vCISO
What is a vCISO?
The vCISO is a security practitioner who uses the culmination of their years of cybersecurity and industry experience to help organizations with developing and managing the implementation of the organization’s information security program.
At a high level, vCISOs help to architect the organization’s security strategy, with some helping to also manage its’ implementation. Internal Security staff may still exist, either reporting to or working with the vCISO and their team to execute an impactful security program.
Additionally, the vCISO is usually expected to be able to present the organization’s state of information security to an organization’s board, executive team, auditors, or regulators.
CyberGrape's
'SUPER' Approach
Phase 1 : S - Start Up
Phase 2 : U - Understand
Phase 3 : P - Prioritise
Phase 4 : E - Excecute
Phase 5 : R - Results
Phase 1 : S - Start Up
Before starting the role, we prepare thoroughly by conducting company research, reading annual reports, investigating whether there are headline breaches related to the company and exploring the executive team’s critical members.
Phase 2 : U - Understand
We meet with important stakeholders to learn about the business, issues and areas with room for improvement. Examine board reports, assessments, audit findings, existing strategy documents, policies, and metrics to understand critical risks and issues.
Phase 3 : P - Prioritise
We focus on identifying the quick wins and complex capabilities that take time to rollout. This way, we can rapidly secure credibility with key stakeholders while giving ourselves enough time to plan more complex initiatives. We typically identifying two projects that we can complete or show meaningful progress on in the first three months. We remain open to feedback and constantly refine the plan as new information emerges.
Phase 4 : E - Excecute
Deliver on some of the quick wins we have identified. Put in place agreed plans to address some of the longer-term issues. Organize our team by creating security team roles and responsibilities, setting up our management system, and ensuring governance effectiveness.
Phase 5 : R - Results
Re-confirm key actions we’re taking and identify any progress made where we might need our key stakeholders’ help and feedback. Complete an executive assessment report of critical risks and issues.
Phase 1 : S - Start Up
Phase 2 : U - Understand
Phase 3 : P - Prioritise
Phase 4 : E - Excecute
Phase 5 : R - Results
Phase 1 : S - Start Up
Before starting the role, we prepare thoroughly by conducting company research, reading annual reports, investigating whether there are headline breaches related to the company and exploring the executive team’s critical members.
Phase 2 : U - Understand
We meet with important stakeholders to learn about the business, issues and areas with room for improvement. Examine board reports, assessments, audit findings, existing strategy documents, policies, and metrics to understand critical risks and issues.
Phase 3 : P - Prioritise
We focus on identifying the quick wins and complex capabilities that take time to rollout. This way, we can rapidly secure credibility with key stakeholders while giving ourselves enough time to plan more complex initiatives. We typically identifying two projects that we can complete or show meaningful progress on in the first three months. We remain open to feedback and constantly refine the plan as new information emerges.
Phase 4 : E - Excecute
Deliver on some of the quick wins we have identified. Put in place agreed plans to address some of the longer-term issues. Organize our team by creating security team roles and responsibilities, setting up our management system, and ensuring governance effectiveness.
Phase 5 : R - Results
Re-confirm key actions we’re taking and identify any progress made where we might need our key stakeholders’ help and feedback. Complete an executive assessment report of critical risks and issues.
Why are vCISO
Services pPopular?
Cybersecurity has moved to the forefront of organizational concern. With the rise in cyberattacks, data breaches, sophistication in attacks, and the focus locked in on an organization’s information, organizations wanting to put a comprehensive set of controls and technologies in place need a CISO. A vCISO allows organization to quickly fill a vCISO role, without needing to go through the hiring process.
According to salary.com, the average CISO costs over $200,000 a year. While nearly every organization needs a CISO, not every one of them can afford one. A vCISO allows organizations to avoid the expense of employing one in-house full-time, only paying for the services and time used.
A vCISO has implemented information security programs for many clients in a diverse set of industries and sizes, giving them a broad range of expertise that can be applied to your organization.
Rather than needing to hire someone locally (which limits your options) or need to help pay for a candidate to move, the vCISO works as a consultant, working from just about anywhere, giving the organization exposure to more potential candidates.
While not every vCISO works the same, this is a contractor who will perform the tasks based on an agreed upon scope of work. So, you’re paying for the services you want from them.
Use cases
for a vCISO
The departure of a business’s existing CISO may be untimely with regard to current security initiatives. A seasoned vCISO can come in, provide value in reviewing the current cybersecurity strategy and help recruit, select and transition to a full-time CISO.
When a full-time CISO is too costly for an SMB, a vCISO works part time to provide enterprise-caliber expertise to craft a security program and the organization would, otherwise, not be capable of developing.
Organizations with or without a current CISO many not have the expertise on a specific compliance mandate and how it translates to creating policy and process to secure protected information. A vCISO that specializes in a given compliance regulation can assist to develop a strategy and execution plan that meets the specific mandates – think PCI DSS experts helping retail businesses or a HIPAA savant supporting a healthcare org.
Whatever the organization was doing 6 months ago to protect against cyber risk is likely not as effective today. A vCISO can help organizations of every size by taking a look at the current budget, how it’s spent, and help identify ways to more effectively and efficiently spend it to create a more secure stance.
