If you want an information and cyber security leader but don't want to pay for, or be burdened by, a full-time employee, a virtual CISO (vCISO) can be a great solution.

But without a CISO of your own to direct the work, how do you know what the vCISO should actually do?

Before covering what they do, it is worth noting the kind of person who takes on a vCISO role: self-driven self-starters who have already taken the risk of serving other companies with their passion and abilities rather than accepting a role they could have become 'comfortable' in. So there is very little risk that you will be disappointed by what they do.

After a qualification process and some initial preparation, a vCISO will usually start an engagement with some form of risk assessment. The depth of the assessment depends on the current cybersecurity maturity of the organization, combined with any specific goals the organization has. The vCISO usually performs the assessment themselves, using a quantitative approach that expresses each risk in terms of likelihood and impact. The results are reviewed with the leadership team and either agreed upon or updated, so that each risk is understood and formally accepted across the business rather than only by the security function.

Next, the results are used to establish the organization's risk posture and to prioritize risks, focusing on the highest risks and on the greatest risk reduction per unit of effort. These priorities are captured in a road map and project plan with timelines and goals.

Sometimes this is complemented by a skills assessment to determine which efforts can be undertaken internally with the current staff, and which initiatives will require outside support.

Efforts that require outside labor (people) or improvements in security capabilities (technology) are scoped. A vendor review process is initiated, and preliminary budget numbers and timelines are collected and reviewed.

In parallel, the maturity of the cybersecurity program is reviewed for alignment with regulatory and compliance requirements and with an industry-accepted cybersecurity framework.

Opportunities for process improvement are reviewed, and candidates are selected for focused improvement work.

Ownership of each technology and process is identified, documented, and trained. Then cross-training, documentation, and long-term support arrangements are reviewed and put in place, so the program does not depend on a single person.

In addition, strategic metrics are collected. These metrics measure risk and the success or failure of each initiative, and ideally they show the reduction of risk over time. Budget figures can be tracked alongside the risk metrics to show the cost of the cybersecurity program over time and to support decisions that reduce that cost.
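The assessment, prioritization and metrics steps above can be made concrete with a small risk register. The following is an added example, not Asher Security's own tooling or method: it assumes a simple annualized-loss model (exposure = likelihood × impact), assumes each control is described by how much it scales a risk's likelihood and impact, ranks controls by risk reduction per effort-day, and then builds a road map within an effort budget while recording residual exposure after each step (the "risk over time" metric). The risks, controls, figures and effort estimates are constructed for illustration only.

```python
"""Quantitative risk register: rank controls by risk reduction per unit of effort
and produce a budget-constrained road map with residual exposure after each step.
Added illustrative example; the model and all figures are assumptions, not data
from the original page."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float  # annual probability that the event occurs, 0..1
    impact: float      # expected loss in dollars if it does occur

    @property
    def exposure(self) -> float:
        """Annualized expected loss for this risk."""
        return self.likelihood * self.impact


@dataclass
class Mitigation:
    name: str
    risk: str                 # name of the Risk this control addresses
    likelihood_factor: float  # residual likelihood = likelihood * factor
    impact_factor: float      # residual impact = impact * factor
    effort_days: float        # estimated effort to implement


def apply(risk: Risk, m: Mitigation) -> Risk:
    """Residual risk after a control is in place."""
    return Risk(risk.name, risk.likelihood * m.likelihood_factor, risk.impact * m.impact_factor)


def total_exposure(state: dict) -> float:
    return sum(r.exposure for r in state.values())


def rank_mitigations(risks, mitigations):
    """Standalone ranking of controls: (name, reduction, reduction per effort-day), best first."""
    state = {r.name: r for r in risks}
    rows = []
    for m in mitigations:
        r = state[m.risk]
        reduction = r.exposure - apply(r, m).exposure
        rows.append((m.name, reduction, reduction / m.effort_days))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def plan_within_budget(risks, mitigations, budget_days):
    """Greedy road map. Controls are re-scored after every pick because two controls
    on the same risk do not add up: the second only reduces what the first left behind.
    Returns [(mitigation name, cumulative effort-days, residual total exposure)]."""
    state = {r.name: r for r in risks}
    remaining = list(mitigations)
    used = 0.0
    trajectory = []
    while True:
        best = None
        for m in remaining:
            if used + m.effort_days > budget_days:
                continue  # does not fit in the remaining budget
            r = state[m.risk]
            ratio = (r.exposure - apply(r, m).exposure) / m.effort_days
            if best is None or ratio > best[0]:
                best = (ratio, m)
        if best is None:
            return trajectory
        m = best[1]
        state[m.risk] = apply(state[m.risk], m)
        remaining.remove(m)
        used += m.effort_days
        trajectory.append((m.name, used, total_exposure(state)))


# Constructed sample register (hypothetical figures, not from the page).
RISKS = [
    Risk("Ransomware via phishing", 0.30, 400_000),
    Risk("Cloud storage misconfiguration", 0.20, 250_000),
    Risk("Insider data theft", 0.05, 600_000),
]
MITIGATIONS = [
    Mitigation("Phishing-resistant MFA", "Ransomware via phishing", 0.40, 1.0, 15),
    Mitigation("Tested offline backups", "Ransomware via phishing", 1.0, 0.50, 20),
    Mitigation("Bucket policy audit", "Cloud storage misconfiguration", 0.25, 1.0, 5),
    Mitigation("Egress DLP", "Insider data theft", 1.0, 0.60, 30),
]

if __name__ == "__main__":
    print(f"Starting exposure: ${total_exposure({r.name: r for r in RISKS}):,.0f}")
    for name, red, ratio in rank_mitigations(RISKS, MITIGATIONS):
        print(f"{name:28s} reduction ${red:>9,.0f}  ${ratio:>7,.0f}/day")
    for name, days, residual in plan_within_budget(RISKS, MITIGATIONS, budget_days=40):
        print(f"after {days:4.0f} days: {name:28s} residual ${residual:,.0f}")
```

Note that the standalone ranking and the road map differ: "Tested offline backups" scores well on its own, but once MFA has cut the phishing likelihood it reduces far less, which is why the planner re-scores after each pick. The residual-exposure column is the kind of figure worth carrying into the leadership metrics, alongside the effort (or budget) spent to reach it.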

Asher Security Solutions

Asher Security can remove the stress of securing your business with our Virtual CISO Service.

We provide:

  • A true gauge of your unique risk, measured by industry experts.
  • A road map that is aligned with industry standards.
  • Reports and metrics showing the ongoing quantitative improvement of your security program.
  • A trusted partnership that can support you and your business.

Check out our Virtual CISO service here:
