{"id":883,"date":"2026-05-07T14:49:00","date_gmt":"2026-05-07T19:49:00","guid":{"rendered":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/?p=883"},"modified":"2026-05-08T15:02:27","modified_gmt":"2026-05-08T20:02:27","slug":"what-should-a-business-cybersecurity-plan-include","status":"publish","type":"post","link":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/blog\/what-should-a-business-cybersecurity-plan-include\/","title":{"rendered":"What Should a Business Cybersecurity Plan Include? A Modern Guide Inspired by Behind the Firewall"},"content":{"rendered":"<h2><b>Key Takeaways<\/b><\/h2>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Cybersecurity is a layered strategy, not a single product<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Employees are a critical line of defense and require ongoing training<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">MFA and strong password practices can prevent the majority of breaches<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Incident response planning is essential for minimizing damage<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Continuous monitoring is required in today\u2019s threat landscape<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Cybersecurity plans must be tailored to each business<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">In today\u2019s rapidly evolving threat landscape, understanding <a href=\"https:\/\/cmitsolutions.com\/it-services\/cybersecurity\/\">what should a business cybersecurity plan include<\/a> is no longer optional\u2014it\u2019s essential. The recent episode of Behind the Firewall podcast reveals many small and mid-sized businesses still believe cybersecurity is just about installing antivirus software. 
In reality, it\u2019s a comprehensive, layered strategy designed to protect people, systems, and data from increasingly sophisticated attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Drawing insights from Edgar Ortiz of CMIT Solutions, this guide translates expert advice into practical, business-focused cybersecurity strategies.<\/span><\/p>\n<h2><b>Cybersecurity Is a Strategy, Not a Product<\/b><\/h2>\n<p><span style=\"font-weight: 400\">One of the biggest misconceptions highlighted on Behind the Firewall is that cybersecurity can be solved with a single tool.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u201cThey think cybersecurity is just one product. It\u2019s not\u2014it\u2019s a layered defense strategy.\u201d \u2014 Edgar Ortiz<\/span><\/p>\n<p><span style=\"font-weight: 400\">Antivirus software alone is no longer sufficient. Modern threats\u2014ransomware, AI-driven phishing, and social engineering\u2014require a dynamic, multi-layered defense approach.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Think of cybersecurity like home security: a lock on the door isn\u2019t enough. You need monitoring, alerts, and awareness working together.<\/span><\/p>\n<h2><b>The 7 Essential Layers of a Cybersecurity Plan<\/b><\/h2>\n<p><span style=\"font-weight: 400\">According to Edgar Ortiz of CMIT Solutions, every small to mid-sized business should implement these seven critical layers:<\/span><\/p>\n<h3><b>1. Endpoint Protection (EDR)<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Advanced, behavior-based protection for laptops, desktops, and servers that can detect and stop threats like ransomware in real time.<\/span><\/p>\n<h3><b>2. Email Security<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Since over 90% of attacks begin with email, advanced filtering is essential to block phishing, malicious attachments, and impersonation attempts.<\/span><\/p>\n<h3><b>3. 
DNS Filtering<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Prevents access to dangerous websites, stopping threats before they even reach your systems.<\/span><\/p>\n<h3><b>4. Multi-Factor Authentication (MFA)<\/b><\/h3>\n<p><span style=\"font-weight: 400\">One of the most effective controls against unauthorized access\u2014especially for email, cloud apps, and administrative accounts.<\/span><\/p>\n<h3><b>5. Dark Web Monitoring<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Provides early warning if employee credentials are exposed in data breaches.<\/span><\/p>\n<h3><b>6. SIEM (Security Information and Event Management)<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Gives visibility into your environment by collecting and analyzing logs to detect real threats.<\/span><\/p>\n<h3><b>7. Security Awareness Training<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Often the most overlooked\u2014but most important\u2014layer.<\/span><\/p>\n<h2><b>Why Employees Are Your First Line of Defense<\/b><\/h2>\n<p><span style=\"font-weight: 400\">A recurring theme from the podcast is that cybersecurity isn\u2019t just technical\u2014it\u2019s human.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u201c90% of successful cyberattacks start with a human decision.\u201d \u2014 Edgar Ortiz<\/span><\/p>\n<p><span style=\"font-weight: 400\">Employees are frequently the entry point for attacks, whether through phishing emails or social engineering tactics.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Effective programs\u2014like those implemented by CMIT Solutions\u2014focus on:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Monthly micro-training<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Simulated phishing campaigns<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Real-time coaching after mistakes<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">This approach 
