Sidekick Security

Information Technology and Services

Bethesda, MD · 368 followers

Building the next generation of security programs

About us

At Sidekick, our mission is to help our customers build a cybersecurity program that is truly integrated, aligned, and prepped for scale. We operate with a unique combination of diverse security expertise and a relentless pursuit of program alignment. Our team helps security leaders, or companies without a security team, take a proactive and holistic approach to risk management, positioning security to be an enabler for the organization. Our service hypothesis is grounded in an avoidance of point solutions, aiming to reduce the cognitive load that security teams across the world are constantly wrestling with. We believe that security is hard enough already; the solutions we purchase to help shouldn't make things even more complicated. Sidekick is headquartered in Maryland but has a distributed workforce across the United States.

Website
https://sidekicksecurity.io
Industry
Information Technology and Services
Company size
11-50 employees
Headquarters
Bethesda, MD
Type
Privately held
Founded
2023
Specialties
Cybersecurity Leadership, Manual Penetration Testing, Application Security, Third Party Risk Management, Supply Chain Risk Management, Red Team, Purple Team, Healthcare Information Security, Web Security, API Security, Proactive Security, Application Security Program Development, HHS CPGs, Compliance Readiness, and Security Led Growth

Updates

  • Our CEO Robert Wood recently sat down with HITRUST to talk about third-party risk management. What's not working, what to potentially do about it, and why it seems to be in a perpetually stuck state. The recording for that webinar was recently posted up on YouTube here - https://lnkd.in/e9NxQCdF If you want to talk about your own TPRM program and how you can make it better, we'd love to help!

  • At Sidekick Security, we believe cyber risk management should empower organizations and their strategy, not just check compliance boxes. Yet, many organizations struggle to bridge the gap between security, risk, and business outcomes. In this latest episode of The Security Program Transformation Podcast, our CEO, Robert Wood, sits down with Mads Bundgaard Nielsen to discuss:
    - The difference between compliance-driven vs. business-driven risk management
    - How Monte Carlo simulations and decision science can transform cybersecurity risk assessments, especially when you're not only modeling money and financial impact
    - The flaws in current vulnerability scoring systems (and what to do instead)
    - Why organizations struggle with third-party risk management, and how to fix it
    - A practical roadmap to start quantifying cyber risk today
    If your organization is navigating the challenges of GRC, risk quantification, and business-aligned cybersecurity, this episode is packed with actionable insights to help you level up your risk management approach. Listen now:
    - YouTube: https://lnkd.in/eAzE9Q4F
    - Spotify: https://lnkd.in/eghgtJSp
    - Apple Podcast: https://lnkd.in/e8M78zJf
    At Sidekick Security, we help organizations move beyond checklists and compliance to real, risk-based security. Let's talk about how you can turn cyber risk into business intelligence. #CyberRisk #RiskManagement #CyberSecurity #GRC #DecisionScience #BusinessOutcomes #CyberSecurityLeadership

  • On this Valentine’s Day, learn to love some of those things in cyber that drive you nuts. Password managers, when you really integrate them into your day-to-day flow, will make life so much easier when you’re not remembering all those credentials for every app under the sun. Compliance, which is a four-letter word in many cybersecurity circles, can help align, motivate, and get budget to support really important needle-moving activities. Third-party risk is normally boiled down to annoying questionnaires that never help anyone, but if you’re actually looking at how your suppliers work in your environment, you can avoid getting blindsided. Stay secure out there! #cybersecurity #ciso #tprm

  • A fascinating discovery from a recent HIPAA assessment highlighted a critical misconception in healthcare security that is worth sharing. A large software company purchased another firm that was selling to a large number of healthcare organizations. By design, the software wasn't storing any patient data, and there was a very intentional product architecture and data flow. The organization had also built an impressive security infrastructure around the data inspection capabilities they had. Their philosophy seemed elegant: if they don't store health data, HIPAA doesn't apply. They even had it written into their contracts as a means of managing liability. But here's where it gets interesting: the HIPAA conduit exception isn't about intention, it's about capability and reality. Think of this rule like a mail carrier. They transport sealed letters containing medical information but never open them. That's a true conduit. But the moment you can read the contents (or do read the contents), even if you don't store them, you're no longer just carrying the mail. You're processing it. Our assessment dug in and revealed that their full packet inspection technology, while excellent for security, meant they could see and analyze all traffic, including healthcare data in these particular customer environments. So even with minimal storage and strong security controls, the ability to inspect meant they couldn't claim the conduit exception. Key learning: with tech today being so incredibly interconnected, especially at the intersection of healthcare and cybersecurity, it's not about whether you intend to handle PHI, it's about whether your technology can access it. The silver lining? Many of their security controls already aligned with HIPAA requirements. The gap wasn't as wide as they feared. Sometimes understanding your true compliance obligations is the first step toward meeting them. And sometimes you don't get that understanding without really digging in, threat modeling, and pulling apart the software. #HealthcareSecurity #HIPAA #Compliance #CyberSecurity #HealthTech #RiskManagement #SecurityByDesign

  • During a recent assessment, we uncovered a number of issues ranging from misconfigurations, injection bugs, broken authZ, and so on. Here’s one thing that’s different with the Sidekick process though. We took one of the high-risk API findings for this client and transformed that into:
    - A clear compliance roadmap for their upcoming SOC 2 and ISO 27001 audits
    - A strategy for eliminating that entire class of issue through better app design
    - A monitoring plan for similar issues in the environment
    - Assurances for their customers through retests and attestation letters that help build trust in sales
    When we work with our customers, we try to bring everything back to the bigger-picture strategic outcomes. Ready to do the same? #SecurityTransformation #BusinessEnablement #penetrationtesting

  • The second episode of the Security Program Transformation Podcast has dropped. In this episode Robert Wood interviews Tyler Healy from DigitalOcean to unpack the journey they've been on building trust and scaling. Episodes are live on YouTube, Spotify, iTunes, and anywhere you are getting your podcasts. https://lnkd.in/du9ibKcS #ciso #cybersecurity #digitalocean #podcast #securityledgrowth

  • There's never enough people, time, or resources in cybersecurity. That's one of the core drivers of why we need to figure out smarter ways of prioritizing all those limited resources towards the problems that really matter. In this recent podcast discussion between Robert Wood and Dr. Joe Lewis, this kind of intentionality rang true throughout the conversation. As you're looking at your vulnerability management procedures, instead of treating everything the same based on some arbitrary tool outputs, think instead about the profiles of risk that matter most to your organization. Your security program is, after all, yours: not one from FAANG, not some lofty program ideals you saw on YouTube or LinkedIn. If you haven't had a chance to catch the podcast yet, give it a listen:
    - Video podcast on YouTube: https://lnkd.in/evY4hjut
    - Podcast site for audio: https://lnkd.in/eNiiV2T7
    #ciso #vulnerabilitymanagement #cybersecurity #riskmanagement

  • Today we are thrilled to announce the launch of the Security Program Transformation Podcast. The first episode was a fantastic conversation with the CISO for CDC, Dr. Joe Lewis. The conversation covered everything from humility in leadership, what risk really means, Lego, and organizational dynamics. You can find it at any of the places you normally listen and consume your content:
    - YouTube: https://lnkd.in/e_EFbAFq
    - Spotify: https://lnkd.in/eq25y3Jj
    - iTunes: https://lnkd.in/eQZ9ij7D
    - Podcast website: https://lnkd.in/efVNWGYn
    #ciso #digitaltransformation #securityprogram

  • Sidekick Security reposted this

    Ryan Bellack

    Deputy Director, Infrastructure & Cyber @ Coast Guard | IT & Cybersecurity Adjunct Faculty | President @ ISC2 NOVA Chapter

    You don’t want to miss this one! Join us on Tuesday, October 1st at 6:00 PM for the next ISC2 Northern Virginia Chapter meeting at Capital One in Tysons Corner. We’ll have an insightful fireside chat with Robert Wood, founder of Sidekick Security, and Dan Waddell from Agile Defense, discussing the game-changing concept of Cyber Data Lakes. Plus, recruiters from Agile Defense will be there, so don’t miss out on the chance to network, earn 1 CPE credit, and enjoy complimentary food and drinks! Seats are limited, so register today. See you there! #isc2nova #isc2 #cybersecurity #networking #recruiting #agiledefense

    ISC2 Northern Virginia Chapter

    1,152 followers

    Join us on Tuesday, October 1st, at 6:00 PM for our next ISC2 NOVA Chapter meeting! Network with fellow professionals, earn 1 CPE credit, and enjoy complimentary food and drinks. Please note, this meeting will be held on a Tuesday instead of our usual Thursday time slot. We are thrilled to have Robert Wood, founder of Sidekick Security, as our guest speaker. This event will feature an engaging fireside chat between two influential leaders in the cybersecurity industry. Our platinum sponsor, Agile Defense, will be represented by Dan Waddell, who will join Robert in a discussion about the transformative potential of Cyber Data Lakes, poised to revolutionize the traditional SIEM approach. Agile Defense recruiters will be present, offering a great opportunity for networking. Robert brings extensive experience from building and leading security programs at Silicon Valley startups and major federal agencies like the Centers for Medicare and Medicaid Services. His leadership philosophy emphasizes the convergence of engineering, data, culture, and risk-taking. Now, at the helm of Sidekick Security, Robert is guiding organizations through their security modernization and digital transformation journeys. Not a member? No problem! Come see what we’re all about, and consider joining after. Don’t miss this chance to gain insights from top industry leaders and network with fellow cybersecurity professionals. We look forward to seeing you there! #isc2nova #isc2 #cybersecurity #networking #recruiting #agiledefense
