Latest News
Guidepost Solutions are a key partner of FusionExperience. They incorporate Ignoto into the core of their investigations service. They have recently made some very interesting comments concerning the coming of the Cyber Monitor. Here's what they had to say:
Guidepost commented recently that in the foreseeable future regulators will begin to impose cyber monitors upon regulated entities that have failed to adequately protect confidential information. They assert it is the next likely step after the design and mandate by regulators of cybersecurity standards, as is now beginning in the financial services industry. To prepare for this new development, the question is what we can expect of a cyber monitor.
They first draw upon what monitors of many varieties do now. To put it simply, a monitor compares what is taking place to what should take place and moves the monitored entity to reduce any discrepancy to zero. For example, suppose a financial institution has violated anti-money laundering regulations and has been the subject of a state or federal regulatory action. Using the relevant regulations as a template, the monitor examines the entity's policies and procedures as they appear in internal documentation and as they are actually put into practice in day-to-day operations at every level of the organization. The objective is to bring both the theory (the written policies and procedures) and the practice (what officers and employees really do) into conformity with the regulations.
To some this may sound like a description of what many consultants do. A monitor, however, is not a consultant. A monitor does not work for the monitored entity. The monitor works for and reports to the regulator, but is paid by the monitored entity. The monitored entity cannot terminate the monitorship or ignore the monitor's findings and recommendations because of the continuing involvement of the regulatory agency.
A cyber monitor will likely operate in a similar fashion. The cyber monitor will, of course, be knowledgeable about all aspects of cybersecurity and have the ability to conduct its own security assessments and penetration tests. But as the agent of the regulator, the cyber monitor will focus on the effectiveness and compliance of security procedures, leaving the details of the procedures, including equipment and personnel to be deployed, up to the monitored entity. Also, a monitor will always pay close attention to the culture of the monitored entity. Guidepost ask: Does it take its obligations to the regulator seriously? Is there a commitment from the Board of Directors down through the organization not to repeat the behavior that led to the monitorship? This is a key distinction from a security vendor. The monitor is tasked not with making recommendations or installing systems. The monitor is focused on changing how the entity thinks, plans and operates so that it is in compliance with regulations and affirmatively intends to remain so.
Thus, Guidepost concludes that the cyber monitor's prior experience as a monitor in multiple industries across a spectrum of issues is absolutely essential to the success of a cyber compliance monitorship.
Cybersecurity is among the fastest changing frontiers on the planet. New weaknesses are discovered and exploited at a dizzying pace. Regulators can only impose requirements that speak to broad issues and reasonable practices. The entities they govern will have to define the specific techniques they believe will comply with those regulations. Should matters go awry, and experience tells us they will, a cyber monitor will actually be able to help the organization re-align operations and achieve compliance.