Lawrence Cruciana

CISSP, CISM, CMMC-RPA, and Founder and President

With over 20 years of Information Technology (IT) experience in regulated enterprise businesses and as a Managed IT Services Provider (“MSP”), Lawrence brings unique insight into the fusion of information risk management, third-party supply chain privilege management, and the operational IT challenges faced by mid-market and small governmental organizations. He is an experienced information security practitioner that has designed and implemented hundreds of cybersecurity and technology risk management programs incorporating key control frameworks including NIST Cyber Security Framework (CSF) and the CIS Critical Security Controls (CSC).

Lawrence is actively engaged in ongoing security research and community development which mitigates supply-chain vulnerabilities introduced by smaller businesses into enterprise organizations. His specific emphasis recently is focusing on improving the overall security of the information ecosystem by incorporating unique risks introduced into smaller government and mid-market organizations through IT MSPs and third party trusted vendors.

Examples of Past Presentations

Lawrence Cruciana has experience in speaking on a number of subjects related to the SMB security sphere. If you are interested in having Lawrence present at an event, below are three examples of recent presentations that may speak to your audience. Feel free to contact us to suggest additional topics or areas of focus!

"Residual Risk: It's Not Always About The Zero Days"

The state of Cybersecurity often is typified in terms of the latest flashy 0-Day exploit or the most recent high-profile data breach. While these are characteristic elements of the state of security, they are not representative of the vast majority of successful attacks. Often, smaller organizations focus on implementing increasingly complex, capable, and expensive cybersecurity tools rather than securing the practical and, often, more opportunistic areas of the information ecosystem. This session will review the vulnerability management practices of a typical commercial entity, identify the common pitfalls encountered by IT teams in this pursuit, and present practical and directly-implementable methods to implement meaningful security controls across a modern multi-vendor environment. Using the CIS Controls, we'll address many of the most commonly attacked areas found in most information ecosystems using free and low- cost methods that are easily implemented and understood. Attendees will walk away with actionable information, field-proven tools, and practical methods to improve the cybersecurity posture of their individual environments.

"The SMB Supply Chain Ecosystem"

The vulnerability of government, enterprise, and small business organizations alike to supply chain attacks is a rapidly evolving threat. One commonly overlooked supply chain attack vector, recently identified within initiatives supporting the National Cybersecurity Strategy, is the use of Remote Monitoring and Management (RMM) software by threat actors to effectively bypass many existing security controls. RMM software historically has been employed principally by Managed Service Providers (MSPs). With approximately 85% of commercial organizations that employ fewer than 500 employees utilizing the services of one or more MSPs, the presence of multiple RMMs within the trusted supply chain of most commercial enterprise and government entities is nearly certain. This session will explore in depth the origins, identification, and effective risk mitigations for this highly successful emerging threat. Delivered from the perspectives of a technologist and practitioner, two experts who first raised concerns in 2016 about the potential for attacks using RMMs will explore proven methods to cooperatively improve the security of the supply chain from enterprise to SMB against RMM attacks.

"Measuring Up: Achieving CMMC/800-171 Compliance in Smaller Organizations"

Throughout the industrial supply chain, cyberattacks continue to increase in frequency and severity. Smaller organizations are disproportionately impacted by these attacks and are often not equipped to deal with the long-term ramifications. Unsurprisingly, organizations involved in the supply chain of the U.S. Department of Defense are often more aggressively targeted by sophisticated threat actors. The NIST 800-171 and emerging CMMC standards intend to help safeguard potentially sensitive information from these threat actors. Smaller organizations often have difficulty accurately measuring and reporting their cybersecurity posture under these standards. This session will provide attendees with the knowledge to more readily understand the intentions of these standards and the tools by which to measure and objectively report their cybersecurity posture to internal and external stakeholders. Additionally, we will introduce practical solutions to close the cybersecurity gap between IT and OT to improve overall cybersecurity outcomes. These solutions employ open standard cybersecurity frameworks and low-cost tools to ensure they are accessible to organizations of all sizes and complexities.