Good morning. Happy cyber day, wherever you are, whatever time of the day it is. Hey. Today we’re talking about comprehensive services offered by virtual CISOs. What an interesting topic. I’ve been doing virtual CISO work for over five years, and I don’t think there is such a thing as a comprehensive service list, but today I’m going to give you some of the scope I’ve seen in the virtual CISO space. And the first thing I want to do is just share with you this slide here.

So let’s talk about context. The goals of a virtual CISO are to:

  1. Help identify cyber risk to a company
  2. Communicate that risk to the risk stakeholders
  3. Recommend remediation to reduce those risks

If we accept that those are the goals of a virtual CISO, then we can pivot and ask: what are the comprehensive services offered by a virtual CISO? Because every service a virtual CISO offers should support those three goals. I hope that makes sense.

When I think of the word comprehensive, I think of all inclusive. I think, what is it including? And I want to point out this slide, because at the top of it is data. And I always say data is currency.

Data Security & Crown Jewels

To comprehensively identify risk to data, these are the things that should be included in the scope of virtual CISO services. Think of it as a stack of things that need to be assessed and secured in order to protect that data. First we have humans. A comprehensive virtual CISO service should include the ability to assess human risk. We’re talking about cybersecurity awareness training, privileged users, entitlements, access, authority, authorization, and identification.

Network Security

Next is network. Services should include all the networks: the IP ranges, internal, external, VPN, your gateways, firewalls. Next is endpoints. The definition of endpoint is kind of squishy, but it’s essentially any device that allows the viewing and modification of data. If data lives somewhere, it’s coming down to an endpoint to be modified or viewed and either saved or moved back. So oftentimes an endpoint is a laptop or a workstation. It could also be a kiosk. We don’t typically think of servers as endpoints because they’re more in the infrastructure; they’re something that stores and maintains that data, and maybe does some processing.

Application Security

Next is application. Applications are the software that could either be installed on the endpoint, or could be software as a service (SaaS) or a cloud application. They’re something that also has access to data, and could be storing and processing data. Next is cloud. Think of Amazon Web Services, Google Cloud, and Microsoft Azure. Those cloud environments should be in the scope of comprehensive virtual CISO services: to check the data there, classify the data there, and then look at how to best secure that cloud.

Physical Security

Next is physical devices. This could be the physical building, security cameras, doors, gateways, kiosks again, things inside the building that could have access to data, so vaults, doors, maybe USB keys, things like that.

Device Security

And then finally, devices. We’re going to throw all these other things into devices, such as a personal device, if you bring a personally owned cell phone or tablet into the environment. Can that access the data? OT and IoT, operational technology and the Internet of Things. These would be things like sensors, controllers, programmable logic controllers: things that interface with the network and can provide a vector to access that data. From a wide scope, these are the things that should comprehensively be in scope for virtual CISO services. I hope that makes sense.

Triad: People, Process, and Technology

That’s a high level view of the comprehensive services a virtual CISO should offer. That scope of work also takes into consideration people, process and technology; this is what we call the triad here, and all three of these things should be considered. What does it mean to have people within the comprehensive scope of vCISO services? We talked a little bit about that, as far as awareness training and privileged roles, but specifically in this slide we’re talking about roles and responsibilities, because there are a lot of tasks, a lot of assignments, a lot of responsibilities that are required to successfully put in a cybersecurity program that properly reduces the risk to the company. So when we think about people, we think about what all those security responsibilities are. And don’t just think about the security department. Security is everybody’s responsibility, so it permeates to business stakeholders and employees. This area is really about ensuring that all those security responsibilities are assigned to roles and that they’re fulfilled, and sometimes even attested to or documented.

Technology Security Reviews

Technology probably makes sense and comes to mind: the cloud technologies, the firewalls, endpoint detection and response, email threat protection, gateways, those types of technologies.

Process

The one that often gets forgotten is process. Comprehensive virtual CISO services should include process. We should always be looking at documenting the process, building processes that are industry best practices, that have been recommended, that fit our business model, and, finally, that can be executed. Have we attested to the efficiency and the effectiveness of performing those processes? Those are some of the things. I know we’re still talking at a fairly high level here.

Auditor vs Validator

Something else I want to bring up when you’re thinking about a virtual CISO and what comprehensive services they offer. Some virtual CISOs will act more like an auditor. They’re going to ask questions. They’re going to create dialog. And that’s a good thing. A good quality question, I can’t underscore that enough; I bring it up all the time. Good quality questions are the catalyst for improvement. When you think about who you want to work with, consider: do you want someone who’s going to ask you questions and be that catalyst for dialog? Or, at the other end of the spectrum, do you want someone who’s going to ask a question and then say, show me? I’ve heard a lot of stories about assessments done by professionals where they come in and they have a lot of talks, but they never ask to see the evidence. They never say, show me what you just told me. They don’t validate it. And with increased regulations right now, especially if you’re a public company or you have to achieve some type of regulatory standard, we’re seeing higher penalties and exposure for companies that attested to doing something because someone asked them, maybe on a form or a questionnaire, and when someone went to check, they actually weren’t doing it. Do you want someone who can get into those technologies and actually validate that those answers are being done? I hope that helps. Setting it up, let’s just say that that’s a good foundation for what comprehensive services a virtual CISO should offer.


Organization, tracking, and frameworks

Here are some of the services that I do as a virtual CISO. We break it down into management pillars. I don’t want to create another framework; that’s the last thing we need in cybersecurity right now. But one of my gifts, one of the things I do well, is I take a lot of complex information and I organize it. This is the way I organize my clients’ cybersecurity and make sure that everything’s taken care of. There are about 20 pillars here, and as part of the comprehensive virtual CISO services, we actually review each of these.

The first one is IAM, identity and access management (saying “IAM management” is a little redundant, because the M is for management). We know what industry best practices are, and then we go in and check the client environment to see how they’re doing identity and access management. We compare the two for gaps, we make recommendations, and then we rank those: which ones are the most critical and which ones are low. And then, out of all those, which ones can we implement quickly with low financial resource? What are the easy wins, or as some people say the low hanging fruit, and which ones need to be more of a strategic initiative? Then we go down the list:

  1. IAM (identity and access management)
  2. Asset management
  3. Policy management
  4. Data classification management
  5. EDR (endpoint detection and response) management
  6. Cloud
  7. ETP (email threat protection)
  8. Patch management
  9. Perimeter management: think firewalls, gateways, proxy servers, maybe even web filtering
  10. Vulnerability management
  11. Data management: that’s a really big one. Remember, everything comes back to data. Data is currency.
  12. Third party risk (third party vendors is another name for that)
  13. Encryption
  14. Change control
  15. Reputation management
  16. Insider risk
  17. Governance
  18. Risk visibility management: how do we take that risk, how do we show it to the people that need to see it, and in what forms? Oftentimes we’ll do more than one report. Leaders who are more technical and more in depth will probably get more verbose reports, and as we go up to the executive level those reports are very brief, very simplified, and they have clarity about what we’re trying to communicate.
  19. Reporting and metrics

These are some of the control pillars. When you think about what the comprehensive services offered by a virtual CISO are, I would say that the virtual CISO is someone who:

  1. Identifies risk within the company
  2. Communicates that risk to risk stakeholders
  3. Recommends risk remediation efforts

Those things should be centered on data, because data is currency. They should be comprehensive across people, technology and process, and they should go to the depth of all the security controls, those 20 pillars I just showed you, in a way that reviews security best practice and surfaces easy wins and strategic wins, and, if you’re responsible for regulatory compliance, also aligns those things with the proper regulatory compliance. And I smile because it’s a lot of work, man, it’s a lot of work. If you’re trying to do this, good for you. Keep doing it. Keep working hard. I hope that answers the question: what are the comprehensive services offered by a virtual CISO?
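As an added illustration (not the speaker’s own tooling, and not part of the original transcript) of two points made above, the “show me” validation of questionnaire answers and the ranking of gaps into easy wins versus strategic initiatives, the script below checks attested IAM statements against an evidence export and then orders the resulting gaps by severity and effort, producing a brief executive view and a verbose technical view. The attestation statements, the user export, the severity and effort scores, and the effort threshold for an “easy win” are all constructed here for illustration; a real engagement would pull the export from the client’s directory or identity provider and calibrate the scores with the client.

```python
"""Added example: validate questionnaire attestations against evidence,
then rank the gaps.  All data below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed evidence export, e.g. a user report from a directory or IdP.
USERS = [
    {"name": "alice",      "privileged": True,  "mfa": True,  "enabled": True,  "days_since_login": 3},
    {"name": "bob",        "privileged": True,  "mfa": False, "enabled": True,  "days_since_login": 12},
    {"name": "carol",      "privileged": False, "mfa": False, "enabled": False, "days_since_login": 95},
    {"name": "svc-backup", "privileged": True,  "mfa": True,  "enabled": True,  "days_since_login": 60},
]

# Constructed questionnaire: what the client attested to on a form.
ATTESTED = {
    "all privileged users have MFA enforced": True,
    "accounts inactive for 30 days are disabled": True,
}

# Each check: (attested statement, pillar, evidence query returning exceptions,
# severity 1..5 where 5 is critical, effort 1..5 where 5 is a strategic initiative).
# Severity and effort values are assumptions chosen for the example.
CHECKS = [
    ("all privileged users have MFA enforced", "IAM",
     lambda users: [u["name"] for u in users if u["privileged"] and not u["mfa"]], 5, 1),
    ("accounts inactive for 30 days are disabled", "IAM",
     lambda users: [u["name"] for u in users if u["enabled"] and u["days_since_login"] > 30], 3, 3),
]

EASY_WIN_MAX_EFFORT = 2  # assumed threshold: effort 1-2 is an easy win


@dataclass
class Gap:
    pillar: str
    finding: str
    severity: int
    effort: int
    evidence: list = field(default_factory=list)


def validate_attestations(attested, users):
    """The 'show me' step: run each evidence query and compare it with the answer
    given on the questionnaire.  A statement the client did not attest to is a
    self-reported gap; a statement they attested to that the evidence contradicts
    is a failed attestation, which is the more dangerous case."""
    gaps = []
    for statement, pillar, query, severity, effort in CHECKS:
        exceptions = query(users)
        if not attested.get(statement, False):
            gaps.append(Gap(pillar, f"not in place (self-reported): {statement}",
                            severity, effort, exceptions))
        elif exceptions:
            gaps.append(Gap(pillar, f"attested but evidence contradicts: {statement}",
                            severity, effort, exceptions))
    return gaps


def rank_gaps(gaps):
    """Order gaps most critical first (ties broken by lowest effort), then split
    them into easy wins and strategic initiatives."""
    ordered = sorted(gaps, key=lambda g: (-g.severity, g.effort))
    easy = [g for g in ordered if g.effort <= EASY_WIN_MAX_EFFORT]
    strategic = [g for g in ordered if g.effort > EASY_WIN_MAX_EFFORT]
    return ordered, easy, strategic


def summarize(gaps, audience):
    """Executive view: one brief line per gap.  Technical view: the same line
    plus the evidence (the accounts that failed the check)."""
    lines = []
    for g in gaps:
        line = f"{g.pillar}: {g.finding} (severity {g.severity}/5, effort {g.effort}/5)"
        if audience == "technical":
            line += f" - evidence: {', '.join(g.evidence) or 'none'}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    ordered, easy, strategic = rank_gaps(validate_attestations(ATTESTED, USERS))
    print("Executive summary:")
    for line in summarize(ordered, "executive"):
        print("  " + line)
    print("Technical detail:")
    for line in summarize(ordered, "technical"):
        print("  " + line)
    print(f"Easy wins: {len(easy)}, strategic initiatives: {len(strategic)}")
```

With the constructed data, both attestations fail validation: bob is a privileged account without MFA (critical, cheap to fix, so an easy win), and svc-backup has been inactive past the 30-day window yet is still enabled (lower severity, but the fix needs a process and automation, so it lands in the strategic bucket). Carol is not flagged because her account is already disabled, which is the outcome the attestation promised.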
