The Pain of Discipline vs The Pain of Regret

Category: Uncategorized

“We must all suffer from one of two pains: the pain of discipline or the pain of regret. The difference is discipline weighs ounces while regret weighs tons.”

– Jim Rohn

Photo caption: Dexter High School's Dan Flowers is overcome with emotion after his wrestling season came to an end at the hands of Allen Park High School's James Cusin, who beat Flowers 10-6 in their 125-pound consolation bracket match of Friday afternoon's MHSAA Individual State Wrestling Championships at The Palace of Auburn Hills. Photo by Lon Horwedel.

For all three of my boys, wrestling has been around as long as they have. As long as wrestling has been around them, coaching has been around me. I volunteer and assist running the youth team in our town, and although all my boys have passed through the team, I think the lessons wrestling taught them were very important.

One such lesson is the “Pain of Discipline vs. the Pain of Regret”. The idea behind this is that if you work hard and show self-discipline in the wrestling room, you will not have to feel the pain of losing a match later on. It forces you to ask yourself, “is the hard work now worth the victory later?”

This summer both of my high schoolers have been going to practice every day and understand that they have to work hard now to win later. They must cover all their bases to ensure everything goes smoothly down the line.

I’ve realized that information security works under the same principle. We don’t want to spend the extra time to think up a stronger password, back up files, convene an information security committee meeting, write policy or invest in a firewall. All of those are pain-of-discipline actions. They hurt a little now but help us avoid hurting a lot later.

And hurting later includes the greater of the two pains, the pain of regret. Like when we lose the key proposal or a customer contract to a bad sector on a laptop or server. Or when a client asks us to prove we have a security committee and follow whatever alphabet-soup regulation they are accountable to. Or when our weak password is easily guessed and our business is penetrated. Or when we have to terminate an employee for inappropriate behavior but can’t produce the policy he violated. Or when ….

So take the time to hustle in practice and work to win the match.

Take the time to invest in your future and endure the pain of discipline by considering information security’s role in your business and avoid the pain of regret that comes with the impact of a future predictable risk.

Understanding Common Threats

Category: Uncategorized

Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur

A common misconception about information security in businesses involves where their vulnerabilities lie – and they may be closer to home than you’d think. I think it’s important to outline some common data security threats, not only from the perspective of an information security professional, but from the standpoint of a business owner.

If you can better understand where you are most likely to lose data, you can take steps to prevent data loss and a breach of your systems. Whether you are a small business or a large firm, I believe that these threats affect anyone who needs to keep their data secure – and that’s everyone!

Threat models are commonly used in information security analysis to illustrate the potential for risks to impact an organization. A threat model describes the characteristics of a given threat and the harm it could do to a vulnerable system.

When we do a project to identify threat scenarios we go into detail. At a simple level we identify the pieces of each threat scenario: the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE). Laying out these pieces can help businesses understand and plan for specific threat scenarios.

We do not address the probability of these events occurring, which in most cases is impossible to predict accurately. There’s no way to state the likelihood of a threat as a definite “yes” or “no”, but we can provide information on common threats and issues.

Over your morning coffee, run through these common scenarios and ask yourself how they would impact you:

A trusted employee decides to:

  • Download unauthorized software from the Internet that contains a Trojan horse or other malicious software.
  • Disable antivirus scanning prior to downloading an emailed MS Office document.
  • Transfer information from a third-party computer to their work computer, bringing a virus or other malicious software into the company.
  • Copy data from the network to any number of portable memory devices, from which it is stolen undetected.

A disgruntled employee decides to retaliate against your company:

  • With knowledge of the backup tape courier routine, the tape drop-off is intercepted and the information contained on the tapes is used to attack your company’s reputation or for material gain.
  • With any number of portable memory devices, data is copied from the network and stolen undetected.

A former employee decides to retaliate against your company:

  • With a haphazard termination process, the former employee uses his/her still-active network access and credentials to damage or steal information from an outside location.
  • With a haphazard termination process, the former employee gains physical access to a company facility and uses his/her still-active network credentials to damage or steal information.

An authorized visitor, an unauthorized visitor or an intruder enters one of your company’s facilities and:

  • Walks the floors of the facility unchallenged and exploits targets of opportunity such as unlocked, unattended systems, or backup tapes left unsecured while waiting for courier pickup.

A third-party caretaker of your company’s information has a security incident. While that incident may not impact your company’s network, your company has no controls to prevent it from impacting your company at a business level.

All of these are common threats which many business owners don’t realize exist. Understanding the possible actors (WHO) and their motivation (WHY), along with the action (HOW) and the vulnerability exposed (WEAKNESS), can help you predict the possible damage and prepare for future threats. There’s never going to be 100% certain digital safety in today’s increasingly digital world, but an understanding of the common threats posed to your firm can save your information before it’s gone.

Improve Qualys Guard Investment With Free Training

Category: Learning Events


Jacadis recommends factoring training costs into your security control selection process. Conducting assessments, we routinely find security technology implementations being run by professional staff without the knowledge necessary to use them effectively. Training typically was not considered in these cases because of the cost. Training, of course, can cost several thousand dollars just for a course, and if travel is required it can easily double that price tag. But training is critical to getting the full value of your investment in security tools, and it is often the difference between a safeguard working and failing.



7 Things to Consider in 2016 Security Testing Plans

Category: Security News

As you consider security testing plans for 2016, we want to provide guidance based on what we are seeing from security testing clients so far this year. Risk assessments and security testing are an important part of any information security program, but in an environment where budgets are constrained we need to spend security testing dollars wisely. Here are seven things to consider when making your 2016 security testing plans.


Information Security Policy Guides Risk Management

Category: Uncategorized

The term “policy” is overused jargon with overlapping and confusing meanings. Information security policy can be several different things. Company or organizational policies that define a value or a position taken on an issue by an organization, system policies that define the configuration of a particular computer resource, and firewall policies that define rules for what can pass through the boundary are different things with different purposes.

Here are some thoughts related to good information security policy practices.


Remove Vulnerabilities to Improve Company Security

Category: Security News

Removing vulnerabilities is crucial to managing your information security risks.

We can help lower an organization’s ongoing security risk by reducing the vulnerabilities, or weaknesses, in its computer software and operating systems. This reduces the weaknesses available for exploitation by a cybercriminal, malware or other threat.

Leave the keys in the car with the door unlocked and sooner or later the car is going to be stolen.

Leave the infrastructure and applications that run the business unpatched and sooner or later something bad is going to happen.

Vulnerability management (or VM for those of you who insist on communicating with acronyms) is a repeatable process or practice of identifying vulnerabilities (especially in software and firmware) within the enterprise, classifying them by their severity, and either remediating or accepting the risk they pose to the environment. A vulnerability management process steps through identifying, classifying, remediating and mitigating vulnerabilities, or weaknesses, in software applications and operating systems.

Vulnerability management is a critical leading security practice for an organization of any size. It is an expectation to meet compliance with the Payment Card Industry’s Data Security Standard and other regulatory authorities.

Many of the steps or processes involved in VM use technology to automate some of the work.

Jacadis uses QualysGuard in the field as well as with customers building their own vulnerability management program. With Qualys we can map a network to identify the systems that are on it. We can then scan each system and identify vulnerabilities on that system. Qualys ranks vulnerabilities by severity. We can then prioritize fixing them by severity. Qualys provides support for the workflow of getting found vulnerabilities fixed and confirming that the fix has been successful.

Some clients are overwhelmed with vulnerability data and find they need to consider threats as part of their vulnerability prioritization. In those environments Jacadis uses Kenna’s product to integrate vulnerability scan results with the results from 8 different threat feeds. This accelerates the prioritization of what needs to be fixed first in order to improve the company’s security posture.

Tools are important, but it isn’t as simple as just scanning and fixing.

Once scanned there are other steps that need IT staff involvement. Patches need to be deployed, applications updated and systems hardened. Sometimes exceptions need to be managed. Other times countermeasures need to be implemented because not all vulnerabilities can simply be fixed with a patch.

And the process isn’t a one-time thing. It needs to be implemented as a routine, recurring and mature process.

We believe there are five core components to a mature vulnerability management program:

  1. Vulnerability Management Policy, which defines the organization’s vulnerability management posture, the level of security the firm wants to maintain, key processes within the firm’s vulnerability practices, reporting and compliance. The policy guides IT staff in performing the function and guides management in providing oversight.
  2. Patch Management Policy, which defines the organization’s stance on patching including the frequency of patching, testing, deployment, auditing, recovering from flawed patches, reporting and compliance.
  3. Automated vulnerability scanning tools are necessary in today’s environment as both a security leading practice and oftentimes as a compliance requirement.
  4. Reporting and metrics requirements should be defined in both the Vulnerability Management and the Patch Management Policy. Many of our clients regularly report vulnerability and patch management efforts to their information security steering committee for oversight.
  5. Audit and compliance requirements should be defined in both the Vulnerability Management Policy and the Patch Management Policy. Staff and tools need to be deployed to verify that the practices defined in the policies are being followed.




Risk Management: An Information Security Trend that Matters

Category: Security News

Learning how to use Risk Assessments and ongoing Risk Management tools is going to be crucial to companies building information risk management programs in 2016.

As one year ends and another begins it is a sure bet that tech company marketing teams will begin to crank out the trend reports.  The transition this New Year is no different.

The cynic recognizes the pattern.  This company identifies these threats that only their product protects against.  That company identifies another set of threats that only they, of course, protect against.  And so it goes.

Not all of these surveys are bad.  Some are quite helpful in keeping informed about the security landscape.  But they are all put out with the intent of creating demand for products.

We have been doing this long enough that we realize it isn’t about the products.

The trend we see going into 2016 is that companies need to get better at understanding their individual risk profile and building the discipline to manage risk within that profile.  Security safeguards – including products purchased – should be selected based on the risks that they mitigate.

What is risk?

The same joke gets told in security industry conferences all the time. If you put five risk professionals in a room and ask for a definition of risk, you’ll get at least six models.

The “industry” doesn’t agree all the time on the details of the risk model.  But your job isn’t to argue about the fine details of a model. Your job is to manage risk so your organization can run and grow.

Simply – and there is agreement here – risk is the product of the likelihood of something bad happening times the impact that occurs if it does happen (Risk = Likelihood x Impact).

We appreciate and usually use a simple model with a little more detail.

Jacadis uses the definition of risk outlined in NIST 800-30 which is represented mathematically as Risk = Asset x Threat x Vulnerability x Likelihood x Impact where the variables are defined as follows:

Assets in this context are your information and data valuables: the computers, other form factors, servers, network devices and networks that hold them; the applications and databases that contain them; the physical locations where they are housed; the processes employed to use them for productive work; and, of course, the people that use them.

Threats are the bad guys, the bad actors, the malicious code or the act of God that can impact the confidentiality, integrity and/or availability of information and data contained in your assets.

Vulnerabilities are the chinks in your armor: missing patches, poor practices, weak passwords or other weaknesses that allow a threat to launch an attack on an asset.

Without the jargon your valuables (assets) are attacked by bad actors (threats) through the exploitation of weaknesses (vulnerabilities).

What do we defend first? Where do we start when we have more assets, threats and vulnerabilities than we can manage? We need a means of prioritizing the risk.

In the model we’ve chosen, we represent Likelihood and Impact on a qualitative scale, with 1 being low likelihood or low impact and 5 representing high likelihood or high impact. There are models that use detailed quantitative measures, but our experience is that the qualitative approach, with some limitations, gets us to a point where we can prioritize the cataloged risks and get an organization started on the way to improving its information risk management program and its security posture.

Risk Assessment vs. Risk Management

Jacadis conducts a large number of risk assessments annually. An annual risk assessment (sometimes coupled with security controls assessments and penetration tests) is considered a leading security practice.

A risk assessment focuses on identifying, measuring and prioritizing risks. Sometimes a risk assessment covers an entire organization, sometimes a single system. Within the scope of the assessment, we report back to the client on the risks identified. We score them, using qualitative ratings for likelihood and impact, to help the client prioritize them. Finally, we include a risk treatment plan of recommendations for what needs to be done to reduce the risks found. Broadly, our recommendations will be to:

  • Accept the risk
  • Avoid the risk
  • Mitigate or control the risk
  • Transfer the risk

While the risk assessment is a one-time event or snapshot of the risks found in an analysis of the in scope systems, risk management is an ongoing process.

We like to see clients create a risk register to maintain a catalog of risks that is used as the center point of the risk management process.

Many clients take our initial baseline assessment with the findings and risk treatment plan in spreadsheet format and use that to create the foundation of their risk register.

Others choose to do this in a GRC tool like what our partner TraceCSO provides.

Regardless of your chosen tools, the risk register is important to the risk management process. It is a tool that will help management understand the risks the organization faces and their likely impacts, serve as a basis to communicate about the organization’s risk tolerance and its willingness to accept risk, and finally report the status of found risks over time. It is also a great capture point for technical and non-technical managers to park those things that “keep them up at night” so they are available for discussion during security committee meetings.

Like a risk assessment, our clients use the risk register to support risk management across these phases:

  1. Identify the risk in terms of asset, potential threats and identified vulnerabilities.
  2. Evaluate the severity of the risk by calculating a score from qualitative choices for likelihood and impact.
  3. Identify possible solutions and communicate the potential reduced risk from each choice.
  4. Monitor and analyze the implementation of solutions.
  5. Memorialize your company’s information risk management effort in the case of a breach or audit event.
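The scoring model described above (Risk = Likelihood x Impact, each rated 1 to 5) and the register phases just listed, carried through in a small working risk register. This is an added example and not code from Jacadis, TraceCSO or NIST 800-30; the register entries are constructed to mirror scenarios from the posts on this page, and the treatment names are the four recommendation categories the post gives (accept, avoid, mitigate, transfer). It goes slightly beyond the text by recording a residual score after treatment and a dated history line, which is what the "memorialize" phase needs.

```python
"""Minimal qualitative risk register: Risk = Likelihood x Impact, 1..5 scale.
Added example; sample entries below are constructed, not real client data."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional

SCALE = range(1, 6)  # qualitative ratings: 1 = low, 5 = high


class Treatment(Enum):
    """The four broad treatment choices from the post."""
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


def _check_rating(value: int, name: str) -> None:
    if value not in SCALE:
        raise ValueError(f"{name} must be 1-5, got {value!r}")


@dataclass
class Risk:
    """One register row: asset, threat, vulnerability plus the two ratings (phase 1)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    history: List[str] = field(default_factory=list)  # dated notes (phase 5)

    def __post_init__(self) -> None:
        _check_rating(self.likelihood, "likelihood")
        _check_rating(self.impact, "impact")

    @property
    def score(self) -> int:
        """Inherent risk score (phase 2)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after the chosen treatment; equals the inherent score until treated."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.score
        return self.residual_likelihood * self.residual_impact

    def treat(self, treatment: Treatment, residual_likelihood: int,
              residual_impact: int, note: str, when: date) -> None:
        """Record the selected treatment and the re-rated likelihood/impact (phase 3/4)."""
        _check_rating(residual_likelihood, "residual_likelihood")
        _check_rating(residual_impact, "residual_impact")
        self.treatment = treatment
        self.residual_likelihood = residual_likelihood
        self.residual_impact = residual_impact
        self.history.append(
            f"{when.isoformat()}: {treatment.value}; score {self.score} -> "
            f"{self.residual_score}; {note}")


def projected_reduction(risk: Risk, new_likelihood: int, new_impact: int) -> int:
    """Risk reduction a candidate solution would buy, before committing to it (phase 3)."""
    _check_rating(new_likelihood, "new_likelihood")
    _check_rating(new_impact, "new_impact")
    return risk.score - new_likelihood * new_impact


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so high-consequence items surface first."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def build_sample_register() -> List[Risk]:
    """Constructed entries modelled on the scenarios in the posts above."""
    return [
        Risk("Backup tapes awaiting courier pickup", "Disgruntled employee",
             "Tapes left unsecured; courier routine widely known", 3, 5),
        Risk("Laptop holding the key customer proposal", "Disk failure",
             "No backup of local files", 4, 4),
        Risk("Network file shares", "Former employee",
             "Credentials still active after termination", 2, 5),
        Risk("Internet-facing server", "Malware",
             "Missing OS and application patches", 5, 3),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritize(register):
        print(f"{r.score:>2}  {r.asset} / {r.threat} / {r.vulnerability}")
```

Run stand-alone it prints the register in priority order; the `history` list on each entry is the audit trail a committee or auditor would ask for, and `projected_reduction` is the number to quote when comparing treatment options.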

In that regard, Jacadis is a continuous risk management company. We help our clients identify risks, evaluate their severity, identify and select countermeasures, and monitor and analyze the effectiveness of the steps taken. We help them do it through risk assessments and by teaching them how to use a risk register, either in spreadsheet form or as part of a GRC toolset like what TraceCSO provides, as the core of their information security program.

Continuous Risk Management means continuous improvement of security and compliance.

Overwatch: Staying on Top of Your Vulnerabilities

Category: Security News

If you’re an information security professional, you know that managing the vulnerabilities in your environment isn’t a sprint. It’s a marathon.

New vulnerabilities are discovered each day, and it isn’t enough for us to turn on Windows Updates and hope for the best. Attackers aren’t just looking at OS vulnerabilities. They’re also looking at the software you have on your desktop, that nifty app on your mobile phone, and the scripts you have running on your website.


Risk I/O Partners with Jacadis Strategic IT Security Solutions

Category: Press Releases

New Partnership enables organizations to prioritize their remediation by identifying the most critical vulnerabilities in their environment

Columbus, OH November 26, 2013 – Risk I/O, a software-as-a-service platform that correlates external Internet breach and exploit data with vulnerability data to monitor, measure, and prioritize vulnerability remediation, has partnered with Strategic IT Security Solution company Jacadis to promote its vulnerability correlation, analysis, and prioritization application.

Jacadis will be introducing to their clients the range of risk and vulnerability intelligence solutions in Risk I/O’s portfolio, including real-time analysis of global attack and breach data, alongside security vulnerabilities, to help businesses identify where they are most likely to be attacked. The platform prioritizes vulnerabilities and provides customizable Risk Meters, allowing organizations to easily measure risk across their IT environments.

“We are very excited to be partnering with a trusted reseller such as Jacadis,” Ed Bellis, President and Cofounder of Risk I/O commented, “Jacadis will be able to now offer a way for their client network to identify where attacks are most likely to occur through a prioritized list of vulnerabilities to fix.”

Risk I/O strives to ensure that the automated vulnerability scanning solutions from web application, host, network, and database vulnerability assessment tools that it connects to align as closely as possible with solutions its audience has in place. Through a centralized, easy-to-use application, Risk I/O makes it easy for organizations to monitor and measure all parts of their environment and their exposure to active attacks.

Doug Davidson, CEO of Jacadis added, “Most breaches are preventable. Attacks come through known holes in a target’s defenses. But vulnerability management, the actions we take to remove and reduce those holes, is hard. From a business perspective we don’t know how to focus our time and treasure. From a technical perspective the task seems daunting with many asking “where do I start?!”. Risk I/O gives us actionable information to help us focus time, treasure and technical effort on those vulnerabilities most likely to be attacked. We are excited to welcome Risk I/O into the family of tools we use to help customers reduce their attack surface and improve their security effectively and efficiently.”

About Risk I/O

Risk I/O is the first software-as-a-service to use external Internet breach and exploit data to monitor, measure, and prioritize vulnerabilities across an enterprise’s environment. Risk I/O does this by connecting to an organization’s vulnerability scanners, processing each vulnerability against known Internet breaches and exploits to see if there is a match. Risk I/O then shows the prioritized list of remediation activities to reduce their security risk. Organizations can use the service to manage and measure all parts of their environment with each part having its own Risk Meter to indicate exposure to active attacks. Risk I/O processes over one billion vulnerabilities against breach data a month for its users. Backed by US Venture Partners, Tugboat Ventures, Costanoa Venture Capital and Hyde Park Angels, Risk I/O is headquartered in Chicago, IL. For more information, visit

About Jacadis

Jacadis, an award-winning provider of strategic information security and privacy solutions, virtual security staffing, and professional services, grew from the concept that being secure creates a competitive advantage. Jacadis helps companies manage the risks of running and growing a business in a threat-filled digital world through the development of long term profitable relationships. 
Jacadis helps clients operationalize their security, privacy and compliance through four services areas:

  • Assess and Measure
  • Build and Deploy
  • Manage and Defend
  • Respond and Recover

These four service areas are delivered either as strategic professional solutions packages, or through end-to-end virtual security staffing.


Jacadis and TraceSecurity Partner to Simplify IT GRC Management

Category: Press Releases

New partnership enables organizations to create comprehensive IT GRC programs leveraging TraceCSO, a single cloud-based software solution

Columbus, OH – November 12, 2013 – Jacadis, a strategic information security solution company, today announced a partnership with TraceSecurity, the pioneer in cloud-based IT governance, risk and compliance (GRC) solutions, to promote its flagship software solution, TraceCSO. Under terms of the agreement, Jacadis customers can now implement and manage on-going, risk-based information security programs that allow them to automate their audit and compliance management and reporting.

Jacadis will introduce its clients to a range of GRC management solutions from TraceSecurity, including TraceCSO.  TraceCSO allows organizations of any size, industry or security skill level to evaluate, create, implement and manage a holistic, risk-based IT security strategy. The innovative solution provides comprehensive visibility and accountability, improving risk profiles across all areas of an organization and protecting sensitive data from today’s top security risks.

“TraceCSO continues to deliver exceptional results for organizations looking to quickly and cost-effectively manage growing risk and compliance requirements,” said Peter Stewart, president and CEO of TraceSecurity. “We are excited to have Jacadis as one of our Partners, as we share mutual goals of both solving client security challenges and providing outstanding customer service. Their experience in information security and professional services is an excellent fit for selling and supporting TraceCSO.”

With TraceCSO, organizations have an affordable, scalable solution that can be easily deployed to centralize and tightly integrate key functional areas – including risk management, auditing, governance and compliance reporting, as well as specific areas of policy, process, training, vendor, BIA/BCP, vulnerability and incident management – all required to build and manage an on-going risk-based information security program with no third-party software required.

Doug Davidson, CEO of Jacadis added, “We look forward to helping our clients simplify their efforts to operate securely in a compliant fashion so that they can go back to their effort of running and growing their businesses.”

About TraceSecurity

TraceSecurity, a leading pioneer in cloud-based security solutions, provides IT governance, risk and compliance (GRC) management solutions. The company’s cloud-based services help organizations achieve, maintain and demonstrate security compliance while significantly improving their security posture. With more than 1500 customers, TraceSecurity supports the security and risk management efforts of organizations in financial services, healthcare, insurance, government and other regulated sectors. Founded in 2004, the company has executive offices in Silicon Valley and offices in Baton Rouge, La. For more information, call (225) 612-2121 or visit
