What R-Score Means as a Public-Private-Educational Initiative
On August 24, HYCU, along with key industry partners across security, solutions partners and academia, introduced R-Score. R-Score is a first-of-its-kind assessment tool that scores an organization's ransomware recovery readiness, similar to the way Fair and Isaac set up the FICO scoring system more than thirty years ago. We spoke to Kevin Powers, JD, who is the Founder and Director, Cybersecurity Graduate Programs at Boston College and a Cybersecurity Research Affiliate at MIT Sloan School of Management (CAMS), to learn more about why being prepared and ready to recover in the event of a ransomware attack is so critical.
Q: Why is R-Score an interesting initiative?
KP: What really sparked my interest in the beginning was the opportunity to have a true collaboration between private industry, government, and academia in developing a free, public resource to address the cyber threats faced today, specifically ransomware.
At Boston College through our Cybersecurity and National Security graduate programs and also my work at MIT as a research affiliate, we’ve been working with the government as well as private industry and academics in trying to come up with ideas to get everyone in the room together to address these cyber threats in order to help organizations protect their business operations and data.
And that’s exactly what we did with R-Score. Similar to the Boston Conference on Cybersecurity, which is an event we jointly host at Boston College with the FBI, where we bring together senior executives from all industries and government sectors to hear from the leading experts and practitioners in cybersecurity to discuss best practices to address the current issues at hand.
You've seen a number of initiatives coming from various groups and industries. Recently, President Biden convened a summit of private sector and education leaders to discuss the whole-of-nation effort that is needed to address the rise in cybersecurity threats, including ransomware threats. To combat these threats, we have to work together. I couldn’t agree more; what’s needed is an all-hands approach. That's what got me really excited about R-Score and that's why I'm so happy to be involved with this initiative.
Q: Where do you see some of the near-term use cases or applicability for R-Score?
KP: I think right out of the gate, for private and government - local, state, and federal - organizations, R-Score provides a user-friendly tool that provides you an easy-to-follow dashboard that answers the key questions for any organization as it relates to ransomware - "Where am I now? If I was hit with ransomware today, how quickly can I recover and get back to operational readiness?" That information alone puts most organizations ahead of the curve. From a use case perspective, it has powerful application. If, for example, I'm a director on a board or if I'm a senior executive, I can look at it and say, "Based on our R-Score, we have to address this issue now." Or, "It looks like we're okay, but we need to improve our ability to defend against and mitigate an attack and this is how we can do so," based on the insights provided by R-Score.
Q: We know you do a lot of work in the industry and also with private companies. So where do you see it as far as a board-level discussion at this point in time?
KP: This is increasingly becoming more of a board-level conversation and it has been for a while now. When we started our program at Boston College (and this is true today), the whole idea was to bridge the communications gap between the IT department and senior level executives and the board of directors. There's still a disconnect there. The CISOs have their job. They're doing a great job by the way, but it's still down to communication. Sometimes the CISOs don't know what to present to the board, or they do but they're not doing it in a way that's easily digestible. Then you have board members and senior executives talking, "Hey, I get the threat of cybersecurity," but it's then looked on as an IT issue. I’ve been saying this for a while now, "Cybersecurity is not a tech issue. It's actually a business, enterprise risk management issue that needs to be run from the top down, not the bottom up." We really have to get a better way to communicate at both levels, from the IT department to the senior executives to the board and across the whole enterprise.
Whether you’re in the C-suite, on a board, or managing a business or IT unit, I think R-Score provides an easy way for you to get an easily digestible, non-technical dashboard view as to your current status as it relates to protecting your business operations and sensitive data from a ransomware attack. As such, once you see your score, you can take the necessary measures to improve your cybersecurity posture.
Q: Where can readers learn more about what you are focused on and the events you will be doing in the coming months?
KP: Well, we’re kicking off the academic year with the first of our “Cyber & National Security Webinars” at Boston College on September 16th. The webinar is focused on “Cybersecurity Risk Management: Ransomware Planning, Response, Mitigation, and Recovery” and our panelists are Supervisory Special Agent Doug Domin, Criminal Cyber Squad with FBI - Boston Division, and Simon Taylor, the CEO and Founder of HYCU, Inc. Ransomware will be a key topic of discussion, no doubt. More information is available on our webpage at: www.bc.edu/mscybersecurity
Also, there’s been a lot of talk and interest in cloud security and we’re focusing, in the classroom and through our webinar series, on that. People think, "Oh, I'm going to move everything to the cloud, and we're fine. We reduce the risk. We reduce the cost." Well, you do reduce both, but the liability sticks with you and there's a lot that takes place when you go from a network to the cloud. There are a number of things to consider - How do you configure it? How do you manage it? Who's holding the data for you? What are the contract ramifications? And then it comes down to people thinking, "Hey, it's in the cloud. We're all backed up, right?" That's typically not the case.
You look at any of the advisories and guidance coming from the Federal government, whether FBI, CISA, FTC, among others, and they begin with “back up your data.” I think back to 2017 at our first Boston Conference on Cyber Security, when we had FBI Director Comey as the keynote for the Conference. One of his main takeaways for the attendees was “backup your data.” No doubt, backing up your data is a critical piece of the puzzle.
I’ll also be presenting at MIT Sloan School of Management on September 24th with Simon Taylor. It’s a virtual event where we’ll be discussing ransomware recovery strategies.
And, of course, it’s down the road a bit, but we’re already planning the 6th Annual Boston Conference on Cyber Security (BCCS 2022), which is scheduled for March 2nd and will be “in-person” again at BC.
To read more about R-Score and Professor Kevin Powers’ involvement, you can check out his recent conversation with Boston College News at “GetRScore helps organizations assess ability to recover from ransomware attack.” To take the R-Score and find out what your readiness is to recover from a ransomware attack, visit www.getrscore.org.