Tony Asher discusses the process and expectations for a virtual CISO cybersecurity assessment. The assessment itself typically takes four to six weeks, followed by about two weeks for report preparation and an additional week for a business stakeholder to review the draft, which Asher rounds to roughly seven weeks from kickoff to final presentation. The process starts with business and technical interviews to understand business goals and the technical environment and to identify the “crown jewels” and the threats to them. A threat profile is combined with vulnerability data to build a risk profile, which is checked against the organization’s risk appetite and mapped to an industry framework such as the NIST Cybersecurity Framework, CIS, NIST 800-171, or HIPAA. A gap analysis against that framework highlights mature and immature areas, leading to recommendations prioritized by severity and risk reduction and a roadmap for improvement. Asher emphasizes the importance of empathy and thoroughness in the assessment.
Action Items
- [ ] Provide empathy and patience when working with a virtual CISO during a cybersecurity assessment; it is four to six weeks of highly focused work by one dedicated resource.
- [ ] Compare the assessment timeline with what you would expect of a full-time cybersecurity hire, who typically needs three to six months to get up to speed.
Outline
Virtual CISO Cybersecurity Assessment Overview
- Asher introduces the topic of a virtual CISO cybersecurity assessment and the process they use, called the rapid risk assessment.
- He explains that the depth of the assessment will determine its duration, with a typical assessment taking four to six weeks.
- The collaboration between the business stakeholder and the virtual CISO is crucial for a smoother and faster process.
- Asher highlights the importance of business stakeholder support in facilitating the assessment’s needs, which removes friction.
Time Frames and Process Details
- Asher outlines the time frames for a cybersecurity assessment: four to six weeks for the assessment itself, two weeks for report preparation, and an additional week for business stakeholder review of the draft.
- The total time from starting the assessment to presenting the final report is, by his estimate, about seven weeks.
- He emphasizes the complexity of the assessment, noting that it involves understanding a unique business environment with specific technologies and applications.
- The need for good quality questions during the assessment is stressed to gain a deep understanding of the business.
Interviews and Business Empathy
- Asher describes the two types of interviews conducted: business interviews to understand the business goals, organization, and stakeholders, and technical interviews to assess the technology landscape.
- Business interviews help identify the “crown jewels” of the organization, including important data, access controls, and storage locations.
- Technical interviews range from simple technology reviews to hands-on examinations of assets and systems.
- He requests empathy from companies hiring virtual CISOs, acknowledging the high demand and focus required during the assessment process.
Threat Profile and Risk Assessment
- After interviews, the next step is to build a threat profile, identifying potential harm to the organization.
- Threats are components of risk, and understanding them helps focus the cybersecurity program on the most critical risks.
- A risk profile is created by combining threat data with vulnerability information to identify the most critical risks.
- The risk profile helps determine if any risks exceed the organization’s risk appetite, leading to specific risk recommendations.
Framework Alignment and Gap Analysis
- The risk profile is mapped to a cybersecurity framework, such as the NIST Cybersecurity Framework, CIS, NIST 800-171, or HIPAA, to organize the security program and keep it maintainable after the assessment.
- Frameworks help transfer the value of the assessment to the organization, ensuring continuity beyond the assessment period.
- A gap analysis is conducted to identify areas of maturity and gaps in the framework, highlighting areas for improvement.
- Recommendations are prioritized by severity and risk reduction, and a roadmap is created to guide the organization towards better risk posture.
Final Thoughts and Q&A
- Asher summarizes the virtual CISO cybersecurity assessment process, emphasizing the importance of empathy and thoroughness.
- He invites questions from the audience to address any remaining concerns or queries.
- The goal is to provide a clear understanding of what to expect during a virtual CISO cybersecurity assessment.
- The session aims to help companies prepare for the assessment process and understand the time and effort involved.
A virtual CISO cybersecurity assessment, what to expect? What should you expect when you hire a virtual CISO to assess your cybersecurity program?
I want to show you our method of doing this. We have a process called our rapid risk assessment, and this is currently being rebuilt and rebranded into another product that we’re offering. Let’s talk about expectations. The deeper a virtual CISO goes during the cybersecurity assessment process, the longer the assessment is going to take.
Another component is the collaboration with the business stakeholder who helps the virtual CISO meet with the people they need to meet with and get the access they need to have. When a company invests in the virtual CISO cybersecurity process and facilitates its needs, this process can go a lot smoother and a lot faster. There’s a lot less friction when you have a business stakeholder who is supporting the assessment.
Let’s talk about time. And I think when we think about expectations, we often think about time, at least I do. A good quality cybersecurity assessment will take about four to six weeks, and that is just the assessment. After the four to six weeks, there’s going to be about two weeks to prepare a report and a presentation. For most clients that we work with, there is someone within the business who wants to review that presentation before it is shown to the rest of the stakeholders. We have a presentation review or draft process that typically will add another week.
Time frames for a cybersecurity assessment, what to expect: you’re looking at about four to six weeks for the assessment itself, about two weeks for the report preparation, and another week for a business stakeholder to review and approve the draft before it’s shown to the rest of the business stakeholders. About seven weeks. From the time you hit go to the time the stakeholders get that final presentation, you’re looking at about seven weeks. I hope that’s helpful. This is our process; this is what is going on for four to six weeks.
A high quality virtual CISO will make this seem simple. It is not simple. It is extremely complicated. We are invited into an environment that we’ve never been in before. It’s architected in a way that is unique to your business, and you have a buffet of technologies, applications, and user roles that you have built into your business that I can almost guarantee will be one of a kind. So, to step into that environment and start to assess it, we have to do it in two ways. We have to do it in a way that takes all of our training and all of our experience and all of our industry best practice into consideration, and we have to marry that with what I call business empathy. Just because there’s a right way and maybe you’re not doing it that way doesn’t mean that anyone deserves a slap upside the head. There is a reason why that business has decided to do the things that they’re doing. They have hired intelligent people; they’re not stupid. They chose it intentionally. And it’s really important that we approach it empathetically, and we approach it that way by asking questions instead of pointing fingers.
Empathy takes time. Empathy requires good quality questions, and so when you look at our risk assessment process, the first thing we do is we start with interviews. And I’m going to change this slide here really quick, because there’s actually two different types of interviews we do.
We perform business interviews to understand what the goal of the business is, what the organization of the business is, and who the stakeholders in the business are, so that I understand what the most important data is, to help us get an idea of what the crown jewels are for this organization:
- Who accesses those crown jewels?
- Where are those crown jewels stored?
- How are they backed up?
- Where do they go? Do they stay within the company?
- Do they go outside of the company?
There are all kinds of questions, but really a whole set of interviews. It could be anywhere from three to, I think, as many as 18 interviews with one company during one assessment. These interviews are anywhere from 30 minutes to an hour, in which we are dynamically trying to speak that person’s language in a way that helps us understand data, data storage and data movement, and how it’s related to the other aspects of the business:
- What their strategy is, what their plan is, how they like to work, what applications they like to work with?
- Do they like to work in the office?
- Do they like to work remote?
- Do they like to work in a coffee shop or a boat or something like that?
The second set of interviews is technical interviews. Sometimes this could just be, “What technology are you using? Can I get access?” At the other end of the spectrum, it’s, “No, you can’t get access.” So, who can we spend time with, looking over their shoulder and examining things? Where are the assets that give us the right information?
I just want to think, trying to think, if I’m giving a disclaimer here. That empathy that I talked about, I want to try to reverse it. I want to try to ask for empathy. If you’re a company who has hired a virtual CISO, or maybe a cybersecurity expert, to audit your environment or do an assessment in your environment, have empathy for them, because it does take a lot of time. This is four to six weeks of high demand, highly focused time. We have one dedicated resource per assessment. We never have one person doing two assessments at the same time, because it’s just too much. It’ll get mixed up. So be patient. And if that’s hard, I would just ask you to consider: if you were to hire a person, if you had the finances and the resources at the company to hire a full-time cybersecurity resource, what process would you expect them to follow, and how long would it be until you expected them to have a standardized level of knowledge about your company? Oftentimes, I’m hearing, “I would expect them to come in and do some level of assessment, ask a lot of questions, and I expect them to be up to speed in three to six months.” So, when we’re doing an assessment in four to six weeks, we kind of get the idea of how much pressure it is, and we focus on that an extreme amount.
Okay, so again, we’re talking about virtual CISO cybersecurity assessments and what to expect. I’m just going to go back to my slide here. After the interviews are done, which I won’t recap everything we’ve done in the interviews, the goal is to find the crown jewels. Everything about the crown jewels and the business strategy, okay, those are probably the two very summarized points that come out of that.

Then we do a threat profile. When you think about risk, threat is a component of risk that you have to understand. I have the analogy in another video, so I won’t get into it too much here. But threat is not a risk. Threat is a component of risk, and threat is something that’s out to get you, something that could potentially harm you. The example that I like to use is a family. You’re out hosting a neighborhood picnic in your backyard, and you learn that there is a dog with rabies running around the neighborhood. The threat is the dog with rabies. It doesn’t mean that it’s going to attack your family. It doesn’t necessarily mean it’s a risk. You might have controls up. You might have protections up. But we do need to do a threat profile, because each company has threats that are out to get them, and it’s very important that we qualify those threats. And if we don’t qualify those threats, then, as a cybersecurity professional, we are taking on every single thing in the world that could ever infinitely happen to you, and that is way too much. We need to narrow it down, whittle it down to the applicable, most critical threats that are out to get you, and that’s going to really help us focus the program and invest the time and the resources most appropriately. So we build a threat profile, and then after that, we compound that with the vulnerability data, and we’re going to build a risk profile.
Risk is ultimately, at the end of the day, the table stakes. This is what you want to see:
- What are our most critical risks and are they acceptable or not?
- Do any of these risks exceed our risk appetite?
And if they do, then later on, we’re going to make those risk recommendations.
The next thing we’re going to do is map it to a framework. There are many cybersecurity frameworks out there. When you think of a framework, think of HIPAA or the NIST Cybersecurity Framework; that’s my favorite. The CIS standards are a great framework, and you’ve also got NIST 800-171. Those are frameworks. Frameworks sometimes slide or overlay into regulatory or privacy things like GDPR or PCI DSS. But really what a framework does is equip the customer. It helps transfer all this work that a cybersecurity professional is doing. It helps ensure that that resource is now owned and maintained by the customer, because you don’t want to lose all the value as soon as the assessment’s over and that cybersecurity assessment is done; that’s why we align it with a framework.
We take something that’s extremely complex, cybersecurity, a mile wide and a mile deep, and we organize it. And by using an industry framework, we’re already leveraging some work that someone has already done, and we’re taking your business’s security and aligning it with that, so everything fits on shelves and in bins, and it’s beautiful. It’s really nice. We want to make sure that there is a framework that makes sense for your business.
Then we do a gap analysis. Although we already permeated risks before, what we’re doing now is a gap analysis of your risk against that framework. And why is that important? Well, it really shows you a couple of things. Number one, a framework will help score your maturity, and risks are more important than maturity; I’ll talk about that some other time. But it helps you see gaps in the framework, because what I find as a virtual CISO, when I come into a business and do a cybersecurity assessment, is that the people in the roles at that company will do the things that they enjoy doing very well, and those are the things that they focus on. And there are also things that they’ll ignore because they don’t do them very well. So what we see is that some areas are very mature and some areas are not mature at all, and that’s the gap that we’re talking about. Those are the gaps that we want to identify so we can make sure that you’re enabled to improve them, and all that comes out into recommendations.
Recommendations are prioritized by severity and risk reduction, and then all that will be built into a roadmap.
And a roadmap is basically: here are the people, the process and the technology that we recommend over the course of a certain amount of time, based on funding and priority, to move you closer to where you want to be from a risk posture. So that’s what you can expect from a virtual CISO cybersecurity assessment, and I hope that helps. Let me know what kind of questions you have down below.
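The chain described above (threat profile plus vulnerability data gives a risk profile, the risk profile is checked against the risk appetite, findings are mapped to a framework for a gap analysis, and recommendations are prioritized by severity and risk reduction into a roadmap) can be modelled as a small risk register. The Python below is an added worked example, not the speaker’s or his firm’s tooling. The 1-5 likelihood and impact scales, the likelihood-times-impact score, the appetite threshold of 9, the 0-4 maturity scores, the NIST CSF function labels used as the framework mapping, and the fictional clinic register are all assumptions constructed for illustration.

```python
"""Risk register: threat profile + vulnerability data -> risk profile ->
appetite check -> framework gap analysis -> prioritized roadmap.

Everything below (scales, scoring, sample findings) is an assumption built
for this example; it is not the speaker's method.
"""
from dataclasses import dataclass

SCALE = range(1, 6)   # assumed 1-5 scale for likelihood and impact


@dataclass(frozen=True)
class Risk:
    crown_jewel: str      # asset identified in the business interviews
    threat: str           # from the threat profile: who or what could cause harm
    vulnerability: str    # from the technical interviews: the weakness the threat can use
    likelihood: int       # 1 = rare .. 5 = expected (assumed scale)
    impact: int           # 1 = negligible .. 5 = severe (assumed scale)
    csf_function: str     # NIST CSF function the finding is mapped to (assumed mapping)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        # A threat alone is not a risk; the score only exists once the threat is
        # paired with a vulnerability that lets it reach the crown jewel.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Recommendation:
    title: str
    fixes: tuple               # vulnerabilities this recommendation removes
    residual_likelihood: int   # assumed likelihood once the fix is in place


# Constructed sample register for a fictional clinic; these are not real findings.
REGISTER = (
    Risk("Patient records", "Ransomware crew", "Unpatched internet-facing VPN", 4, 5, "Protect"),
    Risk("Patient records", "Ransomware crew", "Backups reachable from production domain", 3, 5, "Recover"),
    Risk("Payroll data", "Phished employee", "No MFA on email", 4, 3, "Protect"),
    Risk("Patient records", "Insider", "No access review on shared drive", 2, 4, "Detect"),
    Risk("Customer portal", "Opportunistic scanner", "Verbose error pages", 2, 2, "Identify"),
)
RECOMMENDATIONS = (
    Recommendation("Patch VPN appliance and require MFA", ("Unpatched internet-facing VPN",), 1),
    Recommendation("Isolate backups with separate credentials", ("Backups reachable from production domain",), 1),
    Recommendation("Enforce MFA on email", ("No MFA on email",), 1),
    Recommendation("Quarterly access review of shared drive", ("No access review on shared drive",), 1),
)
RISK_APPETITE = 9     # assumed: any score above this needs a recommendation
MATURITY = {"Identify": 3, "Protect": 1, "Detect": 2, "Respond": 2, "Recover": 1}  # assumed 0-4 scores
TARGET_MATURITY = 3   # assumed target agreed with the business


def risk_profile(register=REGISTER, appetite=RISK_APPETITE):
    """Risks that exceed the appetite, most critical first."""
    return sorted((r for r in register if r.score > appetite), key=lambda r: -r.score)


def gap_analysis(register=REGISTER, maturity=MATURITY, target=TARGET_MATURITY):
    """(function, maturity, risk carried, is_gap) per framework function, most risk first.

    Functions with no findings still appear: an area nobody has looked at is
    exactly where the gaps hide.
    """
    carried = dict.fromkeys(maturity, 0)
    for r in register:
        carried[r.csf_function] = carried.get(r.csf_function, 0) + r.score
    rows = [(fn, maturity.get(fn, 0), carried[fn], maturity.get(fn, 0) < target) for fn in carried]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


def prioritize(register=REGISTER, recs=RECOMMENDATIONS):
    """(title, total risk reduction, worst risk addressed), biggest reduction first."""
    ranked = []
    for rec in recs:
        hit = [r for r in register if r.vulnerability in rec.fixes]
        reduction = sum(r.score - rec.residual_likelihood * r.impact for r in hit)
        severity = max((r.score for r in hit), default=0)
        ranked.append((rec.title, reduction, severity))
    return sorted(ranked, key=lambda row: (-row[1], -row[2]))


def roadmap(register=REGISTER, recs=RECOMMENDATIONS, appetite=RISK_APPETITE):
    """Apply recommendations in priority order until every risk is within appetite."""
    residual = {r: r.score for r in register}
    plan = []
    for title, _, _ in prioritize(register, recs):
        if all(score <= appetite for score in residual.values()):
            break
        rec = next(x for x in recs if x.title == title)
        for r in register:
            if r.vulnerability in rec.fixes:
                residual[r] = rec.residual_likelihood * r.impact
        plan.append(title)
    return plan


if __name__ == "__main__":
    for r in risk_profile():
        print(f"{r.score:>2}  {r.crown_jewel}: {r.threat} via {r.vulnerability}")
    for fn, mat, carried, gap in gap_analysis():
        print(f"{fn:<9} maturity={mat} risk={carried:>2} {'GAP' if gap else 'ok'}")
    for step, title in enumerate(roadmap(), 1):
        print(f"{step}. {title}")
```

Running the file lists the three risks above appetite, then the gap table, where Protect and Recover carry the most risk at the lowest maturity and Respond is flagged as a gap despite having no findings at all, and finally a three-step roadmap. The fourth recommendation stays off the roadmap because the insider risk it addresses already sits within the assumed appetite, even though the gap analysis still flags the Detect function; that is the distinction the talk draws between risk and maturity.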