5 questions with Pratum and TAI

On their partnership for Cybersecurity Action Month

October has been Cybersecurity Awareness Month since 2004, but two Iowa tech organizations took the opportunity to make the month about taking action as well.

For the last four weeks, Ankeny-based cybersecurity firm Pratum and the Technology Association of Iowa have partnered on Cybersecurity Action Month, an initiative to give Iowa organizations and technology professionals free resources that help them take initial steps toward being cyber secure.

Pratum President Jordan Engbers said one reason for the initiative is that many organizations don’t yet have a cybersecurity role on their team. The work is often delegated to technology teams, who may not necessarily have cybersecurity expertise.

After an in-person kickoff event at the end of September, Pratum and TAI have sent a weekly email with several resources covering the following topics:

  • Incident response planning.
  • Vendor risk management.
  • Cybersecurity training.
  • Business impact analysis.

Gov. Kim Reynolds signed a proclamation designating this October as Cybersecurity Action Month in Iowa. Brian Waller, president of TAI, said he hopes that the proclamation and new partnership with Pratum this year will be a starting point for generating more action to address organizations’ cybersecurity.

A few hundred individuals signed up to receive the resources over the course of the month, Engbers said. The signup page to receive resources will remain available throughout the year so organizations can tap into them when they are ready. Anyone who signs up will receive all four weeks of resources.

Engbers and Waller share more.

What makes cybersecurity a business issue?

When we’re communicating about cybersecurity, if you can make it a business issue, people get it. When [TAI] works at the state Legislature and we’re talking to legislators about data privacy and cybersecurity, if you can make it a business impact, they instantly get it because they can see the impact negatively it could have on businesses, organizations, municipalities, and so they have to be stewards of their citizens and they get it. As a way of communicating, it’s easier to do that that way.

Pratum’s mission is to solve information security challenges based on risk, not fear, and business decisions are all about risk. Everything in an organization is about risk. This happens to be cyber risk that we’re talking about. But a cyberattack will impact certainly the technology, obviously, but think about the brand, the impact to an organization in the brand. That could erode trust with their clients, and if that happens, then it’s really easy to start talking about it from a business perspective. It’s not just a technology issue. It’s are we going to get renewals from our clients? Are organizations going to start seeing us as someone that can’t be trusted with their information? That’s really how you have to start talking about it because then you can get executive buy-in to say, “It’s not just about technology.” This is what Technology Association of Iowa is great about: Every business is a technology business. The core of what we do leverages some form of technology. The only way our business is run is if we keep our technology moving, and if you shut that down through a cyberattack, that is a business issue.

Outside of what businesses can do to protect themselves, what is the role of other stakeholders?

For us, we feel part of our role is influencing state government and federal government. For instance, the European Union has a standardized data privacy called GDPR. Right now, it’s the Wild West and data privacy and what you can and can’t do, and I think there’s a role for state governments specifically to help municipalities, to help businesses find some way with wayfinding through this complex issue, because it’s going to impact our state and our business. For our purposes, we want to leverage the state and federal legislature to see if you can uniform data privacy and help citizens and businesses survive and thrive.

When an organization, say a government entity, takes action, there is a trickle-down effect. I’ll give an example. There’s something called CMMC. Basically, the Department of Defense is going to require their vendors to prove that they’re cyber secure. There’s a forum for them to show what their expectations are, and then a company can basically prove that they’re worthy of working with the Department of Defense. When that happens, there will be other entities, other government entities and other businesses that say, “Well, we can just use that same framework to then require our vendors to do it.” So the role from the government can be to generate a broader sense of understanding or awareness or maybe a platform for the other organizations, whether it be public or private, to sort of use as a starting point or an example.

What are some of the barriers companies may face in implementing a cybersecurity strategy?

One barrier that can be common is just lack of understanding of it. If someone in leadership doesn’t understand, like we referenced earlier, the business impact to it, it can be an education thing. If you don’t understand that, then how are we going to prioritize a budget to do something about it? That’s also what this is about. It’s action month — we’re creating awareness and providing actionable steps for it because it can be tough. I’ve been with Pratum for seven years, and I’ll tell you what, the conversations we were having around cybersecurity seven years ago, people were like, “What are you even talking about?” But now seven years later, we’re actually doing stuff with organizations and they’re like, “Oh, I get it. I need help.” Think about the evolution of cybersecurity, and where it was 20 years ago, 10 years ago, the conversations have changed, but those barriers are still out there. Luckily, they’re getting smaller and organizations are starting to understand it.

I would also add that I’ve been in this job eight years and I would agree that eight years ago when I started, maybe you heard the term cybersecurity a little bit. Today, eight years later, it’s a fundamental part of what we do for our members. It’s in every conversation, and it’s in every room I’m in. It just shows you the growing nature of that threat and the need for service providers in the area.

What is something you think isn’t talked about enough around information security?

What I would add is some industries feel like cybersecurity is not a thing to us. Every industry, organization, municipality, even a nonprofit like TAI, needs to be aware of cybersecurity threats, ransomware and all that stuff. Don’t think you’re immune if you’re in some different industry. We’re all targets, in my perspective.

One is, and this is where ransomware comes into play, you might not think that the information you hold is valuable to anyone else, but because it is valuable to you, if it is held for ransom, you are then willing to pay for it. That is the idea of ransomware. They might not steal it because they want it, they steal because they know you want it. To go to Brian’s point, anyone can be a victim because they know that in order to run your business or your organization, you are going to need the technology and the data to make that happen. Second would be no matter the size of your organization within it, have a cybersecurity champion, have someone who is sort of spearheading that initiative. It doesn’t have to be the most advanced cybersecurity person, but if they can help instill that culture and that understanding within your organization of its importance, that is a great place to start.

What else can Iowa businesses do to improve their cybersecurity going forward?

I think that TAI is a great place for organizations to join and to collaborate together. TAI does a great job of putting roundtables together in various areas of expertise, and I think I would encourage businesses to plug in and tap into that because they’re creating a platform for peers to connect and grow and learn from each other. When you can do that, there’s this commonality when we’re from the same state and sometimes in the same industry or had the same challenges.