Can your business benefit from a part-time CISO?

If you are in a small or medium-sized business, you may not have a full-time dedicated Chief Information Security Officer (CISO).  Many small or medium businesses have a technology department which may also be working on information security management tasks.   In today’s cyber landscape, you should really have someone who is focusing primarily on cyber security and protecting your organization.   Mixing up responsibilities of technology and security may not be the most effective approach in the fast growing world of cyber crime today.

A real story of risks found on a site and how this organization remediated them:

In 2016, we had been asked to conduct a security risk assessment of a large hospital.  

During the site walkthrough, we discovered over 5000 computers running Windows XP still in use all over the hospital.  Windows XP had been officially at End-Of-Life and unsupported in 2014 – two years later, this hospital was still actively using an unsupported, unpatched version of this Windows operating system.  We reported this as a high-risk finding and presented the risks to the Compliance Committee. The Compliance Committee understood the gravity of the situation and approved replacing these 5000 computers within the next 3 months. This was 2016. A few months later, in 2017, the WannaCry ransomware attack struck all over the world, affecting computers similar to this – unpatched, unsupported versions of Windows operating systems!  We are pleased to report that this hospital was not a victim of WannaCry due to the findings of their security risk assessment and their prompt action in remediating the issue.

This is just one example of tasks that would normally be the responsibility of a CISO. The technology department may continue working with older versions of equipment and software because they may not have the budget to replace these. However, a CISO’s responsibility is not only to identify risks but also to escalate them to senior management and the Board and to secure funding to mitigate and remediate risks.

What can a part-time CISO or a VCISO do for you?

Among other things, a part-time or virtual CISO will be responsible for:

• Leadership, strategy and guidance to manage the risks to confidentiality, integrity and availability of your organization’s information assets.
• Advising your C-suite executives and Board of Directors.
• Developing your IT security risk management program and Cyber/IT Security control framework.
• Establishing your security baseline through a baseline risk analysis.
• Conducting or arranging periodic security risk assessments.
• Preparing, communicating and maintaining your security roadmap.
• Arranging periodic vulnerability assessments or penetration testing, phishing tests, social engineering tests.
• Developing your organization’s security policies, procedures and checklists.
• Cyber Incident management including incident response planning, testing and implementation.
• Forensics in the event of a data breach or cyber attack.
• Setting up your organization’s security awareness training and communications.

How to find your part-time or virtual CISO:

A part-time CISO is a cost-effective alternative to hiring a full-time CISO especially if the size of your business does not necessarily warrant a full-time CISO.   Identify a vendor or consultant who has

• wide ranging security experience,
• has the history of working in the CISO role, and
• up-to-date with cybersecurity trends. 

While security itself is a 24x7 task, your Chief Information Security Officer can be part-time and still very effective based on your current security posture, your budget and your business’s security needs.