Expert Security Knowledge Within Your Organization
The Virtual Chief Information Security Officer (CISO)
What is a virtual CISO (vCISO)?
A virtual CISO (vCISO) is just like a full-time, on-site Chief Information Security Officer. They help an organization strategize, plan, and execute a sound, robust and viable information security program. They combine the vision of executive leadership with the needs of securing the organization into a cohesive, actionable plan. There is no difference between a traditional on-site, 40-hour-per-week CISO and a vCISO, except that the vCISO isn’t usually on-site constantly. Today’s technology lets a vCISO interact with teams across the organization without maintaining a physical presence.
What does a CISO or vCISO do?
Some of the tasks of a CISO include:
- Managing the information security team
- Interacting with executive management
- Attending board of directors’ meetings to update them on the state of security in the organization
- Policies, procedures, standards, and guidelines
  - Plan them
  - Write them
  - Present them to management for approval
- Incident response and event management
- Plan awareness training to disseminate the information to the organization
- Publish them and then make yourself available to the organization for clarification on key points
- Plan security infrastructure in alignment with direction from ‘the Board’
This is just a small subset of the almost fifty different tasks that a CISO would be called upon to perform. With today’s tools, all of the above can be handled and managed by a vCISO with minimal on-site interaction.
What scenarios call for a vCISO Service?
- Need the part time skills of a full time CISO
- Need a strategic roadmap for compliance and security
- A shortage of security talent and difficulty retaining security-dedicated employees causes significant recruiting and HR “pain”
- Your customers, partners or board members expect that someone has the “CISO” role
- You need to prove you are demonstrably secure to key stakeholders (clients, board, auditors)
- Lack of clear vision of where your security is now and/or where you want to go
- Multiple compliance requirements of note and/or GDPR in particular
- You need security experience in your industry (e.g. SaaS, Legal, Financial)
- You need talent capable of liaising with customers, CXO suite, and regulators
- Need for someone with a CSO or CISO title for compliance
- Need for someone with a DPO title for compliance
What does a remote/virtual CISO mean to your organization?
Information security risk has long been the ‘elephant in the room’. Everyone knows it. Everyone sees it. You can’t avoid it, yet we pretend it isn’t happening, until it happens! What is “it”? The security event…an INCIDENT! A CISO plans for these kinds of events. A vCISO makes the same plans, anticipates issues and problems, and gets the backing of executive management to execute those plans, the one and only difference being that they don’t usually maintain a physical presence at the ‘office’.
Mid-tier and small businesses have long relied on outsourcing to close gaps. From HR, to payroll, to IT, organizations have learned to leverage the expertise of outsourcers to provide critical services when hiring someone full time proves to be counterproductive. The same can now be said for hiring a vCISO. Hiring senior leadership (CEO, CFO, etc.) has traditionally required an exhaustive search; meanwhile, every day without senior security leadership in place is a day closer to a catastrophic event.
Our vCISO Service Offerings
We serve small to medium size businesses all the way to small enterprises who don’t have the need for a full-time Chief Information Security Officer but still need CISO-level expertise and guidance.
No two organizations are the same. Everyone has different needs and challenges. Crafting an information security strategy and program requires careful thought and meticulous planning. Because no two organizations are the same, our vCISO service has three tiers that can be customized to fit your organization’s needs:
| Tier | What it covers | Who it is for |
|---|---|---|
| Tier 1: Advisory Service | Provides a trusted senior security advisor to help guide your organization through the construction of an information security program. This service introduces the tenets of information security to the organization. | The organization that would like advice on what it needs to do, with a watchful eye kept on staying on task. |
| Tier 2 | Includes the Advisory Service above. We begin to assist you with the construction and management of your information security program with a more hands-on approach: our skilled information security team not only advises you on building and maintaining the security program but provides hands-on support in the process. | The organization that wants more assistance than the Advisory Service: for example, help drafting the security policy rather than only advice on the policy. |
| Tier 3: “Leave the driving to us” | We take over and run the full security program. Treat this as if it were a full-time CISO hire. The two tiers above take a stepped approach; this tier assumes full responsibility for building, managing, maintaining and improving the security program for the organization. | The organization that wants a more proactive team. Leaving the InfoSec practice to our skilled team lets the organization focus completely on its core competencies. |
How will your organization benefit from our vCISO service?
- Cost Savings – Gain the security expertise you need at a fraction of the cost
- Clear Direction – Know where you are and where you are going on your security journey
- Stronger Relationships – Build positive and secure relationships with management, clients, suppliers and other third parties
- Reach Compliance – Know you are maximizing your ability to demonstrate compliance and minimizing the risk of dealing with a breach
- Focus – Have the peace of mind to focus on your business knowing that we are focused on security
- Security Culture – Benefit from security-aware employees who reduce organizational risk and actively support a “security culture”
- Dodge the Security Talent Shortage – Remove the HR expense of finding, paying and retaining top security talent
- Vendor-Neutral Advice – An outside perspective is a fresh and objective vantage point for Pivot Point Security to recommend the right course of action.
- Virtual Security Team – Gain “on-demand” access to PPS’s security expertise across virtually all Information Security related disciplines.
Our vCISO Team
John Verry, Managing Partner of Pivot Point Security, has led hundreds of high-profile security assessments across a diverse cross-section of noteworthy systems in the government, legal, telecommunications, critical infrastructure, finance and transportation sectors over the last dozen years.
As the leader of our vCISO service offering, John oversees all client engagements to ensure our clients receive the best guidance.
As a certified ISO 27001 Lead Auditor, John is a proponent of the ISO framework to help companies establish, maintain and continuously improve a robust Information Security Management System (ISMS).
As a certified Third Party Risk Management Professional, John established the TPRM line of business at Pivot Point Security and has successfully built many innovative TPRM programs.
John is also the host of Pivot Point Security’s Security Awareness Education platform; he teaches various practical tips & lessons to educate clients on real world information security risks.
Under John’s direction, Pivot Point Security has experienced 18 years of continued growth.
Certifications held by Pivot Point’s vCISO consultants:
- Certified ISO 27001 Lead Auditor
- Certified ISO 27001 Lead Implementer
- Certified ISO 22301 Lead Implementer
- HITRUST Certified CSF Practitioner
- Certified Chief Information Security Officer (CCISO)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
- Certified Third Party Risk Professional (CTPRP)
- Certified Information Systems Security Professional (CISSP)
- Certified Business Continuity Professional (CBCP)
- Certified Technical Trainer (CTT+)
- Offensive Security Certified Professional (OSCP)
- Information Technology Infrastructure Library (ITIL)