You are currently viewing Coalfire: Empowering Organizations to Manage Risks Effectively

Coalfire: Empowering Organizations to Manage Risks Effectively

With increased usage of the World Wide Web, security breaches are becoming a more common occurrence nowadays. The past couple of years have witnessed detrimental security breaches to the common public, multinational organizations and small companies alike.
Enter the Colorado-based cyber-security advisory firm Coalfire, which helps private and public-sector organizations avert threats, close gaps and effectively manage risk. The organization helps its clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success by providing independent and tailored advice, assessments, technical testing and cyber engineering services.
It’s All about Quality 
Coalfire employs a process-driven quality management system that ensures effective and repeatable project, staffing and contract management activities based on Capability Maturity Model Integration, Project Management Body of Knowledge, and ISO standards as well as industry best practices.
Through an emphasis on efficiency and quality, Coalfire strives to improve its clients’ experience, refine project metrics and deliver unparalleled results. The company prefers to keep its focus on a consistent approach to delivery and continually improve all Coalfire services through evaluation, internal audit and internal corrective and preventive measures.
Identifying Risks 
Coalfire advocates for creating a risk register where each risk is described, its severity is determined, ownership for risk mitigation is defined and risk mitigation tactics are clearly articulated. This risk register should be updated at least monthly, including progress reports on all existing risks along with any new risks that must be considered. A risk committee should then review the register monthly to track status on the existing and newly identified risks.
According to Coalfire, the primary categories of risk organizations should consider include:

  • Strategic: Does a risk pose a threat to the success of key strategic initiatives?
  • Financial: The unplanned costs or reduction of revenue a risk could present if realized
  • Operational: Does a risk pose a threat to how work gets done?
  • People: Aging workforce, talent gap for needed skills, health and safety, risk culture not well established
  • Reputation: Will the organization suffer damage to its credibility with the public or other stakeholders; will it impact customer loyalty/retention?
  • Technology: Exposes key infrastructure/data to theft/loss, cyber threats, impact of use of new technology such as cloud, AI/machine learning, big data analytics
  • Legal: Risk triggers litigation, contractual risks
  • Regulatory/Compliance/Privacy: Failure to comply can result in large fines. Examples include HIPAA, PCI, GDPR and the new California Consumer Privacy Act
  • Regulatory overreach: Too much (overlapping/competing) regulation leads to confusion, overspending and lack of ability to keep up and comply.

A Leader with the Mission of Reducing Enterprise Security Risk 
Tom McAndrew, the CEO of Coalfire, has over 15 years of leadership experience in information security strategies, assessment and audit for both commercial and federal sectors. He joined the organization in 2006, and since then has held key leadership roles spanning Sales, Service Delivery and Technical Testing.
Before joining Coalfire, Tom designed information security and weapons systems for Space and Naval Warfare Command, Naval Sea Systems Command and the U.S. Navy. He brings all this expertise to his leadership position, overseeing, in a hands-on manner, how the company helps enterprises identify and manage risks.
Coalfire’s mission is exclusively focused on enterprise risk reduction and management; Tom and the entire leadership team are focused on directing the organization toward helping customers achieve these aims efficiently and effectively. He is a highly visible thought leader, presenting frequently in private and public-sector speaking forums and contributing articles and commentary in the media, including the Wall Street Journal, Washington Post, Info-security Magazine and many others.
Monitoring Cyber Risks 
During its initial days, Coalfire’s business was formed to help organizations comply with emerging data security regulations, such as those imposed in the healthcare and financial services sectors. Although compliance to the ever-expanding list of data privacy regulations remains vital to Coalfire and its esteemed clients, the industry now recognizes that “compliance does not equal security,” and Coalfire’s services have thus evolved to meet this recognition. As a result, the organization has expanded from a compliance firm to one that offers a full suite of cyber-security services designed to help its clients identify, mitigate, and respond to cyber risks.
Coalfire believes that rapidly changing technologies, such as the cloud, combined with the ever-evolving cyber threat landscape requires organizations to view cyber risks as a critical business issue and not just a concern related to IT. As technologies and threats continue to change, Coalfire sees a continuous need to monitor cyber risks, leveraging tools and key business partners where practical, in lieu of just adding cyber-security professionals, who are increasingly in short supply.
Developing a Culture of Security
Coalfire believes adequately identifying and prioritizing risks should begin with the development of a governance structure, which should be a risk committee and needs to be chaired by CISO or equivalent.
According to the company, it is important to develop a culture of security where employees are all encouraged to report issues they see that pose potential risk to the organization without any fear of reprisal, but rather with the blessing and encouragement of senior leadership. The support of the board and/or executive management is critical; they need to clearly articulate the importance of security and reporting risks throughout the organization.