Address security of your home network – if your Wi-Fi password is the name of your dog, you’re doing it wrong. Finally, get up to speed with the update cadence of all your devices. Do not resist the reboot.
Share with us, what’s next for Critical Insight?
Critical Insight continues to grow quickly and to differentiate itself with our people strategy, our alignment with DHS and the network of Fusion Centers, and our mission focus of leaning into what’s important at the scale we live our lives. We intend to continue to promote the value proposition that a combination of managed and consulting services provides security resources that are otherwise unattainable to the mid-market.