He is responsible for the expansion of the overall cybersecurity strategy, consulting, advisory, assessment, remediation, engineering, vulnerability management, and managed information technology (IT) and cybersecurity service offerings for both the public and private sectors.
He acts as the change agent for SecureStrux’s most strategic clients looking to secure their corporate, government, and critical infrastructure sectors.
You are the director of Governance, Risk, and Compliance (GRC). What does that mean?
Tony: Practically every company today has cybersecurity and IT challenges that require balancing its business objectives with its IT, cybersecurity, risk, and compliance needs. Basically, GRC provides a foundation for a company to organize its governance structure, risk management program, and compliance commitments. Keep in mind that the IT and cybersecurity disciplines are an integral part of GRC. They influence the outcomes and success of a GRC program. Adversaries are targeting Controlled Unclassified Information (CUI) within all 16 of the nation’s critical infrastructure sectors, including the Defense Industrial Base (DIB), Healthcare, and Public Health sectors.
Bottom Line: Our goal is to unify and align the company's approach to risk management, cybersecurity, and regulatory compliance so that it is disciplined and repeatable.
Why would a company need a GRC Strategy?
Tony: All companies, whether they know it or not, have some semblance of GRC in place. The challenge is bringing it all together to build a strong GRC framework that can help the company align and integrate its risk management and compliance requirements. The purpose of GRC is to support the business, not burden it. If done correctly, the company’s GRC program will become a normal part of doing business and will realize significant benefits such as:
- Integrated risk, internal control, and compliance activities
- Effective oversight
- Increase in repeatable processes
- Easier access to trusted information
- Integrated data, analytics, and reporting
- Reduced duplication of business practices
- Standardized practices across lines of business
- Reduced costs
How does a company implement and manage a GRC program without the burden?
Tony: I mentioned that GRC should not be a burden. Once a GRC program is in place, it should be a natural way of doing business. However, building out a GRC program could involve heavy lifting and be burdensome in the early stages, especially for a company that has little to no GRC foundation in place.
First and foremost, defining the goals, objectives, and priorities to build a GRC program requires dedicated engagement from key stakeholders, typically senior leadership, such as the board of directors (if it exists), the C-suite (if it exists), and cross-functional leadership.
Second, defining the GRC strategy will be based on the stakeholders’ appetite for risk. Stakeholders must have a comprehensive view of risk across the organization to frame the strategic goals, objectives, and priorities. Risk appetite should be defined to cultivate a culture within the organization that enables stakeholders to take appropriate action to reduce the risks of noncompliance. Understanding the risks will not only help minimize the exposure of documented risks but also help to identify opportunities for improvement in executing against the company’s business objectives.
Third, the company must understand how to navigate through the multiple compliance requirements. Stakeholders need to identify all their compliance commitments and how to achieve and maintain compliance.
This sounds ominous for small companies. Does this mean small companies are not equipped or can't afford a GRC program?
Tony: No, not at all. The need for GRC is still there. Obviously, it would need to be scaled down to fit the company’s resource limitations while still meeting its risk and compliance obligations. With respect to resources, a small company more than likely would not have its own formal governance structure, risk management program, or compliance program.
Subsequently, some companies have opted to outsource GRC at some level. For example, PX Partners conducted a survey in November 2020 which found that over 90% of senior executives saw a shortage of GRC practitioners as limiting business success. Additionally, 94% agreed that accessing variable or scalable GRC teams would better support their business.
I, too, recommend a scalable and resource-smart GRC program for small companies. The PX Partners survey found that many companies tend to build an overly complex GRC program, which can have detrimental effects counter to the benefits that GRC can provide to the company. Outsourcing GRC where the company needs assistance should be an option for it to consider.
How does SecureStrux help small companies with their cybersecurity risk and compliance needs?
Tony: I don’t have time here to elaborate on all the services we can provide, but we have experts who can work with companies to overcome their cybersecurity risks and compliance challenges. As I previously mentioned, our goal is to help the company proactively manage its risk and compliance obligations in a disciplined and repeatable manner. We can assist with the company’s governance activities, including developing and reviewing internal policies, interpreting compliance regulations, and ensuring stakeholders understand their responsibilities in meeting those requirements.
We can assist with navigating across multiple compliance regulations (e.g., FISMA, CMMC, HIPAA) and associated IT and cybersecurity frameworks (e.g., NIST RMF, NIST CSF, COBIT) in the federal and commercial sectors. We can tailor our support via various means, such as our Embedded Defense Package, which provides consistent support across a number of different risk and compliance frameworks, and our Assured Defense Package, which provides ongoing support and expertise to assist with maintaining compliance through comprehensive risk assessments and management, managed services support, and continuous monitoring.
With continuous monitoring, we can oversee the company’s risk management activities and provide guidance for maintaining compliance. This can include achievement and sustainment of DoD Authority to Operate (ATO) or CMMC readiness preparation that executes a risk-based approach to maintaining compliance. We can assist with routine presentations to executive leadership to review and adjust priorities based on the company’s risks and business impact. More information can be found on the SecureStrux website at www.securestrux.com/capabilities/grc-cybersecurity/.
To wrap up, tell us what you do in your spare time.
Tony: I’m a believer in maintaining a balance between work, family, and hobbies. I look at it as a three-legged chair. Take away any leg, and the chair will fall. Everyone needs activities outside of work to maintain that balance, whether it’s activities with family or friends or enjoying hobbies on your own. For fun, I enjoy outdoor activities, including running and hiking, or just sitting poolside.
In my off time, I am a part-time audio engineer and music producer, along with a videography services provider. I have played guitar since I was 9 years old. Playing in bands is very therapeutic for me. I can also be caught binge-watching football; go Terps, Ravens, and Titans.
Director, Governance, Risk, and Compliance
Tony has extensive experience within both the public and private sectors, where he has been responsible for internal and client-facing GRC programs. After retiring from the USAF, Tony became a full-time information security professional, fulfilling various roles as an information system security officer, information system security manager, National Institute of Standards and Technology (NIST) certifying authority, security controls assessor, chief information security officer (CISO), and cybersecurity consultant. He has approximately 20 years of hands-on experience with compliance frameworks in many roles, including working as a key member of a team at the Pentagon to convert the United States Air Force from a Department of Defense (DoD) static compliance-based framework to the risk-based NIST Risk Management Framework (RMF).
Tony has been involved in the CMMC Ecosystem for close to two years as a CMMC Provisional Assessor (PA) and CMMC Provisional Instructor (PI). He has worked with DoD and CMMC Accreditation Body (CMMC-AB) sponsored working groups to develop the CMMC Certified Professional (CCP) and CMMC Certified Assessor (CCA) training and exam objectives. He has hands-on experience assisting an organization in achieving its CMMC Level 3 certification to become an Authorized CMMC 3rd Party Assessment Organization (C3PAO), as well as conducting many CMMC consulting engagements for the Defense Industrial Base (DIB).
This experience has translated to other compliance frameworks and requirements within the academic, federal agency, commercial, and healthcare sectors, where Tony is responsible for conducting comprehensive compliance assessments, risk assessments, and remediation engagements.