In 2014, 2018 and 2020, presented to a Board Audit Committee of a Fortune 50 energy company the output of cyber maturity assessments of the company’s global business and process control networks. The assessments were conducted under the NIST Cyber Security Framework (“CSF”), the NIST standard relating to industrial control systems, and the Baldrige Excellence Framework. Also helped the company set NIST CSF “Target States” of maturity.
In 2021, conducted, for the Board Audit Committee of a global SaaS provider, NIST CSF assessments of the corporate and production networks, an assessment of the company’s susceptibility to a SolarWinds-style supply chain attack, a cloud security framework assessment, an analysis of top cyber threats using the MITRE ATT&CK framework, and an analysis of the company’s security roadmap. Presented our findings to Executive Management, the Audit Committee, and the full Board in October 2021.
In 2022, participated as a Steering Group member of an auto parts manufacturer’s look-back on the technical, personnel, and governance gaps that made a disruptive and costly ransomware attack possible. Supported the CIO in broadening and prioritizing remediation. Acted as an advisor to the company’s Global Risk Committee, which has oversight responsibility for cyber risk. In 2023, oversaw a global security assessment using the NIST CSF, and global internal and external penetration/capture-the-flag exercises on all external-facing networks and all non-OT and Dev internal networks. Briefed the Global Risk Committee and executive leadership on the results.
In 2022, performed for the full Board of an oil & gas company a look-back on the adequacy of its response to a major ransomware attack, and performed a high-level security roadmap review.
In 2021, conducted for the Board of Directors of a global testing company an investigation into the root cause of – and extent of harm resulting from – a crippling ransomware attack on the company. Provided the Board with a short-term security roadmap to address major security gaps.
In 2020, briefed the Board of Directors of a national construction company on the root cause of – and the strengths and weaknesses of the company’s response to – a disruptive ransomware attack. Provided the Board with a short-term security roadmap to address major security gaps.
In 2019, conducted for the Board of Directors of a national chain of dental clinics an after-action investigation in the wake of a ransomware attack. The report was based, in part, on 17 interviews, including interviews with the Board and Board Audit Committee Chairs. In 2020, briefed the BAC on lessons learned, a holistic cyber threat assessment, and a crown jewels analysis.
In 2016 and 2017, presented to a public health care company’s full Board of Directors the output of an enterprise-wide maturity assessment under the NIST CSF, the output of work helping to set CSF Target States, and industry benchmarking data on cyber maturity. This assessment was based on 40 interviews and a review of 80 IT security, forensics, incident response, and pen testing documents.
In 2016, briefed the Board Audit Committee of a public media and entertainment company on a cyber security framework assessment, using a best practices model, and including priority recommendations relating to increasing the company’s ability to detect and respond to cyberattacks. In 2017, briefed the same Board Audit Committee on the implementation of those recommended solutions and the company’s response to two significant cyberattacks.
In 2016, conducted and briefed the Board Audit Committee of a financial services firm on a cyber threat assessment and roadmap for working through certain cyber security regulatory concerns. In 2019, worked with select members of the full Board, as well as with Executive Management, of the same firm to create incident response decision trees that were tied to the most likely cyber incidents as determined by the threat assessment. In 2020, briefed the full Board of Directors on an integrated series of cyber tabletop exercises conducted with the CISO organization and then the Crisis Management Team. Focused the Board on its potential role in overseeing the hypothetical crisis response.