Virtual CISO Services – St Albans
Many businesses lack vital knowledge, leadership and strategy, but are unable to invest in a full-time CISO to manage matters of data security and risk within the organisation. In an ideal world a full-time CISO would provide the relevant knowledge, expertise and leadership to enable proper cybersecurity and risk management, but many businesses are not sizeable enough to warrant such a large expenditure.
Benefits of using a vCISO:
- Hugely reduced staff costs
- No training costs
- No PAYE costs
- No holiday costs
- No sickness costs
- Eclectic security expertise
- Focused and driven in one direction
- One step removed from IT-related schemes
- Critical in today’s threat landscape
- Access to further, specific expertise
Our St Albans Virtual CISO Program
The whole point of a vCISO is to help smaller businesses around St Albans to improve their security posture without losing sight of other business drivers, goals and needs. Securing the business therefore has to start with understanding how it operates, what constraints exist and what the executive team are looking to achieve.
Getting To Know You
Initially the vCISO will meet the team and try to gain an understanding of how the executives see the role of data security in the business, where they see potential flaws and how they perceive value in the risk management process.
Following the initial exercise the vCISO will be involved in determining the existing security posture of the business, discovering asset values, risks and vulnerabilities, and drawing up initial recommendations to drive improvements to the security of the business. The purpose of this phase is to highlight the issues and put forward potential ways to resolve them, in order to create a full roadmap and business cases as required. The time this takes depends on the size and complexity of the business, but for smaller businesses it can usually be done without too much disruption to anyone else.
Once the roadmap and business cases have been signed off the programme will commence. This will usually involve the identification of relevant team members, prioritisation of remedial measures and the drawing up of a full plan of action. It is very important to have complete buy-in from the business owners, managers and any other high-level stakeholders. Armed with a plan of action and the resources identified, the business of securing the organisation can begin.
Often the measures identified will require individual project management, and this is something that can usually be handled by the vCISO, unless the specific projects are sizeable, in which case internal or external project managers can be drafted in to keep tabs on the individual elements. For smaller businesses most of the orchestration is handled by the vCISO. The time taken to implement the measures can be anything from a day to many months, in the case of a large ISO 27001 implementation for instance.
Maintenance and review
Implementing systems and controls is one thing, but the security industry moves very quickly indeed in order to keep up with the rapidly changing threat landscape. It is pointless to implement systems that are effective on day one and then never periodically review their effectiveness. Changes in the efficacy of implemented systems, and in the assets that they protect, must be identified and resolved in order to maintain protection. To this end, regular risk assessments, impact analyses, performance reviews and the like are a critical part of data security success.
A Virtual CISO (vCISO) provides these vital skills for smaller businesses around the St Albans area that do not yet have the need or the resources to take on an expensive executive, by reducing expenditure to only what is needed to perform the relevant functions, whether that is a couple of days a month, a couple of days a week, or even an ad-hoc arrangement.
Vince Picton, CISSP, has the qualifications and experience necessary to deliver vCISO services on behalf of Unity Metrix Ltd. Having been a company director for many years, he is used to consulting on matters of cybersecurity and compliance without losing sight of the commercial aspects of the business. As well as providing thought leadership and posture, gap and risk analysis, he is well positioned to help with implementation projects such as ISO 27001, PCI DSS and IASME Governance, and is a registered IASME Governance and Cyber Essentials assessor.