Jeffrey Lush, CEOCybersecurity justified solely based on compliance and policy, is like putting a gate at the end of the walkway, for a house without walls. Across the board, the approach to cybersecurity is still riddled with a gross disregard for actual security, traded in favor of row fills of ticked boxes on a compliance evaluation sheet. Policies drafted are often effective, but they are rarely upheld to realize the true sense of their purpose, with the efficacy of most watered down by their poor adherence or implementation. An insufficient understanding of risks, a shortage of technical staff, slow response rates, poor security program management, and lack of adequate technical expertise are all contributing factors in the ineffective enforcement of good cybersecurity practices. Because at the end of the day, whether it be government-mandated regulation—such as GDPR, PII, PCI, PHI, NIST or industry-ascribed self-regulation—the most critical aspect of compliance is securing information and keeping it that way. Delaware-based cybersecurity software, BAP Solution, is trying to drive home this very concept, which their CEO, Jeffrey Lush echoes—“Compliance is not security; but by leveraging BAP—Build, Analyze, and Protect—our three levels can be used with all aspects of your cyber strategy.”
As a part of its “build” offering, BAP has developed a special tool that assists companies in becoming compliant with specific regulations such as PII, PCI, or FISMA, to be more secure and compliant. The tool walks the customer through the process, helping them pick out their required security objectives and build their controls (bapSolution.com/OCS). In the analysis phase, BAP will validate the exact mandates that the customers follow in their implementations to inform them if they are deployed properly. For instance, to an administrator working on the systems’ access control policy, details about how his LDAP servers are set up would be appropriate for the control, although BAP will validate the implementation language to make certain the access control policy does not talk about disposal of sensitive information, for example; an intuitive and context-specific feedback and score card.
Compliance is not security; but by leveraging BAP—Build, Analyze, and Protect—our three levels can be used with all aspects of your cyber strategy
The validation helps customers establish what their controls are, verify if they are following regulation or not. The process then moves into the protect phase. BAP aligns the controls and policies to active threat with continuous monitoring, give customer real-time “health” of their controls. BAP is a 100% self-contained, virtual appliance, that runs on any of the VMware or Hyper V virtualization platforms ranging from the free versions to paid cloud hypervisors.
The company has also designed a dashboard and reports, making it as simple as possible for the most non-technical of users. E-mail alerts will mail users of all their policies and visualize their security status through a very simple “red-yellow-green,” stoplight report. BAP can enable stakeholders to look at the security health of their environment, without having to interpret a security specialists’ terminology or lexicon—they can see it all, as green, yellow, or red.
BAP is the policy and security ops teams’ best friend. BAP integrates any information that can be collected using an event file, for example IoT. With relationships involving some of the major IoT gateway manufacturers, BAP projects that IoT is going to continue to be an influence on the security that their system would reinforce. As IoT continues to be more mainstream, BAP wants to be on top, ingesting all the gateway events, correlating them back to the controls as well to give a true system level health.