A beautiful piece of music is often attributed to the composer, but it takes effort on the part of many people to create the final piece that an audience applauds. In my experience as a virtual Chief Information Security Officer (vCISO), successful information security looks remarkably similar to a successful concert.
Harmonizing Your Security Team Like an Orchestra
In music performance, there are roles and responsibilities that must be fulfilled for a final piece to come together:
- Composer – Writes the music
- Conductor – Leads the playing of the music
- Orchestra – Plays the music
Similar roles exist in information security management, but with different names:
- Architect – Creator of the strategy and the plan
- Builder – Implementer of the plan
- Operator – Performs the tasks in the plan
In a virtual CISO organization, as with a music performance, somebody needs to be responsible for each of these three functions across every element InfoSec encompasses (asset management, event monitoring, third-party risk management, network security, application security, disaster recovery, legal/compliance, etc., etc.).
Auditing Your Organization’s Security Roles
If a composer fails to write a piece of music that harmonizes the instruments, a conductor ignores a large section of the orchestra, or the cello players decide not to show up, the performance will fail. Information security management works in the exact same way.
Taking this view, can you see holes in your Information Security Organization (ISO)? Take Third-Party Risk Management (TPRM) as an example:
- Who is responsible for your TPRM strategy and plan (architect)?
- Who is responsible for implementing the plan to manage your third-party risk (builder)?
- Who is responsible for completing the tasks in the plan to manage your third-party risk (operator)?
This is a quick way to audit your organization for glaring holes. These gaps usually occur when an organization lacks people with certain skills, experience, or (in many cases) time.
Filling the Gaps
One of the best ways to effectively plug those holes and harmonize the information security orchestra is with Virtual Security Organization (VSO) services. Including services like a virtual CISO, VSO services can fill in any of the gaps you find in your ISO. For example, you can use a virtual security service to perform risk and vulnerability assessments, manage your incident response and business continuity functions, or help to ensure compliance with regulations and industry best practices.
If you recognize open gaps in your ISO or want some expert help with gap assessment, reach out! After a conversation with us, you will know the best next steps to achieve your security goals and objectives.