
Interim/Contract Virtual CISO (vCISO) Services

- Executive-level security leadership that creates and improves technology and security postures in enterprise environments.

Too much is at stake not to have a Chief Information Security Officer (CISO). Robust security leadership from a seasoned CISO is essential in the modern organization: a security leader brings the specialized technical knowledge and corporate governance experience needed to build a strong cybersecurity foundation, and the agility to prevent, detect and mitigate evolving threats.

Whatever the reason you do not have a CISO in place at the moment, we provide a Virtual CISO (vCISO) service: an outsourced security advisor that gives your company cost-effective access to a high-end cybersecurity professional. What varies is the amount of time needed and the length of the engagement.

As a vCISO, our focus is to ensure every organization and business operates in a secure manner, with all of its critical data and assets properly protected. One of the major problems is that many organizations approach cybersecurity incorrectly: they try to prevent all attacks and be 100% secure, which in today's world is impossible. The proper approach is to identify all the critical assets, perform a risk analysis on them, design protection layers around those critical assets, and focus on timely detection of attacks while minimizing and controlling the damage they can inflict. We achieve this by building out effective security programs and roadmaps that actually work.

vCISOs should have strong leadership skills and an in-depth understanding of information systems and security. They should also be able to effectively communicate their complex security and IT knowledge to colleagues with varying levels of technical understanding.

vCISOs have certain job requirements that closely mirror the requirements of a traditional, in-house CISO; these include the following:

  • protecting the confidentiality, integrity and availability of data;
  • long-term cybersecurity strategy development;
  • governance, risk and compliance (GRC) program development;
  • risk assessment;
  • risk management;
  • security awareness and training;
  • developing secure business and communication practices;
  • reporting on security operations;
  • monitoring security operations;
  • defining metrics to measure program success;
  • management of personnel and vendor relationships; and
  • integration and management of other third-party security services.


Benefits of employing a vCISO

  • Unbiased analysis. As an external third party, the vCISO may be able to evaluate an organization's existing security program more objectively than an internal employee.
  • Cost-effectiveness. Pay-as-you-go pricing allows organizations to pay for only the time and services they use. A vCISO is usually drastically cheaper than having a salaried CISO in house and saves on capital expenditures.
  • On-demand service. Using a vCISO provides constant, flexible availability of security resources. As demands change, clients can alter their services accordingly.
  • Long- and short-term benefits. In the short term, vCISOs can make organizations more secure by identifying immediate risks and introducing or tightening controls. In the long term, they can help lay the groundwork for a future in-house security program through training and improvement of core processes and infrastructure.
  • Experience. Many vCISOs have had extensive experience working with a wide array of diverse organizations.


Below are a few examples of vCISO project engagements

  • Responsible for coordinating and overseeing global compliance with policies and procedures regarding the confidentiality, integrity, availability and security of all information assets. Direct management of, and interaction with, global security and management teams. Ensured compliance with PCI, HIPAA, GDPR and other regulatory security requirements; responsible for ensuring all controls were in place and for overseeing the filing of compliance reports with banks and credit card acquirers/processors.
  • Implemented security program frameworks with compliance review frequency and individual responsibility matrices.
  • Helped design and implement a global Microsoft Local Administrator Password Solution (LAPS) deployment, as well as centralized multi-factor authentication (MFA) for non-console administrative access to all servers globally and to the Microsoft Azure cloud clusters, resulting in centralized secure access and security logging.
  • Responsible for annual risk assessments to identify new threats and vulnerabilities and identify appropriate controls to mitigate any new risks.
  • Implemented vendor/3rd party security risk assessment programs and documentation requirements.
  • Coordinated multiple global external and internal penetration tests and vulnerability scan remediation projects resulting in a stronger global security posture of networks, applications and systems.
  • Developed and implemented a cloud security assessment procedure, providing risk assessment scores for potential cloud providers. Prepared all documentation for global information security board review.
  • Project management for secure removal of outdated encrypted credit card storage databases. Work included project planning, development of control methodologies, interaction with secure destruction vendors, and preparation of final project report for auditors and attorneys.
  • Direct involvement with annual compliance audits performed by major credit card company partner, including completion of risk assessment and review of evidence.
  • Led internal efforts to understand requirements and obtain compliance certifications for EU-USA and Switzerland-USA Privacy Shield. Provided internal assessments of alignment with ITAR, FedRAMP, HIPAA and FFIEC compliance areas. Prepared summary reports and compliance/responsibility matrices for customer contracts.
  • Performed infrastructure and security reviews; designed meshed, high-availability firewall and router enhancements to secure the call center technology environment. Led a successful project to integrate Cisco and Nortel core router, switch and firewall equipment into the call center infrastructure, leading to lower costs, faster throughput and higher availability.
  • Worked with a major USA city's infrastructure and security teams to validate security infrastructure design proposals. Developed project plans, and communicated and coordinated changes with city agencies and departments. Led teams that successfully tested and implemented changes, providing immediate security to the call center server environment.
  • Assisted city technology teams in evaluating firewall ruleset modifications, and in designing and testing GPOs for secure workstation access to call center server applications.
  • Reviewed all areas of corporate technology, interviewed Service Delivery Managers (SDMs), developed Service Level Agreement (SLA) metrics, and developed a Request for Proposal (RFP) for outsourcing all technology services. Developed, scheduled and project-managed the transition of knowledge and duties, focused on ITIL processes, from internal teams to the outsourced managed provider.
  • Led incident response investigations and performed hands-on forensic data acquisitions using EnCase and other commercial tools, applying chain-of-custody and legal requirements for evidence collection and handling. Developed incident response procedure manuals and in-house training programs for incident handling.
  • Developed corporate compliance training programs, including curriculum requirements, training frequency, targeted groups, and completion metrics for management reporting requirements.