The number of cybersecurity incidents continues to rise. This upsurge in frequency and complexity has also resulted in an increase in costs. According to IBM’s 2022 Cost of a Data Breach Report, the average total cost of a data breach is USD $4.35 million, 83% of organizations studied have had more than one data breach, […]
About Mark Larson (Partner | CISSP, CISA)
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.
Cyber Threat Intelligence – What It Is & How It Relates to SOC 2 Audits
Cyber Threat Intelligence (CTI) encompasses the people, processes, and technologies that a Company uses to proactively identify and mitigate threats to its brand, assets, employees, third parties, and clients. In simple terms, the goal of CTI is to stay one step ahead of malicious actors and take action before an attack occurs or avoid the […]
New Trends in Cybersecurity: What to Watch for in 2022 & Beyond
As the year comes to an end, it’s important to reflect on the cyber events that captured headlines in 2021 and understand the root causes, impacts, responses, and more importantly, the lessons learned from those events. The following four cyber trends highlight areas that justify increased scrutiny and attention as we transition to the new […]
Vulnerability Management Program: Insights From an Auditor
Vulnerabilities exist within all technology environments. NIST has developed several definitions for vulnerabilities, including a “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” As time passes, software vendors, threat actors, or security researchers, will inevitably find defects or vulnerabilities in the […]
Vulnerability Assessment vs Penetration Testing for SOC 2 Audits
As a security practitioner and auditor, questions regarding the differences between vulnerability assessments and penetration testing come up often. Even though seasoned security professionals may already know the answer to a question like this, there are a number of non-security professionals who may need help understanding the differences, the benefits, and the costs. While larger […]
The MITRE ATT&CK Framework: How Does MITRE ATT&CK Work?
If you’re an information security professional, there’s a good chance you’ve already heard about the MITRE ATT&CK framework. If it’s something you haven’t heard of, or if you haven’t found the time to dive into its vast trove of information, it’s never too late to start! The following are some of the most common questions […]
What is Endpoint Security? Why is it Important?
“Why wash your hands?” “How to Protect yourself and others.” These are headlines that I recently ran across while browsing daily news updates. For months, we’ve been bombarded with advice and guidance on how to stay healthy during the COVID-19 pandemic. While the guidance may vary, the topic of handwashing and avoiding hand contact (i.e. […]
Security Compliance: Understanding the Difference Between Security Vs. Compliance
Throughout my career, I’ve listened to and participated in the debate or discussion surrounding security vs compliance. Most often it seems that those involved in the discussion feel as though they need to take one side or the other. That co-mingling the two is more of a necessary evil versus an activity that provides value […]