Too much is at stake not to have a Chief
Information Security Officer (CISO). Having robust security leadership from a seasoned CISO is important
in the modern organization; a security leader has the specialized technical knowledge and corporate governance experience
to help build a strong cyber security foundation and the agility to prevent, detect and mitigate evolving threats.
Regardless of the reasons why you don't have a CISO in
place at the moment, we provide a Virtual CISO (vCISO) service: an outsourced
security advisor that gives your company cost-effective access to a high-end cybersecurity professional.
What varies is the amount of time required and the length of the engagement.
As a vCISO, our focus is to ensure every organization
and business is operating in a secure manner, with all of their critical data and assets properly protected. One
of the major problems is that many organizations approach cybersecurity incorrectly: they try to prevent all attacks and be
100% secure, which in today's world is impossible. The proper approach is to identify all the critical assets,
perform a risk analysis on them, design protection layers around those critical assets, and focus on timely detection of attacks
while minimizing and controlling the damage they can inflict. How we do all that to protect an organization is
to build out effective security programs and roadmaps that actually work.
vCISOs should have strong leadership skills and an in-depth understanding of information
systems and security. They should also be able to effectively communicate their complex security and IT knowledge to colleagues
with varying levels of technical understanding.
vCISOs have certain job requirements that closely mirror the requirements of a traditional, in-house CISO; these include the following:
- protecting the confidentiality, integrity and availability of data;
- long-term cybersecurity planning;
- governance, risk and compliance (GRC) program development;
- risk assessment;
- security awareness and training;
- developing secure business and communication practices;
- reporting on security operations;
- monitoring security operations;
- defining metrics to measure program success;
- management of personnel and vendor relationships; and
- integration and management of other third-party security services.
Benefits of employing a vCISO
- Unbiased analysis. As
an external third party, the vCISO may be able to evaluate an organization's existing security program more objectively
than an internal employee.
- Cost-effectiveness. Pay-as-you-go
pricing allows organizations to pay for only the time and services they use. A vCISO is usually drastically cheaper than
having a salaried CISO in house and saves on capital expenditures.
- On-demand service. Using a vCISO provides constant, flexible availability
of security resources. As demands change, clients can alter their services accordingly.
- Long- and short-term benefits. In the short term,
vCISOs can make organizations more secure by identifying immediate risks and introducing or tightening controls.
In the long term, they can help lay the groundwork for a future in-house security program through training and improvement
of core processes and infrastructure.
- Experience. Many
vCISOs have had extensive experience working with a wide array of diverse organizations.
Here are a few examples of vCISO project engagements:
Chief Information/Security Officer (CIO/CISO)
Global Company Providing Web Application Software
and Cloud-Hosted Solutions (Current Engagement)
Large USA Physician-Owned and Physician-Led Acute Care Medical Group
Financial Services Company
Public Company and Global Leader of Cloud Insurance Software Solutions
Leader-Consumer Food Business
Industry-Leading International Program Marketing and Customer Loyalty Rewards Program
Incentive Transaction-Processing Network
Industry-Leading Platform as a Service (PaaS) Provider
USA Law Firm
CLEC Telecommunications Company
Responsible for coordinating and overseeing global compliance with policies and procedures regarding the confidentiality, integrity, availability
and security of all information assets. Direct management of, and interaction with, global security and management teams. Ensured
compliance with PCI, HIPAA, GDPR and other regulatory security requirements, including ensuring all controls were in
place and overseeing the filing of compliance reports with banks and credit card acquirers/processors.
- Implemented security program frameworks with compliance review frequency and
individual responsibility matrices.
- Helped design and implement
a global Microsoft Local Administrator Password Solution (LAPS) deployment, as well as centralized multi-factor authentication (MFA)
for non-console administrative access to all servers globally and the Microsoft Azure cloud clusters, resulting in centralized
secure access and security logging.
- Responsible for annual
risk assessments to identify new threats and vulnerabilities and identify appropriate controls to mitigate any new risks.
- Implemented vendor/third-party security risk assessment programs and documentation.
- Coordinated multiple global external and internal
penetration tests and vulnerability scan remediation projects resulting in a stronger global security posture of networks,
applications and systems.
- Developed and implemented a cloud
security assessment procedure, providing risk assessment scores for potential cloud providers. Prepared all documentation
for global information security board review.
- Project management
for secure removal of outdated encrypted credit card storage databases. Work included project planning, development of control
methodologies, interaction with secure destruction vendors, and preparation of final project report for auditors and attorneys.
- Direct involvement with annual compliance audits performed by major credit card
company partner, including completion of risk assessment and review of evidence.