transforms employees from a vulnerability into a powerful defense layer.<\/span><\/p>\n<h2><b>The Importance of Strong Passwords and MFA<\/b><\/h2>\n<p><span style=\"font-weight: 400\">Credential-based attacks remain one of the biggest risks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u201cIf you fix passwords and authentication, you eliminate most of your risk.\u201d \u2014 Edgar Ortiz<\/span><\/p>\n<p><span style=\"font-weight: 400\">Best practices include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Using long passphrases (14+ characters)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Avoiding password reuse<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Using a password manager<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Enabling MFA everywhere possible<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Authenticator apps or hardware keys provide stronger protection than SMS-based authentication.<\/span><\/p>\n<h2><b>What to Do in the First Hour After a Breach<\/b><\/h2>\n<p><span style=\"font-weight: 400\">One of the most practical takeaways from Behind the Firewall is how to respond when something goes wrong.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The first hour is critical:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><b>0\u201310 minutes:<\/b><span style=\"font-weight: 400\"> Contain the threat by isolating systems (without shutting them down)<\/span><\/li>\n<li style=\"font-weight: 400\"><b>10\u201320 minutes:<\/b><span style=\"font-weight: 400\"> Notify your incident response team and cyber insurance provider<\/span><\/li>\n<li style=\"font-weight: 400\"><b>20\u201335 minutes:<\/b><span style=\"font-weight: 400\"> Preserve evidence and document actions<\/span><\/li>\n<li style=\"font-weight: 400\"><b>35\u201350 minutes:<\/b><span style=\"font-weight: 400\"> Assess scope and rotate 
credentials<\/span><\/li>\n<li style=\"font-weight: 400\"><b>50\u201360 minutes:<\/b><span style=\"font-weight: 400\"> Activate internal communication with leadership and legal teams<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Preparation\u2014not reaction\u2014is what makes the difference during a breach.<\/span><\/p>\n<h2><b>Customizing Your Cybersecurity Plan<\/b><\/h2>\n<p><span style=\"font-weight: 400\">CMIT Solutions emphasizes that no two businesses are alike.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Cybersecurity strategies should be built around:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><b>Industry requirements<\/b><span style=\"font-weight: 400\"> (HIPAA, PCI, etc.)<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Business size<\/b><span style=\"font-weight: 400\"> and infrastructure<\/span><\/li>\n<li style=\"font-weight: 400\"><b>Risk profile<\/b><span style=\"font-weight: 400\"> and data sensitivity<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">A structured implementation roadmap typically includes:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">30-day plan: Address critical vulnerabilities<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">60-day plan: Deploy core security controls<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">90-day plan: Establish monitoring and response<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">12-month roadmap: Mature and optimize the program<\/span><\/li>\n<\/ul>\n<h2><b>Cybersecurity and Compliance Go Hand in Hand<\/b><\/h2>\n<p><span style=\"font-weight: 400\">Rather than treating compliance as a checklist, the smarter approach is to build strong security first.<\/span><\/p>\n<p><span style=\"font-weight: 400\">As discussed in the podcast, when proper controls are in place\u2014such as access management, encryption, and monitoring\u2014compliance 
naturally follows.<\/span><\/p>\n<h2><b>Continuous Monitoring Is Non-Negotiable<\/b><\/h2>\n<p><span style=\"font-weight: 400\">Cyber threats evolve constantly, which means cybersecurity cannot be static.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u201cCybersecurity isn\u2019t a project you finish. It\u2019s an ongoing practice.\u201d \u2014 Edgar Ortiz<\/span><\/p>\n<p><span style=\"font-weight: 400\">Modern security programs require:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Continuous vulnerability scanning<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Regular penetration testing<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Quarterly reviews<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Annual formal assessments<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Businesses that treat cybersecurity as a continuous process are far better positioned to prevent and respond to attacks.<\/span><\/p>\n<h2><b>Building a Resilient Business with Cybersecurity<\/b><\/h2>\n<p><span style=\"font-weight: 400\">Understanding <a href=\"https:\/\/cmitsolutions.com\/it-services\/cybersecurity\/\">what should a business cybersecurity plan include<\/a> is the foundation of a resilient organization. 
