
Interim/Contract Virtual CISO (vCISO) Services

- Executive-level security leadership that creates and improves technology and security postures in enterprise environments.


Too much is at stake not to have a Chief Information Security Officer (CISO). Robust security leadership from a seasoned CISO is essential in the modern organization: a security leader brings the specialized technical knowledge and corporate governance experience needed to build a strong cyber security foundation, and the agility to prevent, detect and mitigate evolving threats.

Whatever the reason you don't have a CISO in place at the moment, we provide a Virtual CISO (vCISO) service: an outsourced security advisor that gives your company cost-effective access to a high-end cybersecurity professional. What varies from client to client is how much of that professional's time is needed and for how long.

As a vCISO, our focus is to ensure every organization and business operates in a secure manner, with all of its critical data and assets properly protected. One of the major problems is that many organizations approach cybersecurity incorrectly: they try to prevent all attacks and be 100% secure, which in today's world is impossible. The proper approach is to identify all the critical assets, perform a risk analysis on them, design protection layers around those critical assets, and focus on timely detection of attacks while minimizing and controlling the damage they can inflict. We achieve this by building out effective security programs and roadmaps that actually work.

vCISOs should have strong leadership skills and an in-depth understanding of information systems and security. They should also be able to effectively communicate their complex security and IT knowledge to colleagues with varying levels of technical understanding.

vCISOs have certain job requirements that closely mirror the requirements of a traditional, in-house CISO; these include the following:

  • protecting the confidentiality, integrity and availability of data;
  • long-term cybersecurity strategy development;
  • governance, risk and compliance (GRC) program development;
  • risk assessment;
  • risk management;
  • security awareness and training;
  • developing secure business and communication practices;
  • reporting on security operations;
  • monitoring security operations;
  • defining metrics to measure program success;
  • management of personnel and vendor relationships; and
  • integration and management of other third-party security services.


Benefits of employing a vCISO

  • Unbiased analysis. As an external third party, the vCISO may be able to evaluate an organization's existing security program more objectively than an internal employee.
  • Cost-effectiveness. Pay-as-you-go pricing allows organizations to pay for only the time and services they use. A vCISO is usually drastically cheaper than having a salaried CISO in house and saves on capital expenditures.
  • On-demand service. Using a vCISO provides constant, flexible availability of security resources. As demands change, clients can alter their services accordingly.
  • Long- and short-term benefits. In the short term, vCISOs can make organizations more secure by identifying immediate risks and introducing or tightening controls. In the long term, they can help lay the groundwork for a future in-house security program through training and improvement of core processes and infrastructure.
  • Experience. Many vCISOs have had extensive experience working with a wide array of diverse organizations.


Below are a few examples of vCISO project engagements:


Interim Chief Information/Security Officer (CIO/CISO)

  • Global Company Providing Web Application Software and Cloud-Hosted Solutions (Current Engagement)
  • Large USA Physician-Owned and Physician-Led Acute Care Medical Group
  • Financial Services Company
  • Public Company and Global Leader of Cloud Insurance Software Solutions
  • Global Industry Leader, Consumer Food Business
  • Industry-Leading International Program Marketing and Customer Loyalty Rewards Program
  • Incentive Transaction-Processing Network
  • Industry-Leading Platform as a Service (PaaS) Provider
  • High-Profile National USA Law Firm
  • CLEC Telecommunications Company

  • Responsible for coordinating and overseeing global compliance with policies and procedures regarding the confidentiality, integrity, availability and security of all information assets. Direct management of, and interaction with, global security and management teams. Ensured compliance with PCI, HIPAA, GDPR and other regulatory security requirements, including responsibility for ensuring all controls were in place and for overseeing the filing of compliance reports with banks and credit card acquirers/processors.
  • Implemented security program frameworks with compliance review frequency and individual responsibility matrices.
  • Helped design and implement a global Microsoft Local Administrator Password Solution (LAPS) deployment, as well as centralized multi-factor authentication (MFA) for non-console administrative access to all servers globally and to the Microsoft Azure cloud clusters, resulting in centralized secure access and security logging.
  • Responsible for annual risk assessments to identify new threats and vulnerabilities and identify appropriate controls to mitigate any new risks.
  • Implemented vendor/third-party security risk assessment programs and documentation requirements.
  • Coordinated multiple global external and internal penetration tests and vulnerability scan remediation projects resulting in a stronger global security posture of networks, applications and systems.
  • Developed and implemented a cloud security assessment procedure, providing risk assessment scores for potential cloud providers. Prepared all documentation for global information security board review.
  • Project management for the secure removal of outdated encrypted credit card storage databases. Work included project planning, development of control methodologies, interaction with secure destruction vendors, and preparation of the final project report for auditors and attorneys.
  • Direct involvement in annual compliance audits performed by a major credit card company partner, including completion of the risk assessment and review of evidence.