Virtual CISO (vCISO)

vCISO – Renewing your Cyber security

Many businesses lack vital knowledge, leadership and strategy, but are unable to invest in a full-time CISO to manage matters of data security and risk within the organisation. In an ideal world a full-time CISO would provide the relevant knowledge, expertise and leadership to enable proper cybersecurity and risk management, but many businesses are not sizeable enough to warrant such a large expenditure.

In the wake of so many high-profile data breaches, and in the knowledge that such breaches have side-effects that are significantly more damaging than the cost of the breach alone, every organisation worth its salt is trying to close the gap between full-scale investment in a CISO and simply winging it.

A Virtual CISO (vCISO) provides these vital skills for smaller businesses who don’t yet have the need or resources available to take on an expensive executive, by reducing expenditure to only that which is needed to perform the relevant functions, whether that be a couple of days a month, a couple of days a week, or even an ad-hoc arrangement.

Vince Picton, CISSP, has the qualifications and experience necessary to deliver vCISO services on behalf of Unity Metrix Ltd. Having been a company director for many years, he is used to consulting on matters of cybersecurity and compliance without losing sight of the commercial aspects of the business. As well as providing thought-leadership, posture, gap and risk analysis, he is well positioned to help with implementation projects like ISO 27001, PCI-DSS, IASME Governance and the like, and is a registered IASME Governance and Cyber Essentials assessor.

We offer vCISO services to businesses in Birmingham, Cambridge, Liverpool, London, Manchester, Milton Keynes, Oxford, Preston, St Albans and the surrounding areas.


Benefits of using a vCISO

  • Hugely reduced staff costs
  • No training costs
  • No PAYE costs
  • No holiday costs
  • No sickness costs
  • Eclectic security expertise
  • Focused and driven in one direction
  • One step removed from IT-related schemes
  • Critical in today’s threat landscape
  • Access to further, specific expertise

Example Projects a vCISO Might Be Driving

The whole point of a vCISO is to help smaller businesses improve their security posture without losing sight of other business drivers, goals and needs. Securing the business therefore has to start with understanding how it operates, what constraints exist and what the executive team are looking to achieve.

Our vCISO Program

#1 Discovery Phase

Following the initial consultation, the vCISO will be involved in determining the existing security posture of the business, discovering asset values, risks and vulnerabilities, and creating some initial advice to put forward to drive the improved security of the business. The purpose of this phase is to highlight the issues and put forward potential ways to resolve them in order to create a full roadmap and business cases as required. The time this takes is dependent on the size and complexity of the business, but for smaller businesses it is usually something that can be done without too much interference with anyone else.

#2 Pre-Implementation

Once the roadmap and business cases have been signed off the programme will commence. This will usually involve the identification of relevant team members, prioritisation of remedial measures and the drawing up of a full plan of action. It is very important to have complete buy-in from the business owners, managers and any other high-level stakeholders. Armed with a plan of action and the resources identified, the business of securing the organisation can begin.

#3 Implementation

Often the measures identified will require individual project management, and this is something that can usually be handled by the CISO, unless the specific projects are sizeable, in which case internal or external project managers can be drafted in to keep tabs on the individual elements. For smaller businesses most of the orchestration is handled by the CISO. The time taken to implement the measures can be anything from a day to many months, in the case of a large ISO 27001 implementation for instance.

#4 Maintenance & Review

Implementing systems and controls is one thing, but the security industry moves very quickly indeed in order to keep up with the rapidly changing threat landscape. It is pointless implementing systems that are effective on day one and then not periodically reviewing their effectiveness. Changes in the efficacy of implemented systems, and in the assets that they protect, must be identified and addressed in order to maintain protection. To this end, regular risk assessments, impact analyses, performance reviews and the like are a critical part of data security success.

Learn how we can help transform your business

Get in touch online via the contact form or give us a call on 01582 380505