Anthony Villanova of Rhymetec: 5 Ways To Optimize Your Company’s Approach to Cybersecurity & Vendor Review

“Implement and maintain a third-party management program — Ensure data is protected not only within your organization, but with those that your organization shares data with as well. The strongest cybersecurity programs will implement a vigorous vendor review process and create risk remediation strategies with vendors, while the weakest approve vendors solely based upon the presence of an attestation report or a certificate of compliance. All attestation reports and vendors should be reviewed thoroughly prior to transmitting any sensitive information.”

As part of our series “5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity & Vendor Review”, I had the pleasure of interviewing Anthony Villanova.

Anthony Villanova is a Senior Cyber Security Analyst at Rhymetec, the industry leader in cloud security that provides innovative cybersecurity, compliance, vendor review, and data privacy services to modern-day SaaS businesses. Anthony is a cybersecurity and compliance professional with a passion for optimization, attention to detail and process improvement.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

With a lifelong passion for learning, I embarked on my professional journey as a security analyst with a strong determination to incorporate cybersecurity best practices into every aspect of my work. As I familiarized myself with diverse security frameworks, I seized the opportunity to transition into the role of a cloud compliance analyst, which set the trajectory for my career. Throughout 2022, I collaborated closely with more than 40 organizations, implementing compliance initiatives and enhancing cybersecurity measures. This endeavor yielded a multitude of top-notch compliance reports and certifications. Presently, I lead a team of vCISOs, ensuring the success of client compliance programs across a wide range of clients, encompassing varying sizes and levels of distinction.

Ok, thank you. Here is the main question of our interview:

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Vendor Review” and why?

1. Implement and follow a set of information security policies.

Every security program should start with a defined list of information security policies. An organization’s information security policies should specify its approach to information security across different organizational functions. These policies should be tailored to meet control requirements and should specify processes and required internal deadlines. The strongest cybersecurity programs will have well-defined policies that employees can refer to in order to deepen their commitment to following them, while the weakest programs implement a boilerplate policy set in order to check a box.

2. Implement a robust security awareness training program.

Security awareness training programs should have a focus on social engineering and should be digestible and meaningful to the attendees. The strongest cybersecurity programs contain many refreshers and topic-specific training, while the weakest require a minimum of one training per year. Create engagement within an organization to emphasize why information security is so important and what the implications are when security awareness training is forgone.

3. Ensure a process is in place for onboardings and offboardings.

Having a repeatable process for onboardings and offboardings makes it much less likely for access control issues to occur. The strongest cybersecurity programs have a repeatable process outlined within their policies with documented artifacts for each onboarding and offboarding, and contain a set of checks and balances. The weakest cybersecurity programs delegate this responsibility to IT without follow-up. Don’t forget to account for access control privilege creep when employees change roles as well.

4. Regular security audits and testing.

Conducting a regular security audit provides confidence to organizations and their clients that information is protected and secure. The strongest cybersecurity programs will align with numerous cybersecurity frameworks, create a web of controls to implement and maintain, and demonstrate this successfully and repeatedly during annual or sometimes more frequent audits throughout the year. Audits should be planned around and entered into with confidence.

5. Implement and maintain a third-party management program & vendor review process.

Ensure data is protected not only within your organization, but with those that your organization shares data with as well. The strongest cybersecurity programs will implement a vigorous vendor review process and create risk remediation strategies with vendors, while the weakest approve vendors solely based upon the presence of an attestation report or a certificate of compliance. All attestation reports and vendors should be reviewed thoroughly prior to transmitting any sensitive information.
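Point 3 above calls for a repeatable onboarding and offboarding process with checks and balances, and for catching privilege creep when employees change roles. One such check is a periodic reconciliation of the HR roster against each system's account export. The following is an added example written for this page, not Rhymetec's tooling or any product's API; the roster, the role-to-entitlement mapping and the account export are constructed sample data.

```python
"""Joiner/mover/leaver reconciliation: compare an HR roster with a system's
account export and report the gaps a review should catch.
Added example with constructed data; not code from the interview or Rhymetec."""

# Constructed: the entitlements each role is supposed to have in this system.
ROLE_ENTITLEMENTS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"crm:read", "tickets:write"},
    "finance": {"billing:read", "billing:write"},
}

# Constructed: HR roster (the source of truth for who should have access).
HR_ROSTER = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "active", "role": "support"},       # moved from engineering to support
    "carol": {"status": "terminated", "role": "finance"},  # offboarded last month
    "dave": {"status": "active", "role": "engineer"},     # started this week
}

# Constructed: what the system's account export actually shows.
SYSTEM_ACCOUNTS = {
    "alice": {"repo:read", "repo:write", "ci:run"},
    "bob": {"crm:read", "tickets:write", "repo:write"},   # kept engineering access after the role change
    "carol": {"billing:read", "billing:write"},            # account still enabled after offboarding
    "svc-deploy": {"ci:run"},                              # no HR record: service account or orphan
}


def reconcile(roster, accounts, role_entitlements):
    """Return a list of (finding_kind, user, entitlements) tuples.

    offboarding_gap : account still exists for a non-active employee
    privilege_creep : active employee holds entitlements beyond their current role
    unknown_account : account with no HR record (needs an owner or removal)
    onboarding_gap  : active employee with no account in this system
    """
    findings = []
    for user, grants in accounts.items():
        record = roster.get(user)
        if record is None:
            findings.append(("unknown_account", user, sorted(grants)))
            continue
        if record["status"] != "active":
            findings.append(("offboarding_gap", user, sorted(grants)))
            continue
        expected = role_entitlements.get(record["role"], set())
        excess = grants - expected
        if excess:
            findings.append(("privilege_creep", user, sorted(excess)))
    for user, record in roster.items():
        if record["status"] == "active" and user not in accounts:
            expected = role_entitlements.get(record["role"], set())
            findings.append(("onboarding_gap", user, sorted(expected)))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a quarterly access-review report."""
    counts = {}
    for kind, _user, _grants in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, user, grants in reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS):
        print(f"{kind:16} {user:12} {', '.join(grants)}")
    print(summarize(reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS)))
```

Each finding maps to one of the process artifacts the interview mentions: an offboarding gap means the leaver ticket did not close the loop on this system, a privilege-creep finding is the role-change case, and an unknown account is exactly the kind of thing a "checks and balances" step exists to surface before an auditor does.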

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Technology has interested me since I was a child; however, I initially hesitated to turn my passion into a profession, fearing it would dampen my enthusiasm. As a young adult, I explored creative ventures and had some success, but there was a turning point in my career where I discovered the intersection between creativity and technology. After numerous explorations into different areas of computer science, I was enthralled by the constant battle and innovation of cybersecurity. Such a field surely would hold challenges for me and allow me to explore creative solutions to complicated problems. And that is exactly what I have been able to do at Rhymetec; now I creatively explore solutions to real problems every day.


Can you share the most interesting story that happened to you since you began this fascinating career?

The battlefield of cybersecurity is relentless. The clash between data guardians and adversaries shapes the success of businesses and even organizations. In a cyber landscape where Advanced Persistent Threats (APTs) and other malicious actors loom, cybersecurity becomes a dance of intellect and innovation. New challenges arise day after day, forging creative defense tactics. It is a story of perpetual vigilance, where thinking outside of the box is a necessity for success.

One particular story comes to mind. In the beginning of my cybersecurity career, I had learned about attackers leaving infected USB drives near targets and was introduced to the concept of social engineering. Fortuitously (or maybe not so, if it had found another target), I found a USB drive lying on the ground outside my office. Upon evaluation in a closed environment, malware was found on the USB drive. The question of whether this was a targeted attack has lingered with me for years, imprinted by the greater lesson of the story: attackers will find creative ways to access your information, so it is necessary to find creative ways to protect your information.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

It’s difficult to point gratitude to only one person on this journey. I’ve had many influences and inspirations, from my brother who introduced me to technology, to my first boss in the field of cybersecurity who emphasized the necessity to think outside the box, and to the current leaders of my organization who have worked to carve out a new space within the SaaS startup cybersecurity realm. However, no one in my life has been more influential or supportive than my other half and significant other, Briella. She’s not a cybersecurity expert by any means, but she’s an expert on me.

Are you working on any exciting new projects now? How do you think that will help people?

I am very excited about the new service offering tiers that Rhymetec is rolling out on our Virtual CISO (vCISO) service line. At Rhymetec, our goal is to increase the flexibility of our offerings so existing and future clients can have more genuine offerings that meet their exact needs and budgets. Our vCISO service will offer three levels of service from lighter services to more robust service offerings that will more closely align to what our clients are looking for from a hands-on perspective.

Rhymetec currently offers a virtual CISO service offering for companies who can’t afford a full-time CISO, but require executive level security leadership in order to grow and achieve or maintain compliance. A vCISO assists in all compliance and cybersecurity needs that align with the client’s business and can analyze and make recommendations on developing an internal InfoSec program.

The new Rhymetec vCISO tiers include Mentor, Manager and Executive, which increase in scope as clients go up the ladder with what they are looking for from their vCISO. In the Mentor tier, our vCISOs advise on the direction and tools the company needs, while the company has to implement that feedback themselves. It’s more of an advisory level of service. The Executive level replicates what a full-time CISO would look like and provides an in-depth scope of services alongside that advice.

I am looking forward to assisting in rolling out these service offerings and helping equip clients with the confidence and resources needed to navigate the complexities of cybersecurity with greater ease and effectiveness.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Anchor your personal endeavors to a meaningful mission. By doing this, you’ll find the motivation to push through challenging times and combat burnout. Take heed of the warning signs of burnout, and adapt your expectations and actions to align with your mission. Our mission at Rhymetec is to reduce the complexities of cybersecurity. At work, I align my efforts with this mission and a few key internal goals. If I feel the warning signs of burnout, I will check my tasks against this mission, and if they don’t serve to push my mission forward, I tackle them from another perspective in which they do. This provides more motivation and allows me to creatively explore solutions to problems, while having the benefit of being satisfied with my own work.

The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The cybersecurity industry is enthralling, but there are three elements that excite me the most:

The relentless pursuit of innovation in cybersecurity defense strategies fuels an atmosphere of excitement and anticipation. With each breakthrough, boundaries are shifted. There is a thrill that lies in outsmarting ever-evolving threats and safeguarding information with cutting-edge solutions.

The birth of novel services within cybersecurity often serves as a catalyst for the emergence of larger industries. These innovative solutions address previously unexplored challenges, opening up new avenues of protection and resilience. As these services evolve and gain traction, they have the potential to reshape the cybersecurity landscape, spawning entire industries built around their unique offerings and expertise.

The cybersecurity industry provides the allure of the unknown, with challenges and opportunities for discovery abound. The industry sparks a sense of adventure and curiosity. The pursuit of the unknown becomes an exhilarating quest to uncover new solutions to evolving challenges.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

The emergence of AI and its wide availability in the form of chatbots is both interesting and concerning. While these advancements can enhance a business’s productivity, they also can empower adversaries and refine their attack methods. In particular, attackers can now conduct automated data discovery to determine high-value targets and can now produce realistic messages with this information in record time. This will likely bypass many traditional email filters and will introduce additional elements of legitimacy to social engineering attempts. Phishing attacks will become more sophisticated and harder to detect. Organizations will need to remain vigilant and introduce advanced security and phishing training for their employees. As AI use increases, organizations will need to ensure updates are consistently made to training programs to highlight the emerging commonalities of these types of social engineering attempts.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I frequently use a number of tools to ensure security and vendor review best practices. The main tools I use are compliance automation and monitoring platforms. These platforms allow organizations to monitor their compliance using automated tests and organize and attribute evidence to controls across numerous frameworks. Organizing and preparing this information not only helps to effortlessly demonstrate compliance during audits, but also enables organizations to practice good cybersecurity hygiene by following relevant information security policies, by ensuring consistent baseline security is met on systems, and by following required onboarding and offboarding procedures.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

You don’t need to have a large team to have a strong cybersecurity and compliance posture; however, you need to have the right knowledge and resources. A small company with standard security software following cybersecurity best practices may appear secure, but could they withstand a cyber attack? Without conducting a thorough gap analysis, a company may not know if its layers of security are effective. Unless an organization has security resources available, I would always recommend looking into contracting with a vCISO or a security agency. It is never too early to engage with knowledgeable cybersecurity professionals, but it can be too late.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

The largest indicators that something may be amiss arise from a lack of checks and balances.

Ensure systems are reviewed and all relevant controls are in place on a regular cadence, such as quarterly.

Review system logs for anomalous activity. Ask your team what administrative events are being logged and what the associated alert channels are.

Fine tune your alert mechanisms to tune out noise. Create a goal to investigate each alert as if it is suspicious.
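The three signs above come down to knowing which administrative events are logged, reviewing them for anomalies, and tuning alerts so that the ones that remain are each worth investigating. The following is an added example written for this page, not code from the interview or from any particular logging product: it triages a small, constructed JSON-lines audit log, suppresses the one expected automation pattern, and escalates events that a reviewer would treat as suspicious. The event names, the automation account `svc-provision` and the address ranges are all constructed.

```python
"""Administrative-event triage over an audit log with noise suppression.
Added example with constructed data; the log format, action names and
automation rule are assumptions, not any vendor's schema."""
import json
from collections import Counter

# Constructed sample audit log (JSON lines). Addresses use documentation ranges.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:12:01Z","actor":"alice","action":"user.login","target":"alice","src_ip":"203.0.113.10"}
{"ts":"2024-03-04T09:15:44Z","actor":"alice","action":"user.mfa_disable","target":"bob","src_ip":"203.0.113.10"}
{"ts":"2024-03-04T02:03:10Z","actor":"svc-provision","action":"user.create","target":"new-hire-17","src_ip":"10.0.0.5"}
{"ts":"2024-03-04T02:04:00Z","actor":"svc-provision","action":"role.assign","target":"new-hire-17","src_ip":"10.0.0.5"}
{"ts":"2024-03-04T03:40:27Z","actor":"bob","action":"role.assign","target":"bob","src_ip":"198.51.100.7"}
{"ts":"2024-03-04T10:01:00Z","actor":"alice","action":"doc.view","target":"runbook","src_ip":"203.0.113.10"}
{"ts":"2024-03-04T10:02:00Z","actor":"carol","action":"apikey.create","target":"carol","src_ip":"198.51.100.9"}
"""

# Administrative actions that should always be reviewed, with a base severity.
# Everything else (logins, document views) is left to normal log retention.
ADMIN_ACTIONS = {
    "user.mfa_disable": "high",
    "role.assign": "medium",
    "apikey.create": "medium",
    "user.create": "low",
}

# Noise suppression: the provisioning automation account is expected to create
# users and assign roles from its own network. Only that exact pattern is
# suppressed; the same account doing anything else still alerts.
EXPECTED_AUTOMATION = {
    "svc-provision": {"actions": {"user.create", "role.assign"}, "src_prefix": "10.0.0."},
}

BUSINESS_HOURS_UTC = range(6, 22)  # assumption for the sample; tune per organization


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_expected_automation(event):
    rule = EXPECTED_AUTOMATION.get(event["actor"])
    return (rule is not None
            and event["action"] in rule["actions"]
            and event["src_ip"].startswith(rule["src_prefix"]))


def triage(events):
    """Return the administrative events that warrant investigation, each with
    a severity and the reasons it was flagged."""
    alerts = []
    for e in events:
        severity = ADMIN_ACTIONS.get(e["action"])
        if severity is None or is_expected_automation(e):
            continue
        reasons = [f"administrative action {e['action']}"]
        # A user granting a role to themselves is not a normal workflow.
        if e["action"] == "role.assign" and e["actor"] == e["target"]:
            reasons.append("self-assigned role")
            severity = "high"
        hour = int(e["ts"][11:13])
        if hour not in BUSINESS_HOURS_UTC:
            reasons.append("outside business hours (UTC)")
        alerts.append({"ts": e["ts"], "actor": e["actor"], "action": e["action"],
                       "target": e["target"], "severity": severity, "reasons": reasons})
    return alerts


def severity_counts(alerts):
    """Summary by severity, useful for checking whether tuning is working."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_LOG)):
        print(a["severity"].upper(), a["ts"], a["actor"], a["action"], "->", a["target"], "|", "; ".join(a["reasons"]))
    print(severity_counts(triage(parse_events(SAMPLE_LOG))))
```

On the sample data, the two provisioning events are suppressed because they match the documented automation pattern, while the MFA disable, the self-assigned role at 03:40 and the new API key each produce one alert. That is the intent of the advice above: suppress only what you can explain, so every alert that remains is small enough in number to be investigated as if it were real.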

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

If an organization is the target of a security breach, the organization should immediately work to understand the entry point, ensure that the source of the data breach has its access revoked, and review other possible access points. An analysis should be conducted on what systems were compromised as well as possibilities to pivot to other systems. If customer data was not accessed, this should be communicated quickly to assuage fears amongst customers. If customer data was accessed, it’s important to provide information on which data was accessed and for how long to all affected parties. Transparency and timeliness in response are critical to maintaining customer confidence during a breach.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The most common mistake that I see companies make when it comes to data security and cybersecurity is implementing security measures in order to check a box. Compliance programs are extremely helpful and provide a solid baseline to build an information security program on, but poorly implemented compliance programs can leave gaps within your organization that attackers can leverage. I recommend implementing compliance programs while keeping security best practices in mind. A perfect example of this can be seen in a security awareness training program. A robust security awareness training program will reduce social engineering risks more than a once-annual 15-minute training video required of your team.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

With the onslaught of the COVID-19 pandemic, many organizations made the move to remote work environments and moved sensitive information that used to be stored on local intranet servers and on-prem solutions to the cloud. This change has made company and customer information more available to malicious actors and made the opportunity for internal privacy handling mistakes greater. As a result, cybersecurity and digital privacy errors occur more often. Companies that continue to move to cloud infrastructure or that are new to cloud infrastructure would do well to put in the work to ensure their environment is configured against a secure baseline.


You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

If I could inspire a movement, I would emphasize the importance of taking a moment to be thankful for those around you and appreciate the interconnectedness of the world you live in. We live in an era of unprecedented collaboration, hospitality, and opportunity. Help is available to you for anything you put your mind to, not just cybersecurity topics.

How can our readers further follow your work online?

You can follow me on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

You can read the original article published in Authority Magazine on Medium.

You can also check out Rhymetec CISO Metin Kortak’s interview on How AI Is Disrupting Our Industry and what we can do about it. 

About Rhymetec

Rhymetec was founded in 2015 as a Penetration Testing company. Since then, we have served hundreds of SaaS businesses globally in all their cybersecurity, compliance, vendor review, and data privacy needs. We’re industry leaders in cloud security, and our custom services align with the specific needs of your business. If you’d like to learn more about how our team can help your business with security, contact our team for more information.
