Interim/Contract Virtual CISO (vCISO) Services - Executive-level security leadership that creates and improves technology and security postures in enterprise environments.
Too much is at stake not to have a Chief Information Security Officer (CISO). Robust security leadership from a seasoned CISO is important in the modern organization: a security leader has the specialized technical knowledge and corporate governance experience to help build a strong cybersecurity foundation, and the agility to prevent, detect and mitigate evolving threats. Whatever the reason you don't have a CISO in place at the moment, we provide a Virtual CISO (vCISO) service: an outsourced security advisor that gives your company cost-effective access to a high-end cybersecurity professional. What varies is how much of that professional's time you need and for how long.

As a vCISO, our focus is to ensure every organization and business operates in a secure manner, with all of its critical data and assets properly protected. One of the major problems is that many organizations approach cybersecurity incorrectly; they try to prevent all attacks and be 100% secure, which in today's world is impossible. The proper approach is to identify all the critical assets, perform a risk analysis on them, design protection layers around those critical assets, and focus on timely detection of attacks while minimizing and controlling the damage they can inflict. We do this by building out effective security programs and roadmaps that actually work.

vCISOs should have strong leadership skills and an in-depth understanding of information systems and security. They should also be able to communicate their complex security and IT knowledge effectively to colleagues with varying levels of technical understanding. The job requirements of a vCISO closely mirror those of a traditional, in-house CISO; they include the following:
- protecting the confidentiality, integrity and availability of data;
- long-term cybersecurity strategy development;
- governance, risk and compliance (GRC) program development;
- risk assessment;
- risk management;
- security awareness and training;
- developing secure business and communication practices;
- reporting on security operations;
- monitoring security operations;
- defining metrics to measure program success;
- management of personnel and vendor relationships; and
- integration and management of other third-party security services.
Benefits of employing a vCISO
- Unbiased analysis. As an external third party, the vCISO may be able to evaluate an organization's existing security program more objectively than an internal employee.
- Cost-effectiveness. Pay-as-you-go pricing allows organizations to pay for only the time and services they use. A vCISO is usually drastically cheaper than having a salaried CISO in house and saves on capital expenditures.
- On-demand service. Using a vCISO provides constant, flexible availability of security resources. As demands change, clients can alter their services accordingly.
- Long- and short-term benefits. In the short term, vCISOs can make organizations more secure by identifying immediate risks and introducing or tightening controls. In the long term, they can help lay the groundwork for a future in-house security program through training and improvement of core processes and infrastructure.
- Experience. Many vCISOs have extensive experience working with a wide array of diverse organizations.
Below are a few examples of vCISO project engagements:
- Responsible for coordinating and overseeing global compliance with policies and procedures regarding the confidentiality, integrity, availability and security of all information assets. Direct management of and interaction with global security and management teams. Ensured compliance with PCI, HIPAA, GDPR and other regulatory security requirements; responsible for ensuring all controls were in place and for overseeing the filing of compliance reports with banks and credit card acquirers/processors.
- Implemented security program frameworks with compliance review frequencies and individual responsibility matrices.
- Helped design and implement a global Microsoft Local Administrator Password Solution (LAPS) deployment, as well as centralized multi-factor authentication (MFA) for non-console administrative access to all servers globally and to the Microsoft Azure cloud clusters, resulting in centralized secure access and security logging.
- Responsible for annual risk assessments to identify new threats and vulnerabilities and to select appropriate controls to mitigate any new risks.
- Implemented vendor/third-party security risk assessment programs and documentation requirements.
- Coordinated multiple global external and internal penetration tests and vulnerability scan remediation projects, resulting in a stronger global security posture for networks, applications and systems.
- Developed and implemented a cloud security assessment procedure that provides risk assessment scores for potential cloud providers. Prepared all documentation for global information security board review.
- Project management for the secure removal of outdated encrypted credit card storage databases. Work included project planning, development of control methodologies, interaction with secure destruction vendors, and preparation of the final project report for auditors and attorneys.
- Direct involvement with annual compliance audits performed by a major credit card company partner, including completion of the risk assessment and review of evidence.
- Led internal efforts to understand requirements and obtain compliance certifications for EU-USA and Switzerland-USA Privacy Shield. Provided internal assessments of alignment with ITAR, FedRAMP, HIPAA and FFIEC compliance areas. Prepared summary reports and compliance/responsibility matrices for customer contracts.
- Performed infrastructure and security reviews; designed meshed, high-availability firewall and router enhancements to secure the call center technology environment. Led a successful project to integrate Cisco and Nortel core router, switch and firewall equipment into the call center infrastructure, leading to lower costs, faster throughput and higher availability.
- Worked with a major USA city's infrastructure and security teams to validate security infrastructure design proposals. Developed project plans, and communicated and coordinated changes with city agencies and departments. Led teams in successfully testing and implementing changes that provided immediate security to the call center server environment.
- Assisted city technology teams in evaluating firewall ruleset modifications and in designing and testing GPOs for secure workstation access to call center server applications.
- Reviewed all areas of corporate technology, interviewed Service Delivery Managers (SDMs), developed Service Level Agreement (SLA) metrics, and developed a Request for Proposal (RFP) for outsourcing all technology services. Developed, scheduled and project-managed the transition of knowledge and duties, focusing on ITIL processes, from internal teams to the outsourced managed provider.
- Led incident response investigations and performed hands-on forensic data acquisitions using EnCase and other commercial tools, applying knowledge of chain-of-custody and legal requirements for evidence collection and handling. Developed incident response procedure manuals and in-house training programs for incident handling.
- Developed corporate compliance training programs, including curriculum requirements, training frequency, targeted groups, and completion metrics for management reporting requirements.