By Ciarán Johnson, Head of CISO Services on February 13, 2019

Helping Address Security Risks: My Personal Experience as a vCISO

Cyber Risk and Assurance, Careers

When I was appointed the new Head of CISO Services at Integrity360, I recalled Yul Brynner in the original 1960 Magnificent Seven. The film tells the story of a small community working together to try and protect itself from a gang of bandits.

The elders of the community send out for a specialist’s help. The first, Yul Brynner, then gathers six others to help fight the bandits. While I don’t expect to be on the big screen for it, I would hope that our specialist skills can help clients fight off their risks.

ISACA (formerly known as the Information Systems Audit and Control Association), a global security advocacy group, predicts there will be a global shortage of 3.5 million cyber security job openings by 2021. To further complicate the labour shortfall, security professionals at enterprises know they’re in demand, and it’s understood that they will be receiving offers from other organisations.

Current environment of organisational data security
Pressures from existing and new regulations, customer demands and the constant stream of news headlines regarding data breaches are making data security a core issue. It wasn’t too long ago that the board of directors met once or twice a year, were briefed on the technical security measures in place, checked the boxes and moved on.

Times have quickly changed. Data breaches hitting the headlines on a near-daily basis have made the security of an organisation’s data assets an increasingly influential topic at every board meeting.

Add in the requirements of the GDPR – both data protection and information security – and you can begin to understand the challenges in protecting your customers’, your employees’ and the company’s data. We’ve already seen that the first fines issued under GDPR were due to weak security practices, as I wrote about in a previous blog. The board, its directors, senior management and all employees are responsible for the effectiveness of those security policies.

A different approach to data security
Data security doesn’t encompass just your technological defences or your swipe card-controlled entrances. It can become quite involved if your organisation has a number of complex and intertwined processes.

Security can impact the very activities that your teams rely on daily, but that doesn’t mean it should disrupt routine operations – it should enhance them. Getting the right balance is challenging but rewarding, and it may require a suite of security services that aren’t just ‘out-of-the-box’ solutions.

It takes a risk-based approach. One where your particular circumstances are assessed and understood, and appropriate defences are implemented at the right points in the enterprise’s operation or IT infrastructure.

Quite a number of organisations have an IT person responsible for IT security. While this is seen as essential because so many processes are dependent on technology, it may be too narrow a view. This approach may also not provide sufficient information to senior management, the CEO or the board for their decision-making processes, or to the shareholders who have the survival of the business at heart.

A Chief Information Security Officer (CISO) can provide this assurance to all the stakeholders. By empowering strategic and operational leadership to reduce the data security risks to the organisation, a CISO can be a key asset for your organisation. However, they are difficult to source and potentially expensive.

Maintaining a full-time CISO on staff can be costly, especially when most organisations may only need 30 or so hours per month of this type of specialist service. Dividing the responsibilities among 'many-hats' can be a high-risk approach as there is never enough time for the non-revenue generating hat that these individuals wear. And while it is a non-revenue generating service, it remains an essential one that, if not addressed appropriately, could lead to significant financial, operational and reputational impacts.

Enter the virtual CISO (vCISO or vISO) – also known as CISO-as-a-Service. We’ve seen significant growth in organisations moving their data and applications to the cloud, using a third-party service that specialises in IT services to enhance the technology service within the company and reduce the cost. So why not use the same approach with information security risk and governance?

There are numerous benefits of having an independent and qualified vCISO or vISO:

  • Can hit the ground running.
  • Has a reduced need for security training.
  • Is estimated to produce cost savings of 30 to 40 percent in comparison to a full-time hire.
  • Increases understanding of how data security risk impacts the organisation directly by conveying those risks clearly in business terms.
  • Provides independent expert opinion on, at times, complex issues.

An effective vCISO can establish a comprehensive strategy, draft policies or procedures and implement tactical and operational security controls while also understanding the risk environment the organisation operates in.

Reasons to hire a vCISO
There are a number of times that you should consider using a vCISO:

  • Your organisation has a vacancy for its security position.
  • You have a newly appointed CISO/ISO who may need mentoring.
  • Your current CISO/ISO lacks the time or expertise to take on ever-changing demands of the position.
  • Your CEO or board of directors is seeking a cyber risk advisor.
  • You need supplemental expertise to fill gaps in your current programme.

The vCISO should be able to work with the CEO, COO, CFO, CRO and CIO on how to raise their information security maturity level. 

In my own experience during recent vCISO engagements, I’ve started with a vision for the organisation, established an information security governance structure (or embedded it as part of an existing senior management forum), as well as provided them with the tools, support and information they need to make risk-based decisions on the protection of their client and corporate data.

Through this they’ve achieved a healthy middle ground by not wholly outsourcing the decision-making process while still being able to utilise an experienced and qualified security professional. A vCISO service can be delivered as a long-term or short-term solution.

How to get started with a vCISO today
To establish the correct level of service, a provider completes an initial assessment of current capabilities. The report provided to the client then recommends a number of variations tailored to address your organisation’s needs. As no two services are the same, it’s important to ensure that the services selected are the right fit for the risk level and budget of your organisation. 

Want to know more?

If you’re interested in learning more about vCISO services please get in touch by filling out a contact form. If you don’t feel like a vCISO is what your organisation needs after a chat, do remember Integrity360 provides a wide range of services to help you address your security gaps:

  • Security risk or maturity assessments
  • ISO 27001 planning, pre-audit preparation or implementation from start to finish
  • User awareness training
  • Policy creation and updates
  • Security metrics & reporting
  • Vulnerability management implementation
  • Security incident management (including CSIRT creation)
  • Information security committee membership/counsel
  • 3rd party security risk governance


This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.