Cybersecurity Best Practices for Management Consultants

By: Craig Mackay, FCMC and Marcus Troiano

On November 9th, What’s up Wednesday host Craig Mackay discussed cybersecurity best practice with guest speaker Marcus Troiano, a cybersecurity advisor at Mandiant (now part of Google Cloud).

The session explored effective methods of protecting against cyber threats and steps to take to protect your most valuable assets.

Here's a recap of the key takeaways and some questions from the Q&A to help management consulting leaders take their cybersecurity efforts to the next level:

1. Are on-premises systems more secure than cloud by way of less ‘attack surface’?
While it may seem that moving to the cloud increases an organization's attack surface, most organizations manage their on-premises IT estate poorly, resulting in external perimeter vulnerabilities and misconfigurations as well as poor internal security practices.

Most companies are significantly behind on patching internal systems, run a flat, non-segmented network, and still depend on legacy systems.

Cloud providers typically manage their security better, since this is their core business. Of course, it is very important that companies properly architect and configure their cloud footprint, and apply multi-party accountability (the shared responsibility model) for the shared and segmented elements of the computing environment.

Finally, cloud is scalable, can have built-in resilience (if architected properly), and can also future-proof an organization.

2. When ransoms are paid, is data being returned and Personally Identifiable Information (PII) not being retained/shared by the hackers?
In most cases there seems to be "honour amongst thieves", but there are cases where attackers did not keep their word. As always, whether or not to pay is a business decision.

3. Is FOSS (Free and Open-Source Software) better than proprietary software from a publicly audited perspective?
This very much depends: there have been security vulnerabilities in both FOSS and proprietary software. It is important to perform due diligence, maintain ongoing monitoring, and have sufficient security controls in place.

4. Have you heard of ransomware negotiations as a service?
There are several organizations that provide ransomware negotiation and payment services. Even if you do not intend to pay, it may be wise to look into who these are and establish relationships in advance.

5. Do you have comments or recommendations on Managed Security Service Providers (MSSP)?
The MSSP market is quite broad, with everything from niche local players to large multinationals. It is critical that you review your options and go with the provider that best fits your needs. MSSP services are only as good as you define them.

It is a simple reality that we are all at risk from cyber threats, and businesses need to have a plan and framework in place to manage that risk. The National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce publishes the NIST Cybersecurity Framework (CSF) on its website, which management consultants may find helpful. The framework helps businesses of all sizes to better understand, manage, and reduce their cybersecurity risk and to protect their networks and data.

The NIST framework has five core functions: identify, protect, detect, respond, and recover. It is somewhat simpler to implement the NIST framework than the ISO 27001 standard, but if you do a lot of international work you may need to consider both.

For those who want a quicker fix to help mitigate risk:

  • Implement two-factor authentication (2FA) on all your vulnerability points.
  • Establish an incident response retainer, and regularly test your plans (tabletop exercises).
  • Establish a multi-year cybersecurity strategy, and conduct constant evaluation and improvement activities (maturity assessments, red teams).

Session Resources
For a full recording of Protecting Against Cyberthreats, visit the CMC-Ontario website.

If you want to download a PDF version of the presentation, visit the CMC-Ontario on-demand library.

For information on upcoming CMC-Canada events, visit the association events calendar.


About the Authors - Craig Mackay, FCMC and Marcus Troiano

Craig Mackay, FCMC

Craig Mackay is Past President of the Institute of Certified Management Consultants of Ontario and Vice President of Nortak Software, responsible for Information Solutions.

Craig is host of What's Up Wednesday, the digital series presented by CMC-Ontario. He is also a Management Advisory Service (MAS) consultant recognized by the National Research Council of Canada Industrial Research Assistance Program (NRC-IRAP) and the Canadian Association of Management Consultants (CMC-Canada).

Marcus Troiano

Marcus Troiano is a Cybersecurity Strategy Advisor and the Practice Lead for Mandiant / Google Cloud's Strategic Consulting Services in Eastern Canada.

With a focus on providing innovative solutions to the complex security challenges his clients face, he has led and delivered cybersecurity strategy development and transformation projects for leading organizations and governments across the globe.


Article Disclaimer
All opinions expressed in this article are the views of the authors and not CMC-Canada.

Also, all views in this recap post should be used for informational purposes only and not as legal advice. When managing cyber threats, every situation is unique, and your team should make any decisions on managing threats in consultation with legal and security experts, as well as your own corporate leadership.

What's Up Wednesday: Protecting Against Cyber Threats