Who needs a vCISO — a virtual Chief Information Security Officer?
Cybercrime isn’t something that happens to ‘other’ organisations any more. SMEs, charities and schools are realising that they are as exposed as the big players to financial and reputational loss. As a result, many are taking a more comprehensive and strategic approach to cyber security.
The person who traditionally directs that comprehensive, strategic approach is a chief information security officer (CISO). If he or she sounds expensive, you’re on to something. It’s not uncommon for businesses to be pulled between a desire to take cyber security seriously on the one hand and financial constraints on the other.
This is where a virtual chief information security officer (vCISO) can provide a solution.
What are vCISO services?
A vCISO takes responsibility for, and oversees, your whole cyber security programme.
They deliver the operational cyber risk management programme and are accountable for the organisation’s data security and information security governance.
This cyber risk management programme defines, documents and communicates policies, processes and procedures that direct the management of cyber risk.
Because a vCISO is an outsourced ‘on demand’ service, it can be an incredibly cost-effective way to implement a high-level and comprehensive cyber security programme. A vCISO can be called on for support ‘as and when’ and will provide the following:
- Information security governance
- Management of cyber risks
- Legal and regulatory compliance
- Business continuity and disaster recovery
- Human resources – behaviour and information governance
- Supplier and partner security diligence
At Intersys, our vCISO services can work seamlessly with your existing IT and/or security team; or we can provide further resources, for instance a chief technology officer (CTO), to implement the vCISO’s recommendations.
What does a vCISO do in practice?
Above is a broad description of a vCISO’s duties. Below you’ll find more detail about the typical objectives and deliverables. It should provide a good introduction to the scope of the job and, in turn, the factors you must consider to properly protect your organisation from cyber criminals.
Duties cover the following areas:
1) Objective: Risk assessment to identify, evaluate, and manage cyber security threats
Deliverables: Support a board / cyber security steering committee as follows:
- Investigate and assess risks and suggest mitigating actions
- Review adequacy of existing mitigation activities
- Review skills gaps and recommend training where necessary, or mandated (for instance fraud awareness or data protection training)
2) Objective: Data governance, classification controls and information security controls
Deliverables: Advise the board on how to maintain the confidentiality, integrity and availability of hardware, software and data, as follows:
- Design and maintain group-wide security models, policies and procedures
- Design or review a technological compliance framework, which could include data protection and regulatory legislation for specific sectors such as financial services, pharmaceuticals, education and legal
- Conduct an internal audit to ensure compliance with codes of conduct, and to benchmark against best-practice technical security controls (such as ISO 27001 or the NIST frameworks)
3) Objective: Detection, protection, response and recovery controls
Deliverables: Support the cyber security steering committee and advise the organisation’s key third-party technology suppliers on appropriate security controls, as follows:
- Monitor technology infrastructure services, other providers and third parties, and feed back recommendations to them
- Periodically review security monitoring and logging
- Assess material data breaches and prepare the reports for submission to sector-specific regulators
- Advise on business continuity and disaster recovery planning and management
How much does a virtual CISO cost?
Much less than a full-time, in-house CISO. In Intersys’ case, our rates are scalable, based on your number of devices, so the service is priced to fit organisations of your size.
To find out more about our vCISO service, get in touch now on +44 (0)20 3005 4440 to arrange a chat with a vCISO professional. We can assess your needs and suggest a course of action that will protect your organisation at a reasonable price.