With new standards, regulations and a never-ending series of breaches, just what is a Virtual CISO to do? In my day-to-day activities, there are always three things I need to communicate in order to create a successful security program and I'll share those with you in this article.
1) What I Measure
The first thing I do as a Virtual CISO (Chief Information Security Officer), and indeed in almost any IT role, is to define what measures success and failure. Security is no different: my metrics give me a handle on just how vulnerable the organization is, and from them I can create a simple plan to remove some of the risk. My KPIs will always include the following, in the order I establish them (three here, for brevity):
- Coverage Ratio: The number of information assets on which we can detect and respond to security issues, divided by all the information assets in the company (workstations, servers, mobile devices, cloud VMs).
- Security Hygiene Percentage: The number of applied security settings that prevent a known attack, divided by the total number of applicable settings that prevent an attack (there are about 30).
- Vulnerability Rating: The number of CVEs rated above 8 (CVSS), divided by the number of critical assets.
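To make the three KPIs concrete, here is an added example (not from the article) that computes them over a constructed asset inventory. The asset names, the settings list and the CVE ids are placeholders, and the hygiene metric assumes a setting only counts once it is enforced on every asset.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    critical: bool        # belongs to the organization's critical asset set
    monitored: bool       # detection and response tooling covers this asset
    settings: set = field(default_factory=set)  # hardening settings applied on it
    vulns: dict = field(default_factory=dict)   # CVE id -> CVSS base score

# Constructed list of applicable settings (the article puts the real number at about 30)
APPLICABLE_SETTINGS = frozenset({"mfa", "disk-encryption", "auto-patch", "edr-agent", "smb-signing"})
HIGH_SEVERITY = 8.0  # the article's threshold: CVEs rated above 8

def coverage_ratio(assets):
    """Assets we can detect and respond on, divided by all information assets."""
    return sum(1 for a in assets if a.monitored) / len(assets) if assets else 0.0

def hygiene_percentage(assets, applicable=APPLICABLE_SETTINGS):
    """Settings enforced on every asset / applicable settings, as a percentage.
    A setting applied on only some assets does not count (this example's assumption)."""
    if not assets or not applicable:
        return 0.0
    enforced = set(applicable)
    for a in assets:
        enforced &= a.settings
    return 100.0 * len(enforced) / len(applicable)

def vulnerability_rating(assets, threshold=HIGH_SEVERITY):
    """Findings rated above the threshold on critical assets / number of critical assets.
    Returns None when there are no critical assets, so a 0 is never mistaken for 'clean'."""
    critical = [a for a in assets if a.critical]
    if not critical:
        return None
    high = sum(1 for a in critical for score in a.vulns.values() if score > threshold)
    return high / len(critical)

# Constructed sample inventory; CVE ids are placeholders, not real advisories
INVENTORY = [
    Asset("dc01", critical=True, monitored=True, settings=set(APPLICABLE_SETTINGS),
          vulns={"CVE-0000-0001": 9.8}),
    Asset("web01", critical=True, monitored=True,
          settings={"mfa", "auto-patch", "edr-agent", "smb-signing"},
          vulns={"CVE-0000-0002": 8.1, "CVE-0000-0003": 5.3}),
    Asset("laptop-17", critical=False, monitored=False,
          settings={"mfa", "disk-encryption", "edr-agent"}, vulns={"CVE-0000-0004": 9.0}),
    Asset("cloud-vm-3", critical=False, monitored=True, settings={"mfa", "auto-patch", "edr-agent"}),
]
```

Note that the 9.0 finding on the unmonitored laptop does not move the Vulnerability Rating, because that asset is not critical; it shows up in the Coverage Ratio instead.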
2) How Often to Meet
Typically, a Virtual CISO is involved in the life cycle of new services or programs to assess the security impact or to present to stakeholders on the current status of your security. In between those meetings, a once-a-month cadence will allow a CISO to track the implementation of various cyber-initiatives across departments from Engineering, Development, Management and Support.
3) The Kinds of Things I Should Know
Most people understand that a CISO has something to do with security, but what is unclear is what kind of information they should know and what makes a good one. Ultimately, making your workplace secure and communicating that to all stakeholders means a CISO must understand the most important aspects of planning and tracking security, such as:
- Architecture: What is the best way to implement systems and what systems to integrate that will have the biggest impact on the organization as a whole, no matter what the objective is (such as malware mitigation, data theft, unauthorized access, denial of service etc.)
- Standards/Legislation: When new legislation or standards such as GDPR, PCI-DSS, NIST, or the Privacy Act apply to you, you will need to understand what to do and how to address them. A CISO's responsibility is to be aware of and understand the status of compliance.
- Threats, Malware, Breaches: To a certain degree, a CISO must understand the threat landscape in order to know where the holes are and have a plan in place to close them. If you have to explain to your CISO what a man-in-the-middle or low-and-slow attack is, the likelihood that they will secure your environment effectively is quite low.
- Strong Security People: The "C" in the title CISO is about being able to deliver services through people, and a strong CISO has a network of individuals who have executed multiple aspects of a security program in the past. If they don't know a go-to for firewall installation, pen-testing or forensic investigation, they won't be effective at filling the gaps in your security program.
A Virtual CISO is an individual who helps bring mature cybersecurity programs to the mid-size organization without requiring a large budget and/or team to implement them. They understand the Standards, Architecture and Security Risks you are facing, can quickly move a weak baseline, and help to communicate your security posture.
IntelliGO Managed Detection and Response (MDR) includes these services to augment the information coming from our platform and risk mitigation center to round out your security program.
Download a sample of our Prevention Posture Assessment (PPA) report and find out how you can use it to determine if you have been breached or can be breached by malware.