If your organization is considering a vCISO engagement, or you’re looking to replace your current vCISO provider, you may already recognize there are multiple ways to view this role and its responsibilities. I’ve been supporting our clients as a virtual Chief Information Security Officer (vCISO), and have seen firsthand how different organizations view information security.
Virtual CISOs Must Take a Holistic Approach
A major reason why different businesses want different things from their vCISOs is that effective information security takes more than a vCISO. Your vCISO’s effectiveness will be only as good as the effectiveness of “the village”—that is, the guidelines, services and practices that make up your InfoSec program.
Therefore, a core element of any vCISO engagement should be to look holistically at the client’s overall security posture to determine strengths, weaknesses and priorities for addressing current risks. From there, the vCISO and key stakeholders can decide on the best way to augment current resources to ensure coverage of all key security responsibilities and deliver what the business needs “first and foremost” to achieve its goals in the most practical and cost-effective manner.
For example, a financial services firm may seek to engage a vCISO to help them move towards ISO 27001 certification to better manage regulatory requirements around PCI, GLBA, SOX and now the EU’s GDPR. In alignment with that overarching goal, a “gap assessment” may reveal that current identity and access management practices are insufficient for mobile banking and expose the firm to unacceptable risk. A further finding is that the Business Continuity Plan might pass a client audit, but would not be sufficient in an actual disaster. The vCISO would coordinate with the IT Director to address the IAM issue, and work with business leaders and the Incident Response Team in concert with an in-house or virtual Business Continuity SME to tune the BCP.
This requirement to seamlessly ensure that all elements of your information security program work in concert with each other is why we offer a complete suite of virtual security solutions in addition to vCISO. These on-tap services ensure our clients get not only the top-down security guidance and governance a vCISO provides, but also the precise mix of supplementary support their goals, risks and current security posture dictate.
Again, this “village” dynamically supports and enables the vCISO. And the real value of the vCISO role, at least in my experience, is to understand and orchestrate how all the “villagers” can best flow together in the context of everything going on security-wise in the organization.
Trust the Experts
Whatever your security and compliance goals, a holistic, evolving and risk-driven security posture is the strongest and most cost-effective approach to security. Pivot Point Security is in business to create the kinds of opportunities and relationships that drive this approach.
That can mean achieving security certification or engaging a vCISO, or it may all start with a simple vulnerability assessment. I invite you to contact us so we can start putting together a program that will really protect your business and its information assets.