As the end of the year rapidly approaches, everyone does their best to reflect upon the prior year (or decade, since it is the end of one of those as well) and see what they might have learned from it: the top songs, top movies, and top vacation destinations, just to name a few. We here at Compass IT Compliance are no different, but when we review the past twelve months, we look at what we’ve learned from all the security successes and failures we saw, and how we can improve in 2020.
Without a doubt, one of our fastest growing segments is the Virtual Chief Information Security Officer, or vCISO. We have talked in prior blog posts of the role it can play, and what the benefits are of having a vCISO or a CISO. Now that we’ve kicked off 2020, we are looking back at many of the vCISO engagements in 2019 and finding that there are some common areas that most of our clients need assistance with. So, here are the top 5 vCISO takeaways for 2019:
- Know Your Environment – The first step in building a good security posture is understanding what the business is, where the data is, who has access to it, how it is used, and who is responsible for security in your company. You might be surprised to learn that many of these questions can’t be answered easily, but they are all critical in building a baseline of what needs to be secured, how it needs to be protected, and even who should be aware of the security responsibilities (this is a trick question; the answer is everyone, just to varying degrees). Even a genius security person will not be able to make much progress without a good understanding of the environment.
- Rate Your Risk – Once the environment is reviewed and goals and objectives are determined, a good security team will identify risks and rate them. This will be critical to designing a roadmap for reducing and remediating gaps in the environment, and rating the risk is just as critical as identifying it when deciding what to tackle first. Is having a vendor management program more important than making sure systems are patched? Is that incident response plan more important than having a penetration test performed? Creating a risk register to rank the risks, and then deciding what to tackle in what order, is a business decision based on resources and timelines as well as the severity of the risk.
- Engage the Enterprise – Not the starship sadly, but your entire organization. Let’s face it, in most cases when you’re talking security to the information technology staff, many of them are already drinking the Kool-Aid, and it is easy to get buy-in. But can you explain to the CFO why there needs to be a security budget? Does the CEO understand why you keep sending him those test phishing emails? Here’s the bottom line: You’re going to need the movers and shakers in the organization to buy into a good security program. The difference between a stack of policies and a good security program is the inclusion of everyone understanding their roles and responsibilities. The best CISO in the world isn’t going to help your company improve security without the team leaders as part of the charge, and if the users share passwords with each other, you are sunk before you’ve begun!
- Listen to Your Clients – Compass IT Compliance has quite a few clients that are in the service industry. Because of this, they have clients of their own. Over the last 12 months, there has been an explosion of these clients asking for security due diligence before signing a contract. Most of them send a questionnaire that has 100 to 300 security questions on it. They ask these questions and solicit evidence so that they feel confident they will not suffer a security breach by signing with your company. Take a look at some of these questionnaires. If you can answer yes to 75% or more, you’re probably in good shape. If you answer no or you’re not sure 50% of the time, not only do you probably have some work to do, but your client may have just given you guidance on what to work on next!
- Ask for Help – In this day and age, no one is an expert on all things security. That’s why Compass IT Compliance has a team. We have forensics people and pen testers, people that know PCI, HIPAA, business continuity, and incident response. We have people that are great with governance, and people that look at code for issues. The landscape is constantly changing, and it is important to know what the current threats are and how to protect against them. A CISO is always looking to the horizon to protect against not only the threats of today, but the threats of tomorrow as well. If a company lacks these resources for whatever reason, looking at a vCISO could be both a practical and fiscally sound decision.
Obviously, this just scratches the surface of the vCISO role, and every organization is different. The vCISO can work on everything from creating an information security program to building an incident response plan to running vulnerability management and more! But these are a few key items we see repeated over and over in our engagements, and they are critical to the success of a strong security posture in an organization. Compass IT Compliance offers a variety of security consulting packages and virtual information security officer services to help you build and manage your security infrastructure. Contact us today to learn more!