At Foster Moore, cybersecurity is a top priority—it is the backbone of our commitment to building secure, innovative registry solutions. As we celebrate Cybersecurity Awareness Month, we dive deeper into how we protect our systems, data, and people. We sat down with Chuck Moore, our Chief Information Security Officer (CISO) and one of the company's co-founders. In this exclusive Q&A, Chuck shares his insights into the critical role cybersecurity plays at Foster Moore, the challenges organizations face today, and how we are staying ahead of the curve.
Chuck’s expertise and leadership have helped shape our robust security strategy, ensuring that we not only meet industry standards but also anticipate evolving threats. This is a must-read for anyone wanting to understand how cybersecurity ties into the core of our operations—and how every Foster Moore employee contributes to safeguarding our future.
Read on to hear from Chuck about his role, the importance of building a “human firewall,” and the latest strategies we’re using to keep Foster Moore at the forefront of cybersecurity excellence.
What's your role as Foster Moore’s Chief Information Security Officer?
The primary objective of any Chief Information Security Officer (CISO) is to safeguard an organisation's information assets by developing and implementing a comprehensive cybersecurity strategy. This includes managing risks, ensuring regulatory compliance, and aligning security initiatives with business objectives. Since taking on the role of CISO, the entire Foster Moore team and I have made significant strides in implementing the strategy and have fostered a security-conscious culture to protect the organisation from evolving cyber threats.
Why is cybersecurity so important at Foster Moore?
Cybersecurity is crucial for businesses like ours because it protects sensitive data. This data includes customer information, sensitive employee details, financial details, intellectual property, etc. A robust cybersecurity posture helps maintain business continuity, preserves customer trust, and ensures compliance with industry regulations. Without solid security measures, Foster Moore would be vulnerable to financial loss, reputational damage, and operational disruption.
Regular training is crucial to maintaining a strong cybersecurity posture. Can you share more about the cybersecurity awareness training program at Foster Moore and how often employees are engaged with it?
At Foster Moore, our cybersecurity awareness training program is designed to equip our team with the knowledge and skills to recognise and respond to evolving cyber threats. The program covers several topics, including phishing prevention, password hygiene, data protection, and compliance requirements. Foster Moore team members engage with the training monthly (or so), ensuring team members stay updated on the latest threats and best practices. Regular refreshers and interactive sessions foster (no pun intended) a culture of security awareness across the organisation.
Phishing is one of the most common threats facing organisations today. What kind of phishing training does Foster Moore provide to employees, and how do you assess its effectiveness?
Phishing prevention is critical to any cybersecurity strategy because phishing attacks are among the most common and damaging cyber threats businesses face. These attacks aim to deceive employees into divulging sensitive information or clicking malicious links, often leading to data breaches, financial loss, or compromised systems.
Building a "human firewall" refers to fostering a workforce that serves as the first line of defence against cyberattacks. Cybercriminals see employees as the weakest link in cybersecurity, but with regular and practical training, team members can become a powerful shield. A human firewall ensures that every team member is vigilant and aware of potential risks, reducing the likelihood of falling victim to phishing and other social engineering attacks.
Through continuous training and simulations, Foster Moore has greatly enhanced our security posture by fostering this awareness. Our Phishing Prone Percentage (PPP)—calculated as the number of clickers divided by the number of simulated phishing emails sent in a campaign—serves as a key metric, and we’ve seen significant improvement in our PPP over the past two years. Foster Moore's team has successfully shifted from passive users to informed defenders, playing a vital role in preventing breaches.
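As an added illustration (not code from the original page or from Foster Moore), the snippet below computes the Phishing Prone Percentage described above from raw simulated-phishing campaign records and reports how it moves from campaign to campaign. The event records are constructed sample data, and counting each recipient at most once per campaign (clickers rather than raw clicks) is an assumption about what "number of clickers" means.

```python
"""Phishing Prone Percentage (PPP) from simulated-phishing campaign events.

PPP as defined above: number of clickers divided by the number of simulated
phishing emails sent in a campaign, expressed as a percentage. This example
counts a recipient who clicked several times as one clicker (an assumption)
and skips campaigns with no sent emails instead of dividing by zero.
"""

# Constructed sample data, one tuple per record: (campaign, recipient, event).
# "sent" marks a simulated email delivered to that recipient; "click" marks a
# click on its link. Campaign 2023-Q2 records bob clicking twice on purpose,
# to show that he is still counted as a single clicker.
SAMPLE_EVENTS = [
    ("2022-Q4", "alice", "sent"),
    ("2022-Q4", "alice", "click"),
    ("2022-Q4", "bob", "sent"),
    ("2022-Q4", "bob", "click"),
    ("2022-Q4", "carol", "sent"),
    ("2022-Q4", "dave", "sent"),
    ("2023-Q2", "alice", "sent"),
    ("2023-Q2", "bob", "sent"),
    ("2023-Q2", "bob", "click"),
    ("2023-Q2", "bob", "click"),
    ("2023-Q2", "carol", "sent"),
    ("2023-Q2", "dave", "sent"),
    ("2023-Q2", "erin", "sent"),
    ("2024-Q1", "alice", "sent"),
    ("2024-Q1", "bob", "sent"),
    ("2024-Q1", "carol", "sent"),
    ("2024-Q1", "dave", "sent"),
    ("2024-Q1", "erin", "sent"),
    # A campaign that was configured but never sent: must not produce a PPP.
    ("2024-Q2-draft", "alice", "click"),
]


def campaign_ppp(events):
    """Return {campaign: PPP} in order of first appearance.

    PPP = 100 * unique clickers / emails sent, rounded to one decimal.
    Campaigns with zero sent emails are omitted.
    """
    sent = {}      # campaign -> number of simulated emails sent
    clickers = {}  # campaign -> set of recipients who clicked at least once
    for campaign, recipient, event in events:
        sent.setdefault(campaign, 0)
        clickers.setdefault(campaign, set())
        if event == "sent":
            sent[campaign] += 1
        elif event == "click":
            clickers[campaign].add(recipient)
    return {
        campaign: round(100.0 * len(clickers[campaign]) / count, 1)
        for campaign, count in sent.items()
        if count > 0
    }


def ppp_trend(ppp_by_campaign):
    """Return [(campaign, ppp, change_from_previous)], None for the first."""
    rows, previous = [], None
    for campaign, ppp in ppp_by_campaign.items():
        change = None if previous is None else round(ppp - previous, 1)
        rows.append((campaign, ppp, change))
        previous = ppp
    return rows


if __name__ == "__main__":
    for campaign, ppp, change in ppp_trend(campaign_ppp(SAMPLE_EVENTS)):
        trend = "" if change is None else f" ({change:+.1f} points)"
        print(f"{campaign}: PPP {ppp:.1f}%{trend}")
```

A falling PPP across campaigns is the signal the text refers to; if the same people click in every campaign, the per-recipient sets built here also make it easy to target follow-up training rather than retraining everyone.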
What are some of the biggest cybersecurity challenges organisations face today?
Today's organisations face significant cybersecurity challenges, including increasingly sophisticated cyberattacks such as ransomware and zero-day exploits, making threat detection and response difficult. Insider threats, both malicious and accidental, continue to pose significant risks, while the rise of cloud computing introduces vulnerabilities related to misconfigurations and data breaches. The pressure to comply with evolving data privacy regulations, like GDPR and CCPA, adds complexity. These challenges require a proactive approach, combining advanced security technologies with strong employee awareness and compliance strategies to safeguard against ever-evolving threats.
How is Foster Moore addressing them?
To effectively tackle cybersecurity challenges, Foster Moore has adopted a defence-in-depth strategy, using multiple layers of protection through various key measures. Significant investments have been made in the evaluation and implementation of technical controls, such as industry-standard tools like Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems, which monitor for unusual activity and help prevent both malicious and accidental incidents.
Security is a key part of the products we deliver and manage for our clients. Our software development function includes secure coding practices and threat modelling, as well as tools and processes that support a secure development lifecycle.
Additionally, we prioritise securing our cloud environments by focusing on proper configuration management, encryption, and robust identity and access management (IAM) practices. Guided by the U.S. National Institute of Standards and Technology (NIST) compliance standard, we follow good practices by implementing recommended security controls, such as employing multi-factor authentication (MFA) to protect our cloud (and other IT) assets.
We’ve also implemented other proactive measures, like continuous monitoring and vulnerability assessments, essential for addressing threats before they escalate. Additionally, we are strengthening our insider threat programs by establishing clear policies and conducting regular employee training.
Lastly, we are investing in the governance, risk, and compliance (GRC) program to ensure we stay current with regulatory changes while establishing data protection policies, conducting audits, and performing privacy impact assessments to maintain compliance and avoid legal penalties. We are creating a robust cybersecurity framework to safeguard our assets and information effectively.
What can employees do to be more proactive in ensuring their company's information and assets are secure?
Employees can play a key role in securing the company’s information by staying informed through active and diligent participation in cybersecurity training and adhering to our prescribed practices. Since Access Management exploits are the number one tactic attackers use today (followed by phishing), learning, understanding, and employing strong password management, including complex passwords, and enabling multi-factor authentication, is essential. Remaining vigilant against phishing attempts and using only approved company tools help further protect against potential threats. Above and beyond our security training, self-education on practices and issues would be ideal.
Is there any source of education or information you recommend to people wanting to stay up to date with cybersecurity best practices?
Blogs like Krebs on Security, Hacker News, and Dark Reading provide timely updates on industry trends and light-touch reading on cyber threats and security practices. If you want in-depth details on cybersecurity best practices, check out the SANS Institute for training and certifications and NIST for comprehensive frameworks and guidelines. In addition to providing good bedtime reading, these publications are excellent resources for gaining an in-depth understanding of the requirements for effective controls to safeguard Foster Moore’s crown jewels.
In today's ever-evolving cybersecurity landscape, having leaders like Chuck at the helm of our security strategy is a true asset to Foster Moore. His dedication to protecting our systems and empowering our team ensures that we remain a trusted partner for our customers, no matter the challenge.
We're proud to have Chuck on our team, driving innovation and safeguarding the integrity of our data, products, and services—so we can continue delivering the secure, world-class registry solutions our clients expect.
Happy Cybersecurity Awareness Month!