Insights from Behind the Firewall and experts like Edgar Ortiz at CMIT Solutions make one thing clear: cybersecurity is not about buying tools\u2014it\u2019s about building a living, evolving strategy.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Businesses that adopt a layered approach, invest in employee awareness, and commit to continuous improvement will be far better equipped to navigate today\u2019s complex threat landscape.<\/span><\/p>\n<h2><b>FAQs<\/b><\/h2>\n<h3><b>What is the most important part of a cybersecurity plan?<\/b><\/h3>\n<p><span style=\"font-weight: 400\">A layered defense strategy that combines technology, processes, and employee awareness.<\/span><\/p>\n<h3><b>Is antivirus software enough for protection?<\/b><\/h3>\n<p><span style=\"font-weight: 400\">No. Antivirus alone cannot defend against modern threats like phishing, ransomware, and AI-based attacks.<\/span><\/p>\n<h3><b>How often should cybersecurity training be conducted?<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Training should be continuous, with monthly updates and regular phishing simulations.<\/span><\/p>\n<h3><b>Why is multi-factor authentication so important?<\/b><\/h3>\n<p><span style=\"font-weight: 400\">MFA drastically reduces the risk of unauthorized access, even when passwords are compromised.<\/span><\/p>\n<h3><b>How often should a cybersecurity plan be reviewed?<\/b><\/h3>\n<p><span style=\"font-weight: 400\">Quarterly reviews combined with continuous monitoring are recommended to stay ahead of evolving threats.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h4>Podcast Transcript:<\/h4>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Hi everybody, I\u2019m your host, Mike Downer on <\/span><i><span style=\"font-weight: 400\">Behind the Firewall<\/span><\/i><span style=\"font-weight: 400\">. I\u2019m here again with Edgar Ortiz, owner and managing partner of CMIT Solutions of Des Moines. 
How are you doing today, Edgar?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> We\u2019re doing excellent\u2014really happy to be here for another episode.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Absolutely. Today, we\u2019re discussing one of your favorite topics: what a small business cybersecurity plan should actually include. So let me ask you\u2014what are the essential components of a cybersecurity plan for a small to mid-sized business, and how do you build one?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> That\u2019s a great place to start, because this is where most small businesses get it wrong. They think cybersecurity is just one product. It\u2019s not\u2014it\u2019s a layered defense strategy.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We typically talk about seven layers every small business should have:<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer one is endpoint protection\u2014modern EDR (Endpoint Detection and Response). This should be running on every laptop, desktop, and server. Not just consumer antivirus like Norton\u2014this is behavior-based detection that can stop ransomware before it encrypts your files.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer two is email security. Over 90% of cyberattacks start with email. You need advanced filtering to catch phishing, malicious attachments, and business email compromise\u2014especially with AI making attacks more convincing.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer three is DNS filtering. This blocks malicious websites at the network level, stopping malware before it downloads.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer four is multi-factor authentication (MFA). This should be on everything\u2014email, VPN, cloud apps, admin accounts. 
It\u2019s one of the most effective controls against credential-based attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer five is dark web monitoring. If employee credentials show up in a breach, you need to know immediately and force password resets.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer six is security information and event management (SIEM). This collects and analyzes logs across systems to detect real threats. Without it, you\u2019re essentially blind.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Layer seven is security awareness training. Most attacks happen due to human error, so you must train employees continuously.<\/span><\/p>\n<p><span style=\"font-weight: 400\">That\u2019s why cybersecurity is a multi-layered approach.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> That makes sense. Early on, you mentioned antivirus. Can you explain why having a full cybersecurity plan is different from just buying antivirus software?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Absolutely. This is a question every business owner should ask before a breach.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Antivirus is a product. A cybersecurity plan is a living strategy.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Antivirus scans for known threats\u2014that worked back in 2005. But today\u2019s threats\u2014ransomware, AI phishing, social engineering, supply chain attacks\u2014don\u2019t always show up in antivirus databases.<\/span><\/p>\n<p><span style=\"font-weight: 400\">A real cybersecurity plan evolves constantly. It includes governance, incident response, training, patch management, vendor risk, and continuous monitoring.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Here\u2019s the analogy: buying antivirus and calling it cybersecurity is like buying a deadbolt and calling it home security. 
Real security includes alarms, cameras, monitoring, and more.<\/span><\/p>\n<p><span style=\"font-weight: 400\">At CMIT, we build programs\u2014not products. We review them quarterly, update them as threats evolve, and test them regularly.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Great explanation. Let me ask you this\u2014why are employees considered the first line of defense?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Because 90% of successful cyberattacks start with a human decision. Someone clicks a link, opens an attachment, or wires money based on a fake email.<\/span><\/p>\n<p><span style=\"font-weight: 400\">No technology can stop everything\u2014but training employees can stop most attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">At CMIT, training isn\u2019t a once-a-year video. That approach is outdated.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We provide:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Monthly micro-training (short, relevant videos)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Simulated phishing campaigns<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Immediate coaching when someone clicks<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">This isn\u2019t about punishment\u2014it\u2019s about improving behavior.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Industry click rates are 20\u201330%. We bring that down to 2\u20133%.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We also train for modern threats like deepfake voice scams, AI phishing, vendor impersonation, and QR code attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The threat landscape has evolved, and training must evolve with it.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> That\u2019s powerful. Let\u2019s talk about passwords and MFA. 
Why are they so critical?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Here\u2019s a key stat: over 80% of data breaches involve stolen or weak credentials.<\/span><\/p>\n<p><span style=\"font-weight: 400\">If you fix passwords and authentication, you eliminate most of your risk.<\/span><\/p>\n<p><span style=\"font-weight: 400\">For passwords:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use long passphrases (at least 14 characters)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use a password manager<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Never reuse passwords<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Monitor the dark web for leaks<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Old advice like changing passwords every 90 days is outdated\u2014it leads to weaker passwords.<\/span><\/p>\n<p><span style=\"font-weight: 400\">For MFA:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Use it everywhere<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Authenticator apps are better than SMS<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Hardware keys are even stronger<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">If you combine strong passwords, MFA, and monitoring, you eliminate about 80% of breach risks.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Let\u2019s say something still goes wrong. What should a business do in the first hour after discovering a breach?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> The first hour is critical.<\/span><\/p>\n<p><b>0\u201310 minutes:<\/b><span style=\"font-weight: 400\"> Contain the threat. Isolate affected systems. 
Disconnect them from the network\u2014but don\u2019t shut them down, or you\u2019ll lose forensic evidence.<\/span><\/p>\n<p><b>10\u201320 minutes:<\/b><span style=\"font-weight: 400\"> Notify your incident response team. Call your cyber insurance provider immediately\u2014this is crucial.<\/span><\/p>\n<p><b>20\u201335 minutes:<\/b><span style=\"font-weight: 400\"> Preserve evidence. Don\u2019t wipe systems or restore backups yet. Document everything.<\/span><\/p>\n<p><b>35\u201350 minutes:<\/b><span style=\"font-weight: 400\"> Assess the scope. Identify affected systems and rotate credentials.<\/span><\/p>\n<p><b>50\u201360 minutes:<\/b><span style=\"font-weight: 400\"> Activate your communication plan. Notify executives, legal counsel, and others as needed\u2014but don\u2019t go public without legal guidance.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The key is having a plan in advance\u2014so no one is guessing during a crisis.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> How do you customize cybersecurity plans for different businesses?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Every business is different. 
We base plans on three factors: industry, size, and risk profile.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Industry determines compliance requirements (HIPAA, PCI, etc.).<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\"> Size determines the scale of your security architecture.<\/span><span style=\"font-weight: 400\"><br \/>\n<\/span><span style=\"font-weight: 400\"> Risk profile determines priorities.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We conduct assessments and build:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">30-day plan (fix critical gaps)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">60-day plan (deploy controls)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">90-day plan (monitor and respond)<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">12-month roadmap (mature the program)<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">We translate technical risks into business language so owners can act on them.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> How does a cybersecurity plan help with compliance?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Cybersecurity and compliance go hand in hand.<\/span><\/p>\n<p><span style=\"font-weight: 400\">If you build strong security controls, you naturally meet most compliance requirements.<\/span><\/p>\n<p><span style=\"font-weight: 400\">For example:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">HIPAA requires access control, encryption, and training<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">PCI requires segmentation, MFA, and monitoring<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Instead of treating compliance as a checklist, we build real security first\u2014compliance becomes a 
byproduct.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Final question\u2014why are regular assessments so important today?<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Because threats change constantly.<\/span><\/p>\n<p><span style=\"font-weight: 400\">An annual assessment gives you a snapshot\u2014but everything can change within weeks.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Modern cybersecurity requires:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Continuous vulnerability scanning<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Monthly penetration testing<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Quarterly reviews<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Annual formal assessments<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Attackers operate 24\/7\u2014your defenses must too.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Cybersecurity isn\u2019t a project you finish. It\u2019s an ongoing practice.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Edgar, this has been incredibly insightful. Thank you for breaking this down so clearly. I\u2019m looking forward to our next conversation.<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> Thank you\u2014happy to be here.<\/span><\/p>\n<p><b>Mike Downer:<\/b><span style=\"font-weight: 400\"> Thanks again for joining me on <\/span><i><span style=\"font-weight: 400\">Behind the Firewall<\/span><\/i><span style=\"font-weight: 400\">. 
Until next time\u2014have a great day.<\/span><\/p>\n<p><b>Edgar Ortiz:<\/b><span style=\"font-weight: 400\"> See you next time.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways Cybersecurity is a layered strategy, not a single product Employees&#8230;<\/p>\n","protected":false},"author":1033,"featured_media":884,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-883","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-local-it"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/posts\/883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/users\/1033"}],"replies":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/comments?post=883"}],"version-history":[{"count":0,"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/posts\/883\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/media\/884"}],"wp:attachment":[{"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/media?parent=883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/categories?post=883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cmitsolutions.com\/des-moines-ia-1210\/wp-json\/wp\/v2\/tags?post=883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}