Issue link: https://iconnect007.uberflip.com/i/1088168
SMT007 MAGAZINE | MARCH 2019

...of the data is transferred to my facility electronically. Where am I exposed, and what do I do?

Humphreys: Well, you're exposed internally and externally without knowing what kind of protection and controls you have in place, but the data in transit and data at rest issues or challenges that NIST has a guide for is something that's an area in electric utilities, for instance, where there's no regulatory requirement covering data at rest and data in transit. They will say that your security logs and data aren't allowed to leave your electronic security perimeter, which is hindering people from adopting cloud in the electric utility space. But if you took to the regulators with the NIST guide and said, "I've implemented these NIST best practices to protect my data in transit and data at rest. I'll take your compliance violation and fight it all day because I'm beyond what your compliance violation is," those are the kinds of things I would tell a manufacturing company to look at. Look at these guides to mitigate your hypervisor permissions or your jump host where that data is leaving and coming back and forth, and the multifactor authentication that you have when people access that file share.

These aren't overly strenuous safeguards to put in place, which is the other thing. People get really wrapped around the action and think this is going to be some hugely intimidating task to implement, but it's not that hard to put a couple of processes in place and stand up a hypervisor. Most of these folks have some kind of multifactor authentication method already in place. It's more of a procedural and knowledge-type process such as, "This is how we're going to do it now as part of our culture to mitigate these risks versus all of this effort to bring in new technology and tools."

Johnson: I need to bring in some expertise to take a look at this situation, put together a plan, and implement it.

Humphreys: Correct.
Johnson: I know I'm oversimplifying this, but how big of a company do I need to be to justify hiring somebody dedicated on my staff to do that? Where is that threshold where I should have somebody that I've hired versus somebody I'm working with on a contract for a project basis?

Humphreys: For example, a $15-million manufacturing company should easily have a dedicated staff of two to three people devoted to general-purpose IT. The unicorn is really the general counsel side with the technical, which is like the Bigfoot unicorn thing that you find out there. I'm contemplating going back to law school, to be quite honest.

Johnson: The technical recruiter on the conference call is the purple squirrel.

Humphreys: Exactly. That's your diamond in the rough, or whatever analogy you want to use for the mythical creature, but that's what you want to do. In the absence of finding that, if you can get the younger talent as you see here to have a sparkle in their eye on the regulatory side and retain them, that's the key. Have a plan to incentivize them to stay; keep them on their career route. And train them in-house. But at a $15-million company, you need two to three dedicated IT staff with one to two people with heavy regulatory and security backgrounds who are strategic thinkers and understand best practices.

"25-30% of my work is mapping the regulatory requirements...to ITAR standards"