Virtual CISO Services – Cambridge
Many businesses lack the vital knowledge, leadership and strategy needed to manage data security and risk within the organisation, but are unable to invest in a full-time CISO. In an ideal world a full-time CISO would provide the relevant knowledge, expertise and leadership to enable proper cybersecurity and risk management, but many businesses are not sizeable enough to warrant such a large expenditure.
Virtual CISO – Renewing your Cyber Security
The title of “CISO” did not exist until 1995, when Steve Katz took on the pioneering role at Citibank. The same year also saw the first use of the term “ethical hacking”, by IBM Vice President John Patrick. It is not possible to accurately determine how many cyber incidents there were in that year, but we do know that viruses, or more specifically, worms, were the main cause of data loss in the cyber world, and they numbered no more than a few thousand at worst.
Fast forward 25 years and we are running businesses amongst hundreds of millions of viruses, malware, trojans, ransomware, hackers, crackers and the like, stealing billions of records every year and costing businesses a vast fortune. In fact, it is estimated that 1.3 million new pieces of malware are created every single day, with attacks growing 150% per year and resulting in 20 million breached records in March 2021 alone. Businesses have to look at this problem from a new defensive perspective; a good anti-virus suite falls a million miles behind what is needed, but what is that exactly? Enter the CISO…
Whether a business has 10 employees or 10,000, the risks are largely the same. Risks stem not only from a technical perspective, but also from an administrative one; after all, 80% of all data loss occurs as a result of one of those employees! The job of the Chief Information Security Officer is to ascertain exactly what risks are present in the business, what targets they apply to, how they might be mitigated, what systems, processes, technical solutions or other actions might reduce the risks to an acceptable level, what the costs involved are, and whether there is a business case to progress with solutions. They provide insight and leadership and are a critical part of any modern business.
Some of the things a CISO gets involved with are:
- Managing aspects of IT infrastructure and physical security
- Implementation of governance systems like IASME, Cyber Essentials and ISO27001
- Reviewing and monitoring security systems performance and efficacy
- Driving good practice and providing thought leadership around matters of data security
We offer vCISO services to businesses in Birmingham, Cambridge, Liverpool, London, Manchester, Milton Keynes, Oxford, Preston, St Albans and the surrounding areas.
Benefits of using a vCISO:
- Hugely reduced staff costs
- No training costs
- No PAYE costs
- No holiday costs
- No sickness costs
- Eclectic security expertise
- Focused and driven in one direction
- One step removed from IT-related schemes
- Critical in today’s threat landscape
- Access to further, specific expertise
Our Cambridge Virtual CISO Program
The whole point of a vCISO is to help smaller businesses around Cambridge to improve their security posture, without losing sight of other business drivers, goals and needs. Securing the business therefore has to start with understanding how it operates, what constraints exist and what the executive team are looking to achieve.
Getting To Know You
Initially the vCISO will meet the team and try to gain an understanding of how the executives see the role of data security in the business, where they see potential flaws and how they perceive value in the risk management process.
Following the initial exercise, the vCISO will be involved in determining the existing security posture of the business, discovering asset values, risks and vulnerabilities, and drawing up initial advice to drive the improved security of the business. The purpose of this phase is to highlight the issues and put forward potential ways to resolve them, in order to create a full roadmap and business cases as required. The time this takes is dependent on the size and complexity of the business, but for smaller businesses it is usually something that can be done without too much interference with anyone else.
Once the roadmap and business cases have been signed off the programme will commence. This will usually involve the identification of relevant team members, prioritisation of remedial measures and the drawing up of a full plan of action. It is very important to have complete buy-in from the business owners, managers and any other high-level stakeholders. Armed with a plan of action and the resources identified, the business of securing the organisation can begin.
Often the measures identified will require individual project management, and this is something that can usually be handled by the CISO, unless the specific projects are sizeable, in which case internal or external project managers can be drafted in to keep tabs on the individual elements. For smaller businesses most of the orchestration is handled by the CISO. The time taken to implement the measures can be anything from a day to many months, in the case of a large ISO27001 implementation for instance.
Maintenance and review
Implementing systems and controls is one thing, but the security industry moves very quickly indeed in order to keep up with the rapidly changing threat landscape. It is pointless implementing systems that are effective on day one and then not periodically reviewing their effectiveness. Changes in the efficacy of implemented systems, and in the assets that they protect, must be identified and addressed in order to maintain protection. To this end, regular risk assessments, impact analyses, performance reviews and the like are a critical part of data security success.
A Virtual CISO (vCISO) provides these vital skills for smaller businesses around the Cambridge area that don’t yet have the need or resources available to take on an expensive executive, by reducing expenditure to only that which is needed to perform the relevant functions, whether that be a couple of days a month, a couple of days a week, or even an ad-hoc arrangement.
Vince Picton, CISSP, has the qualifications and experience necessary to deliver vCISO services on behalf of Unity Metrix Ltd. Having been a company director for many years, he is used to consulting on matters of cybersecurity and compliance without losing sight of the commercial aspects of the business. As well as providing thought leadership and posture, gap and risk analysis, he is well positioned to help with implementation projects like ISO 27001, PCI-DSS, IASME Governance and the like, and is a registered IASME Governance and Cyber Essentials assessor.