Author: Chris Morecroft
Chris Morecroft is Managing Director Europe at ValidDatum
What is a vCISO?
A virtual Chief Information Security Officer (vCISO) is an outsourced security expert who can remotely set up and lead strategic security initiatives at a client organisation. The vCISO service is typically delivered by a managed security service provider (MSSP) and replicates the function of an in-house Chief Information Security Officer.
A vCISO is a seasoned professional who has been in the trenches and brings a breadth of experience gained as a CISO across multiple organisations, together with subject matter expertise in information security concepts, techniques and compliance. They can hit the ground running, starting work immediately and delivering highly visible, high-impact quick wins.
vCISOs work under strict confidentiality agreements, so your customers, and even your staff, need not be aware that the security expert is retained rather than employed.
Why use a vCISO?
There is growing awareness of a significant shortage of experienced and skilful information security staff, and companies have to offer top-rate pay and a variety of other benefits to attract these individuals.
Often, because information security and the threat landscape change so rapidly, the incumbent security team has insufficient or out-of-date experience in dealing with operational change, legal matters, regulators or company strategy as it relates to information security. In other cases the organisation is simply too small to fund a full-time CISO.
The CISO has an impact on every process in an organisation in some way, from how employees use their email, to which websites they can visit, to how they store important documents.
Changes to an organisation's IT infrastructure regularly add stress and demands, because they require increased involvement from the information security function.
When a company looks to:
- implement growth,
- change or transform its business,
- address Security Operations Centre weaknesses, or
- fix major vulnerabilities exposed by recent events, including ransomware attacks and data breaches or leakage,
there is undoubtedly a requirement for the information security team to be involved, and often instrumental, in this work. However, this adds pressure and stress to resources who are already working at full capacity.
The vCISO service is customisable to each organisation's requirements and budget. The vCISO can play several roles in your organisation depending on current and possible future requirements, and the service can be defined to meet your specific needs and adapted over time. It typically includes:
- Identifying gaps and weaknesses, and fixing tactical security weaknesses.
- Being present for stipulated timeslots at your company offices, for meetings, to help define strategy, to review deliverables and to progress projects and initiatives, as if they were a member of your organisation.
- Direct access to the vCISO by telephone or email when they are not scheduled to be in the office, giving you what is in effect a full CISO function for incidents, events and information security crises.
- Chairing and participating in information security steering groups and committees.
- Representing information security at board level and in meetings.
- Interfacing with regulators, banks and other compliance regimes.
- Providing expertise to speedily address and resolve security incidents and breaches.
- Overseeing managed security services such as threat and vulnerability management.
- Working with client business managers to conduct risk assessments and develop security policies, and with senior management to develop an overall enterprise security plan.
- Consulting with the IT organisation to evaluate and implement effective security technologies and architecture.
- Managing, monitoring and maturing security processes (identity and access management, and threat and vulnerability management).
- Documenting and communicating enterprise security policies.
- Developing and implementing an overall enterprise security strategy, programme, technical security controls and architecture.
- Measuring and reporting on the effectiveness and efficiency of security activities, including performance metrics.
- Developing multi-year strategic information security roadmaps aligned with the business strategy.