Cybersecurity Is Risk Management

Cybersecurity is NOT just a technology problem. The majority of cyber incidents are caused by human action or inaction with the result becoming a risk to business operations and perhaps a risk to the survival of a business. Affected parties include shareholders, stakeholders, customers, executives, and employees of the business.

The direct costs of data breaches are well documented from many sources and news articles. The indirect costs are harder to determine and dependent on the type of business that is affected. There are steps that CEOs and every Board of Directors should take to minimize the risk to their business. It begins with adoption of a Risk Management Program.

Identifying and Measuring Risk

Risks can and should be quantified. If businesses don’t understand their highest-risk areas, leadership cannot make business decisions to mitigate the highest risks to the most critical functions of the business. Everything cannot and should not be protected equally. A famous quote from Adolf Galland, a World War II German fighter pilot, says, “he who protects everything, protects nothing.”

Risk can be determined by understanding threats, vulnerabilities, and impact. To evaluate impact, you have to identify and understand your most critical business functions and the resources necessary to perform them (i.e., business process analysis). Quantifying threats, vulnerabilities, and impact according to their effect on these most critical business processes, and on the resources necessary to carry them out, results in a risk score that can be compared against a number of risk-management schemas. Risk management should take into account all hazards – natural (weather, disease outbreak, etc.) and man-made (terrorism, crime, insider threat, etc.). Cybersecurity risk management must also give consideration to physical access controls to space, equipment, and hard-copy information. Additionally, personnel security is important to protect against insider threats. In today’s interconnected business environment, with its high reliance on digital assets, cybersecurity is an ever more critical component of risk management.

Standards and Controls

ISO and NIST. There are a number of industry security standards and controls from ISO and NIST that address and can guide cybersecurity and risk management. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a solid foundation for best business practices. The ISO27k standards are deliberately risk-aligned, meaning that organizations are encouraged to assess the security risks to their information. There are existing ways to crosswalk the controls to tailor specific approaches to address business risk profile and achieve compliance.

Compliance Concept

For organizations supporting government activities, NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Non-federal Information Systems and Organizations, describes fourteen (14) families of controls that are a comprehensive cybersecurity best practice for any business. (This is required for Department of Defense (DoD) contractors to be compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) by December 31, 2017.) Civilian government contractors are expected to have to comply with these requirements during 2018 based on the Federal Register publication, and the requirements are anticipated to be included in the Federal Acquisition Regulations (FAR). The CUI program is an extended derivative of the larger and more comprehensive Federal Information Security Management Act (FISMA) Implementation Project.

The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents include NIST SPs 800-37, 800-53, and 800-53A.

Compliance with any of these identified standards includes a human element for risk management. The controls and standards require much more than technology to monitor and manage information security. Compliance requires establishment of governance, policy, implementation of procedures, evidence of practice, and a continuous assessment of security and risk.

Enterprise Security Risk Management (ESRM). As defined by ASIS International, ESRM is a management process used to effectively manage security risks, both proactively and reactively, across an enterprise. ESRM continuously assesses the full scope of security-related risks to an organization and within the enterprise’s complete portfolio of assets. The management process quantifies threats, develops business impact analyses, establishes mitigation plans, identifies risk acceptance practices, manages incidents, and guides risk owners in developing remediation efforts.

Prepare Now.

Risk Management

As evidenced by recent news, even with a comprehensive cybersecurity program, it is highly likely that organizations will be involved in an information/cyber security incident. Organizations must prepare for and mitigate exposure to corporate risks, including risks to shareholders, stakeholders, customers, executives, and employees of the business.

If your organization is struggling with adoption of a cybersecurity or other security/compliance program, let Zofia Consulting help you develop and implement the program within a broader business risk management approach. Doing so now will help leadership navigate business operations with a more mindful and prepared posture.

Mark Tanner is a senior advisor for Zofia Consulting and a senior executive with a wide range of experience in law enforcement, intelligence, and business. As a Special Agent of the Federal Bureau of Investigation (FBI) he led criminal and counterterrorism programs, including Southwest Border Initiatives in Arizona and the Foreign Terrorist Tracking Task Force (FTTTF) established after 9/11. He established the FBI’s Office of the Chief Information Officer (CIO) while serving as the deputy CIO, where he was responsible for enterprise architecture and was the accrediting authority for FBI systems. Following a 23-year career with the FBI, he has held director and executive level positions in small, medium, and large companies.

Mark manages security related areas such as continuity of operations and information security, including audits and compliance with NIST Special Publications 800-53 security and privacy controls, as well as 800-171 for Controlled Unclassified Information (CUI). He also serves as Co-Chair of the FBI’s InfraGard, Cyber Security Special Interest Group (Cyber SIG) for the National Capital Region Members Alliance.

Mark Tanner holds an accounting degree from East Carolina University and is a Certified Protection Professional (CPP). Federal Computer Week magazine recognized and highlighted Mr. Tanner as one of the ten “new IT leaders” in the federal government, and he was a finalist for the Citigroup Smith Barney CIO of the Year Award. 



Zofia Consulting Compliance Advisory Services

  • Information Security Management System (ISMS)
  • ISO 27000 series, NIST SP800-53, NIST SP800-171 Compliance
  • Cybersecurity Framework
  • Business Continuity Management System (BCMS) 
  • Federal Continuity Directives (FCD) 1 & 2
  • Incident Reporting and Response
  • CUI Strategy Development and Implementation


DFARS Industry Day – CUI Compliance

Our team attended the DoD DFARS Industry Day held on 23 June 2017 in the Washington DC area. The Industry Day auditorium was full, and we had a chance to reconnect with many of our professional colleagues from many parts of the DoD contracting community. During Industry Day, it was apparent there were many questions from us, from our clients, and from our fellow industry professionals. It was also apparent that industry as a whole has a lot to do to meet the deadline.


DFARS 252.204-7012 and CUI NIST SP800-171 Compliance?

Yes. Do it. No extensions or excuses. 

If DoD contractors are non-compliant at the end of 2017, there is a real risk of having to stop work.

DoD knows there are challenges, particularly amongst small-to-midsize companies who seem disproportionately impacted by the security controls due to the limited time, staff and resources. Most companies are tasking their Facility Security Officers and/or IT staff with compliance duties on top of their other already busy days. Our colleagues expressed dismay at the unplanned and unexpected high costs of compliance not just in this budget year, but in their added lifecycle costs.

DoD is unwavering in their commitment to getting government contractors to secure industry systems that handle Controlled Unclassified Information (that includes Controlled Defense Information (CDI)).

Below are a few of the highlights we picked up from the meeting.
The objective of the DFARS CUI program is to reduce and protect the attack surface. The DoD is NOT changing any provisions of the regulations that have been published.

DoD has four (4) primary areas of focus:

  1. Strong Authentication – this includes multi-factor authentication
  2. Harden Devices – includes:
    • Configuration Management
    • Patch Management
  3. Reduce Attack Surface – limit internet connections and establish trusted internet connections
  4. Defend Every Computer – implementing the same defenses as the DoD

Leadership Involvement is Key.  

A compliance task passed to staff does NOT equal a task completed. DoD expects senior executives in companies to understand the cyber threats and get behind US Government efforts to secure their environment. The DoD Office of the Chief Information Officer (OCIO) is overseeing the DoD DIB Cybersecurity Strategy.


ALL encryption implemented must have FIPS 140-2 validation. “Equal to” or “better than” encryption was not acceptable.


The relevant section of the DFARS is 252.204-7012 for contractors’ use of cloud services. 252.204-7010 relates to cloud services provided for DoD’s use.

  • The contractor’s cloud service must meet FedRAMP Moderate controls.
  • Cyber incidents must be reported to comply with CUI. It was noted that the cloud service provider (CSP) may not be aware of all cyber incidents, depending on the configuration, administration, and service level agreement.
  • Access requirements, defined in sections c – g, may not apply in all circumstances (e.g., where the CSP is used for email or other infrastructure).

Implementation Process and Procedures

There were a number of questions on attestation and/or certifying requirements for compliance. Here is the bottom line:

  • DoD will NOT monitor compliance
  • DoD will NOT certify compliance
  • DoD will NOT recognize 3rd party assessments

However, remember that by signing a contract that requires CUI compliance, the contractor is making an attestation that they are compliant (i.e., agreeing that the contract has been/will be executed in his or her presence according to the formalities required by law). Compliance may be:

  • Full implementation of the NIST SP800-171 controls
  • Partial implementation of NIST SP800-171 controls with a Plan of Actions and Milestones (POAM) for full implementation. Remediation schedule must be in place.
  • Partial implementation of NIST SP800-171 with some alternatives for full compliance

If a contractor elects to implement and employ “alternative” controls, those alternatives must be equally effective. The DoD OCIO will evaluate alternative controls and deficiencies for all DoD Services. The DoD goal is a 5-day adjudication of the sufficiency of the alternative control. If the alternatives are found not to be “equal” in compliance, or if the remediation plan is inadequate, the contractor puts their ability to work on the contract at risk.

How to Demonstrate Compliance?

The System Security Plan (SSP) and POAM are the tools to demonstrate compliance. However, government contract officers are NOT bound to accept a System Security Plan and POAM for implementing DFARS regulations as an alternative to timely compliance.

System Security Plan

The SSP should show controls that are:

  • Not Applicable – with rationale
  • Alternative, but equal – with rationale and appropriate artifacts
  • Exceptions
  • Individual, isolated, or temporary deficiencies should be assessed for risk and mitigation applied

The SSP may be required as part of an RFP. If required, it may be used as one of the following:

  • Used as an evaluating factor
  • Used as pass/fail

Defense Contract Management Agency (DCMA)

DCMA will verify that the cybersecurity clauses are included in contracts and that SSPs have been completed.

Cyber Incidents

A cyber incident is defined by a compromise. A compromise occurs when information is disclosed to an unauthorized person in violation of security policy. A cyber incident report should include (at a minimum):

  • Evidence of compromise
  • Information affected
  • Determination if it requires operationally critical support in response

Cyber incident reports are made to DC3, which analyzes the report and forwards it to the appropriate contracting officer(s). Follow-up action is determined by the Damage Assessment Management Office (DAMO). The requiring activity (DoD Program Manager) will notify the company for follow-up action.


  • DoD Cyber Crime Center (DC3)
  • DoD, OCIO web site
  • DoD Procurement and Acquisition web site
  • Executive Order 13800, Strengthening Cybersecurity of Federal Networks and Critical Infrastructure
  • DoD Memo, Guidance on Implementation of CUI
  • DoD Instruction, 5000.02, Enclosure 14



There was a lot here, and these are just the highlights. If you need assistance with understanding the DOD DFARS CUI mandate, assessing your status, or with reaching compliance – please contact us for an initial consultation. We are here to help you and have the team standing by to get you compliant quickly. 






Time to Give Your Incident Response Playbook a Checkup!

As spring turns to summer, cyber threats heat up just like the weather. It’s time to give your Incident Response (IR) playbook a checkup, the same as your A/C system.

Here are the areas to do a quick check in your IR Playbook.

  • VERIFY CONTACT INFORMATION. Your IR Playbook should include all responder and stakeholder contact information as well as alternate phone numbers and email addresses for possible out-of-band communications (in the event your internal email is compromised). Your contact list should also identify alternative responders and stakeholders in the event primary personnel are unavailable.

The information below is the recommended minimum for contact data. Please ensure a hardcopy and an alternate-media backup!

IR Function/Role

– Name
– Phone Number
– Mobile Number
– Home Number
– Home Address
– Office email
– Alternate email
– Alternate Contact
– Alternate Contact Phone
– Alternate Contact Mobile
– Alternate Contact Home Number
– Alternate Contact Home Address
– Alternate Contact Office email
– Alternate Contact Alternate email

  • AUTOMATED NOTIFICATION. If you use an automated notification methodology like “Send Word Now” or some other critical notification system, now is the time to test and validate all the phone numbers and email addresses as well as the alternate responder and stakeholder’s contact information.
  • TEST AND EVALUATE. When testing, make sure everyone is aware that it is a “Test of the Incident Response Notification System.” They will get and need to respond to all alerts to confirm contact information is up to date.
  • VALIDATE RESOURCE AVAILABILITY. If you leverage “ad-hoc” resources in your IR program (e.g., forensic examiners), now is the time to validate that these resources are still available and agreeable to the continued responsibility – their managers need to approve this commitment prior to the actual need. Include their information, like the above, in your IR playbook, and include them in the test and notification system directory as well.
  • INFRASTRUCTURE CHANGES. Your checkup should include a review of any infrastructure changes or additions to validate your continued security controls (e.g., port scans, whitelist/blacklist settings, anti-virus versions, patch management, etc.) and your capability to identify compromises. You also want to validate any cloud applications and security event reporting – is the cloud provider sending you information to integrate into your analysis engines? There could be trending that identifies targeting of both on- and off-premises systems.
  • BUSINESS OPERATIONS CHANGES. The IR Playbook and Operational Procedures Manual should be reviewed and validated yearly or when any significant changes occur in business operations. For example, recent business changes such as a merger or acquisition should trigger the review and changes to the notification contact list as well as a review of the BCP.
  • BUSINESS CONTINUITY PLANNING. Your playbook should identify the mission critical applications as identified in your Business Continuity Plans (BCP). Having IR Playbook information linked will ensure you address the responses needed for the appropriate systems should prioritization become an issue. Keeping the BCP up to date will provide immeasurable support to IR activities, reduce confusion, and mitigate risk.
  • LEADERSHIP INCLUSION. It’s important to have your IR playbook supported by senior leadership. Ensure corporate leadership is on the automated notification system. Inclusion will accomplish a second objective – providing situational awareness and gaining decision-maker engagement with consistent and timely information delivery.
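Added example (not from the post or from Zofia Consulting): a small Python checkup that validates an IR contact directory against the minimum fields listed above and flags “alternate” channels that would not actually be out-of-band. The field names, the `check_directory` function and the sample directory are assumptions constructed for this example.

```python
"""Checkup for an Incident Response contact directory.

Added example (not Zofia Consulting's code). Validates that every IR role
carries the recommended minimum contact data from the playbook checklist and
flags records whose "alternate" channels are not really out-of-band.
Field names and the sample directory are constructed for this example.
"""

# Minimum fields per person, following the playbook's recommended list.
# The alternate contact carries the same fields under "alternate_contact".
REQUIRED_FIELDS = (
    "name", "phone", "mobile", "home_phone", "home_address",
    "office_email", "alternate_email",
)


def _domain(email):
    """Return the lower-cased domain of an e-mail address ('' if malformed)."""
    if not email or "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].strip().lower()


def check_person(prefix, person):
    """Return a list of findings for one person record (primary or alternate)."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not str(person.get(field, "")).strip():
            findings.append(f"{prefix}: missing {field}")
    # Out-of-band check: an alternate e-mail on the corporate domain goes down
    # together with the office mailbox if internal e-mail is compromised.
    office = _domain(person.get("office_email"))
    alt = _domain(person.get("alternate_email"))
    if office and alt and office == alt:
        findings.append(f"{prefix}: alternate_email is on the corporate domain ({alt}), not out-of-band")
    # A mobile number that merely repeats the office line gives no second voice channel.
    if person.get("mobile") and person.get("mobile") == person.get("phone"):
        findings.append(f"{prefix}: mobile number duplicates office phone")
    return findings


def check_directory(directory):
    """Validate the whole directory; returns {role: [findings]} for roles with issues."""
    report = {}
    for role, record in directory.items():
        findings = check_person(role, record)
        alternate = record.get("alternate_contact")
        if not alternate:
            findings.append(f"{role}: no alternate contact designated")
        else:
            findings.extend(check_person(f"{role}/alternate", alternate))
            if alternate.get("name") and alternate.get("name") == record.get("name"):
                findings.append(f"{role}: alternate contact is the same person as the primary")
        if findings:
            report[role] = findings
    return report


# Constructed sample directory (fictional people, numbers and domains).
SAMPLE_DIRECTORY = {
    "IR Lead": {
        "name": "A. Example", "phone": "555-0100", "mobile": "555-0101",
        "home_phone": "555-0102", "home_address": "1 Sample St",
        "office_email": "a.example@corp.example", "alternate_email": "a.example@mail.example",
        "alternate_contact": {
            "name": "B. Backup", "phone": "555-0110", "mobile": "555-0111",
            "home_phone": "555-0112", "home_address": "2 Sample St",
            "office_email": "b.backup@corp.example", "alternate_email": "b.backup@mail.example",
        },
    },
    "Forensics (ad hoc)": {
        "name": "C. Examiner", "phone": "555-0120", "mobile": "555-0120",
        "home_phone": "", "home_address": "3 Sample St",
        "office_email": "c.examiner@corp.example", "alternate_email": "c.alt@corp.example",
        # No alternate_contact: a single point of failure for the role.
    },
}

if __name__ == "__main__":
    for role, findings in check_directory(SAMPLE_DIRECTORY).items():
        print(role)
        for finding in findings:
            print("  -", finding)
```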

If you are having challenges updating or creating your Incident Response Plans, Operational Procedures, or Business Continuity Plans, the Virtual CISO Program at Zofia Consulting can assist getting all required plans, processes, and procedures in order.

Chuck McGann
Senior Advisor, Zofia Consulting LLC
Former CISO United States Postal Service

Contact Chuck McGann

Charles L. (Chuck) McGann, Jr., is a nationally recognized information security professional and senior advisor to Zofia Consulting. Chuck leads the Virtual CISO™ Program at Zofia Consulting and focuses on small to mid-sized organizations, providing guidance in solidifying cybersecurity programs and compliance requirements. Chuck’s broad range of experience, from policy and procedure creation and review through incident response and threat mitigation, ensures companies are prepared to handle any variety of cybersecurity challenges.

Chuck is the former Corporate Information Security Officer (CISO) for the United States Postal Service (USPS). In this capacity, he secured one of the largest maintained intranets by any organization in the world, with over 200,000 workstations; over 45,000 retail terminals; more than 16,000 servers and over 220,000 Mobile Delivery Devices. The USPS infrastructure encompasses over 600 business applications that support all aspects of business operations as well as movement of the mail.

In his 28 years with the Postal Service, Chuck held numerous positions, including: Manager, Information Systems; Acting Postmaster; Business Systems Analyst; Business Project Leader; Distributed Systems Security Specialist; Manager, Information Security; and Incident Response Team Manager.

Over his distinguished career he has received numerous awards and recognition. He belongs to various national, regional, and local organizations such as the Government Technology Research Alliance group, FBI InfraGard, National Security Agency (NSA), and Information Systems Audit and Control Association (ISACA), to name a few.

Controlled Unclassified Information (CUI) Program Compliance: What Government Contractors Need to Know


Why Do We Need a CUI Program?

Over the last decade, there has been a dramatic convergence of hostile criminals operating online, rapid technological advancement, increasing digital government-industry communications, insider threats and other persisting threats of espionage to government and industry. News outlets are full of stories about information being stolen from private citizens, corporations and governments around the world attributed to external and internal bad actors. From a government perspective, these threats will remain an ongoing concern. These threats fuel U.S. Government efforts to lock down and protect sensitive government information. Industry must ensure they are accountable for sensitive U.S. Government information they are charged to work with. This U.S. Government interest is showing no signs of diminishing as expressed by the new and expanding regulations appearing across government. Industry leaders that want to do business with the U.S. Government will have to comply with these regulations to assist in protecting sensitive assets now and into the future.

What is CUI?

First and foremost, the CUI Program is about doing what’s right, due care, and good business practices. When followed, you will not only be protecting CUI, but also your sensitive company information and that of your customers. CUI replaces and standardizes previously used labels such as Sensitive But Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc. The specific definition can be found at the National Archives and Records Administration (NARA): CUI is information the U.S. Government creates or possesses, or that an entity creates or possesses for or on behalf of the U.S. Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Executive Order 13556 “Controlled Unclassified Information” established the CUI program, which is a system that standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view. In short – this is the US Government-wide approach to creating a uniform program on handling sensitive government information.


In 2015 and 2016, the US Government implemented significant policy changes that affect how DoD government contractors protect their own internal networks and compete for DoD contracts. The US Government response resulted in a change to the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP800-171) was published in June 2015 and was made a rule for the DFARS in May 2016.[i]

According to the rule, NIST SP 800-171 “defines the requirements necessary to protect CUI Basic on non-Federal information systems” and agencies “must use NIST SP800-171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems.” The rule confirms that contractors handling CUI will be required to comply with standards outlined in NIST SP800-171. The requirements for Executive branch agencies became effective in November 2016 by publication in the Federal Register.

According to the NARA Executive Agent the rule is to be adopted for the Federal Acquisition Regulations (FAR), one year from the Implementing Directive (32 CFR 2002).

There are 14 control families specified in the NIST SP800-171, Protecting CUI in Nonfederal Information Systems and Organizations.

  • Access Control – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • Awareness and Training – Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems.
  • Audit and Accountability – Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
  • Configuration Management – (i) Establish and maintain baseline configurations; and (ii) establish and enforce security configuration settings for information technology products.
  • Identification and Authentication – Identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • Incident Response – Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
  • Maintenance – (i) Perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
  • Media Protection – Protect information system media, both paper and digital.
  • Personnel Security – Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions.
  • Physical Protection – Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals and protect the environment of facilities.
  • Risk Assessment – Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  • Security Assessment – Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application and monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
  • System and Communications Protection – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  • System and Information Integrity – Identify, report, and correct information and information system flaws in a timely manner.

How Do I Assess Compliance?

There are tools and technologies that can assist in measuring and monitoring compliance, but the first step is typically an assessment by a subject matter expert to evaluate current policies and procedures of an organization against the NIST SP800-171 control standards. This assessment will identify control families that are met, partially met, and not met by current practices. The process toward full compliance will include:

  • Determine overall capabilities against the NIST SP800-171
  • Assess gaps in achieving compliance
  • Document a Plan of Action and Milestones (POAM)
  • Develop and implement mitigation strategies
  • Test system with remediation(s) in place
  • Fully employ remediated system and document performance
  • Enhance training and awareness to keep staff informed of requirements
  • Document all in a Systems Security Plan
  • Ensure artifacts/evidence of compliance are available and documented for each control
  • Ensure compliance with reporting guidance for reporting incidents

What if I Can’t Comply?


Bottom line: If you are not demonstrably compliant with evidence and artifacts, you may not be able to compete for federal government contracts. Remember the deadline is December 31, 2017!

All is not lost. Most small to medium-size businesses have basic access controls and physical security protections in place. Many other controls are practiced, but not well documented or applied consistently. In many instances, compliance is simply an exercise in cleaning house and getting documentation in order. In other cases, however, particularly for companies with no prior experience of compliance mandates, the work can be extensive, requiring months of effort and tens of thousands of dollars to bring systems up to NIST SP800-171 security standards. Regardless of where you are in the process, there is no more time to waste.

The DFARS 252.204-7012 states, “the contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” Don’t treat this lightly: CUI government regulations have the force and effect of law.

The burden is on the contractor to ensure that they meet legal and contractual obligations for handling CUI. Failure to comply may result in contract challenges, protests, and loss of award, as well as debarment, suspension and ineligibility for future government contracts. Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties.

You are not alone in this endeavor and Zofia Consulting, LLC is here to help you. Please contact us and let us help you navigate the best solution for your company to get you compliant quickly and efficiently.





[i] Contractors may hear about the CUI compliance mandate by a couple different monikers – “DFARS Compliance”; “7012 Compliance”; “NIST SP800-171 Compliance” and more. These terms all reference the same CUI compliance mandate.

Corporate Threat and Security – An Intro


Increased interest in holistic corporate security from our clients has inspired us to take our show again on the road! Our clients are tired of the piecemeal approach to business operations, cybersecurity, compliance, hiring, training, etc. They want a comprehensive “playbook” for integrating appropriate measures into day-to-day functions and operations.

We are traveling to provide tailored executive seminars to address these leadership concerns in business operations, physical security, personnel security and cybersecurity. Attached is a short presentation derived from recent “brown bag” discussions.

If your company or activity needs assistance understanding how basic security practices can improve business results and performance, please contact us. We are happy to tailor an executive seminar for you, delivered by the best in the business. From there we can discuss the specific areas of interest where we can assist you.



The entire presentation is here: Threat and Security – Intro for Companies

Please respect the Creative Commons licensing below. If you would like to use the content – please let us know at We can provide more detail and context than exists in just a slide or two.

Thank you!

Creative Commons License
Corporate Threat and Security by S. Michelle Farr, Zofia Consulting, LLC is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Relationship of Behavior to Security



Personality-based, or behavioral, assessments help reduce the subjectivity involved when employers only use interview techniques. An accurate personality-based assessment can provide objective insights into key personality traits intrinsically related to workplace dynamics and performance. The insights help key talent functions avoid mistakes related to bias, politics, “gut decisions,” and chance. These types of errors can produce a litany of organizational issues that can devastate business results and compromise security and performance.


Zofia Consulting, working with our 42 Group, leverages taxonomies, psychological profiling, real-time data, and machine learning combined with decision support systems to identify threats to client assets and resources. This unique combination of factors assists our clients in evaluating weaknesses in their systems and also opportunities for engagement and risk mitigation.


When used correctly, behavioral assessments lead to better hires and higher levels of performance, job satisfaction, improved security, morale, and long-term staff retention.

Interested in learning more? Send us a note!

Heidi Webb Joins Zofia Consulting Advisory Board for 42 Group


Ms. Heidi Webb

The CEO of Zofia Consulting today welcomed Ms. Heidi Webb, of Cornerstone Montgomery, to be the first appointed member of the Advisory Board for 42 Group.

Ms. Webb joins 42 Group after an intensive search for a leader with strong experience in the nonprofit domain who could assist the Group’s efforts in solving complex programs in mission areas ranging from childhood education, behavioral health, group advocacy, research, development operations, veterans’ issues and more.

“As 42 Group grows, we wanted to ensure we are leveraging the best talent in the field – and Heidi exemplifies all that we look for and need for our engagements,” said Michelle Farr of Zofia Consulting, LLC (the parent company of 42 Group).

Ms. Webb began her career securing 8(a) minority status for government contract-seeking technology firms, and helped secure contracts with the Department of Education and the Department of Defense. Sixteen years ago, Ms. Webb transitioned her capacity building skills to the nonprofit arena. Her expertise is in major gift solicitation, board development, strategic visioning, partnerships, event planning and management, grant writing, and government funding.

Ms. Webb’s leadership and coaching result in strong, effective, and collaborative development departments. In addition to her work, she volunteers extensively. Heidi Webb is an active Rotarian and has served on benefit committees for fundraising events for the American Cancer Society, the Duke Ellington School for the Arts, the Larry King Cardiac Foundation, and more. She also served as Campaign Chair for a Maryland State Legislator.

For more information about Ms. Webb, Zofia Consulting, and/or 42 Group – please fill out our contact form for Zofia Consulting or for 42 Group.