UnHacked 47: "Architects of Defense" with Lori Crooks

Guest: Lori Crooks, CEO of CADRA Inc. (specializes in security assessments and security management projects)

Main Discussion Topics

Protection: Compliance frameworks provide controls to protect business data and prevent breaches
Competitive Advantage: Being compliant can create business opportunities over competitors who aren't compliant
Contract Requirements: Many clients now require security compliance as a baseline
Insurance Requirements: Cybersecurity insurance policies require specific compliance measures
State/Industry Requirements: Some states and industries have mandatory compliance standards

Typical timeline: 3-6 months (smaller businesses) to 12+ months (larger organizations)
Cost range: Mid five-figures ($50,000+) to six figures
Process includes: Initial assessment, gap analysis, remediation, policy documentation
Most organizations have some technical controls (firewalls, AV) but lack policies and procedures

Acceptable Use Policy: Defines how employees should use company systems and data
Information Security Policy: Covers usernames/passwords, remote access, etc.
Incident Response Policy: Details how to detect, investigate, and respond to security incidents

Some employees resist using personal phones for 2FA
Options: Provide company phones, compensate for personal phone use, or use hardware tokens
Ultimately, employees unwilling to follow security protocols may need to be let go

Every business falls under some type of compliance framework
Building a security-minded culture must start with leadership
Compliance can be viewed as a competitive advantage rather than just a burden
Third-party verification is important - don't just assume your IT provider "has you covered"
Policies need regular review and reinforcement to be effective