“Change” Isn’t a Four-Letter Word: Creating a Culture of Cybersecurity at Work

Posted January 19, 2019

“These people, dressed as they are, come from all over the United States to make deals here in the marketplace of America, ‘Let’s Make a Deal.’ And now, here’s America’s top trader, TV’s big dealer, Monty Hall!”

This is how every episode of the game show “Let’s Make a Deal” began in the 1970s. Whether or not you’ve seen the show, you may be familiar with the so-called Monty Hall Problem. This probability puzzle introduces the following scenario: you’re a contestant on a game show and you’ve been given the choice of three doors. Behind one of the doors is a car. Behind the other two doors? Goats. You choose door #1 and the game show host, who knows what’s behind each door, opens door #3 to reveal a goat. He then asks you if you want to switch your choice to door #2.

Should you do it?

Thankfully, the man who posed the problem in 1975, American statistician Steve Selvin, also gave the answer: yes.

According to Selvin, under the standard assumptions (the host knows where the car is, always opens a door you did not pick, always reveals a goat, and always offers the switch), contestants who switch to door #2 win the car with probability 2/3, while those who stick with their original choice win only 1/3 of the time.
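The 2/3 versus 1/3 split follows directly from those assumptions, and it is easy to check. The script below is an added example, not part of the original post: it enumerates every equally likely car placement, contestant pick and host choice to get the exact probabilities as fractions, then runs a seeded simulation of the same game to confirm them. The door count and the rule that the host only ever opens a goat door are the assumptions stated above.

```python
"""Monty Hall: exact win probabilities by enumeration, confirmed by simulation.

Added example. Assumes the standard rules: the host knows where the car is,
always opens a door the contestant did not pick, always reveals a goat, and
always offers the switch.
"""
import random
from fractions import Fraction

DOORS = 3  # assumption: the classic three-door game


def host_options(car, pick):
    """Doors the host is allowed to open: not the contestant's pick, not the car."""
    return [d for d in range(DOORS) if d not in (pick, car)]


def final_pick(pick, opened, switch):
    """The contestant's final door: the lone remaining closed door if switching."""
    if not switch:
        return pick
    return next(d for d in range(DOORS) if d not in (pick, opened))


def exact_win_probability(switch):
    """Sum the probability of every branch of the game tree that ends in a win.

    Car placement and first pick are independent and uniform (1/9 per pair);
    when the host has two goat doors to choose from, each is taken with
    probability 1/2.
    """
    total = Fraction(0)
    for car in range(DOORS):
        for pick in range(DOORS):
            placement = Fraction(1, DOORS * DOORS)
            options = host_options(car, pick)
            for opened in options:
                branch = placement / len(options)
                if final_pick(pick, opened, switch) == car:
                    total += branch
    return total


def simulate(switch, trials, seed=0):
    """Play `trials` rounds with a seeded RNG and return the observed win rate."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        car = rng.randrange(DOORS)
        pick = rng.randrange(DOORS)
        opened = rng.choice(host_options(car, pick))
        wins += final_pick(pick, opened, switch) == car
    return wins / trials


if __name__ == "__main__":
    for switch in (False, True):
        label = "switch" if switch else "stay"
        print(f"{label:6s} exact={exact_win_probability(switch)} "
              f"simulated={simulate(switch, 100_000):.3f}")
```

The enumeration is the argument in miniature: your first pick is wrong two times out of three, and whenever it is wrong the host's reveal leaves the car behind the one door you can switch to. The simulation only matters as a sanity check; if you change the host's behaviour (for example, letting the host open a door at random), the enumeration no longer applies and the numbers move, which is why the assumptions above are part of the answer.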

To put it both bluntly and simply, if you don’t change, you lose out on the deal.

What the heck does all this have to do with cybersecurity?

At GreyCastle Security, we are often approached by companies that are trying to make multi-million dollar deals with large multinational corporations. These large corporations require the companies they work with to have strong cybersecurity programs in place, because fulfilling the vendor contract means accessing sensitive information, and the corporation wants to avoid any compromise of that data.

For the smaller company, making the deal often means making a change.

Nine times out of ten when these companies approach us, they have no cybersecurity program at all – and this leads to a “fire drill” situation where they now need to rush to put a program in place (or they’ll end up with the business equivalent of the goat behind door #1).

The lack of a formalized cybersecurity program is hindering the growth of your business.

As a business, you need a cybersecurity program that evolves with you rather than one assembled in a panic. Here's what you'll need to do to get started:

  • Perform the foundational elements of a cybersecurity program, such as a risk assessment
  • Understand where data is and have a means of prioritizing and classifying critical data
  • Understand what kind of access you’ll have to client data and have effective controls to ensure you’re protecting that data

You'll also need to be able to communicate clearly what risks, if any, you introduce to clients or prospective clients, to push back on client requests when they are unreasonable, and to show clients that these controls are actually in place.

Change brings opportunity

At this point in our Monty Hall Problem, our contestant made the change. They switched to door #2 and won the car. Now that they’ve got this new opportunity – where are they going to take it?

What about your deal? When it comes to cybersecurity, making necessary changes to your program introduces new opportunities, but, thanks to security questionnaires, it may not feel that way at first.

When large, risk-averse corporations want to bring on a new partner or vendor, they’ll have their vendor risk management team evaluate whether or not the potential partner has their stuff together from a cybersecurity perspective. A part of this process often includes a 250-page document that asks questions about your cybersecurity program. Some of the questions within the security questionnaire document are relevant while others are not, but your success in growing your business with large corporate clients is dependent on your ability to give a satisfactory response.

Many companies don’t understand how to fill out these security questionnaires or don’t have resources available to fill them out accurately (including not having the amount of staff needed to fill out a growing number of questionnaires). There is also the added difficulty that questionnaires from different corporations may all be different, with different questions. It’s not unusual for companies to feel like they’re drowning in security questionnaires. The best course of action? Get ahead of these questionnaires by building a strong, foundational and formalized cybersecurity program that helps you address the issue proactively.

Being able to explain what risks you may introduce, and the compensating controls and security measures that address them, should streamline the process and help you secure business with big clients.

The more business you earn, the more security questionnaires you have to process, but each one is also an opportunity to make a significant and measurable improvement to your cybersecurity program. That is the silver lining.

Making the deal

Want to win more business? Then you’ll need to build a cybersecurity program that looks at your people, processes, and technology as well as understands the risks you have internally and the risks you introduce to clients. At GreyCastle Security, we help organizations become armed with a system to identify and categorize these areas. And those people in your organization getting hammered with security questionnaires? Their job gets easier because they have a formalized process.

Once your cybersecurity program is fully functioning and harmonious, your company can grow more quickly, with the added bonus of lowering your risk.

So… which door do you want to open?

About The Author: Mike Stamas

Mike Stamas is an entrepreneur, Chief Business Development Officer and Co-Founder of GreyCastle Security. GreyCastle Security is the industry’s leading provider of cybersecurity risk assessment, advisory, and mitigation services.

With over two decades of experience in the technology sector, Mike pairs his management and business development skills with a deep understanding of information security. He brings a unique brand of risk-based advising to clients and prospects.

Mike holds certifications in numerous security and related areas, including certifications from the Department of Homeland Security and from technology vendors such as Symantec, Cisco and Microsoft.

Mike also plays an active role in his community. He currently serves as a Board Member and Vice President of InfraGard in Albany and holds board positions with the Capital Region YMCA, Troy Branch and the Downtown Troy Business Improvement District. He has been recognized for his achievements with various honors, including the Albany Business Review's 40 Under Forty award.
