Meet Our Cyber Experts: Roman Etebar

1. What Cyber Intelligence / Cyber Security items keep you up at night?

I worry about the absence of an iterative and comprehensive continuous monitoring strategy and execution that incorporates sufficient levels of automation and accounts for people/process/technology across the organization.

2. What are the three top changes that are vital for (organization, government, citizen) to make in the next two years to shrink their risk of attack?

COVID-19 has forced a paradigm shift in the way business is conducted. As employee telework is increasingly becoming a permanent solution for a growing number of organizations, the risk landscape and threat footprint increase exponentially when employees remotely connect their own devices (i.e. desktops/laptops/tablets) to corporate/government networks. It is cost prohibitive and impractical for any organization to provide an endpoint computing device to every employee.

A set of well-defined and enforceable policies, backed by technology, that govern BYOD (Bring Your Own Device), Access & Identity Management and Remote Access is critical to the security posture of any organization.

This is true for organizations in the public or private sector.

Practical cyber security awareness is vital for the average citizen, considering the ever-increasing utilization of social media and the trust we put in the information available on social media.

3. What specific skillset do you hire for (or recommend others hire for) to stay ahead of Cyber threats?

The ability to cope under stress and also the ability to decompose problems/issues into the smallest units possible in pursuit of root cause.

The cyber security landscape changes by the hour, if not by the minute. I seek candidates who are motivated and driven to keep their technical skills relevant and updated, and also candidates who show interest in learning how to align security with the organization's mission and objectives.

4. Like any insurance, investment in security can be viewed as money wasted because it only pays for itself if a breach is attempted. How do you explain to your management why it is worth the investment?

There are many examples of major data breaches that have declared companies bankrupt.

Reputation damage for an organization can’t be quantified in monetary terms, and for a lot of companies it is something that cannot be repaired.

5. How do you create a culture where security is a priority, not an afterthought?

A culture within an organization mirrors its leadership’s beliefs and behaviors. Security-aware cultures exist within organizations whose leaders provide support for, and advocate, cyber security being embedded organization-wide and encompassing people/process/technology.

6. What metrics should be used to determine an organization’s risk profile that all leaders should be tracking today?

  • Vendor risk management (supply chain).
  • Practical and measurable cyber security awareness program/training.
  • Key Risk Indicators and Key Performance Indicators organization-wide.

7. How important is incident response planning and how often should an organization’s plan be updated?

Incident Response is critical to the daily operation of any organization. In the public sector, incident response planning is a Federal mandate. Incident Response planning must be iterative, and it must adjust and adapt to the ever-changing cyber threat landscape.

Normally, incident response planning is reviewed and updated in the lessons-learned phase after a major incident is responded to; however, tabletop exercises and cyber attack simulation exercises should be conducted semi-annually, or at least annually, to ensure an organization’s incident response can handle as many threat models as practical.

Roman Etebar is the managing partner of Adroit Edge, a cyber security consulting company. Prior to establishing his own practice, Roman held senior positions in Peloton Systems (Director of Cloud Computing, Cyber security and Risk Management), Tsymmetry (where he was in charge of Cyber Security Strategy), Cognizant (Information Risk Management for Americas and Europe), BRTRC Federal Solutions (as a senior Cyber Security Engineer and Governance, Risk and Compliance technical solution developer), and DRS Technologies (where he was a senior Information Assurance Engineer). Roman received his Bachelor of Science degree in Information Technology and is certified by the International Information System Security Certification Consortium as a Certified Information Systems Security Professional.