Part-Time Chief Information Security Officer (CISO)

Techumen by the numbers:

  • 1032 Healthcare Organizations Served
  • 2087 Audits Completed
  • 100% Pass Rate from HHS/CMS Audits

The Problem

Many companies are at an awkward, adolescent point in their growth. They are large and complex enough to have sophisticated IT security needs, but not so large, or so flush with cash, as to need a CISO full-time. A good fit for a part-time CISO is a company that meets one or more of the following points:

  • Has a security department of zero or one, and those are 100% committed to daily operations
  • Is purely reactive to security problems, and can’t seem to get ahead
  • Has rapidly expanded its digital commerce channels, in part due to COVID-19
  • Wants a long-term plan to make their security better over the next few months and years, but doesn’t know where to start
  • Is in a regulated industry such as healthcare or finance, and needs a bridge between IT and compliance
  • Receives many inbound security questionnaires from customers and prospects
  • Is growing rapidly and wants to make sure nothing gets missed in the sprint to growth

The Solution

A part-time CISO can be a force multiplier to your internal staff – or, to use a humbler metaphor, the salt that takes the stew from “good” to “delicious!”.   

Many companies don’t need a full-time CISO, but can still benefit from the leadership, experience, wide perspective, and vision that come with decades of experience in security.   

“Part-time” is a flexible concept, but it does have limits. We have found, through experience, that two days per month is the minimum useful commitment. Smaller amounts of time are consumed by logistics, scheduling, and communication, leaving little room to provide real value.

One or two days each week is ideal. That way, “The CISO is here on Tuesdays” can be a clear, simple message to send. Similarly, we have found that 90 days is the shortest engagement over which a part-time CISO can be useful.

Needs that can be met in a shorter time frame are better suited for a one-time project with specific deliverables.

The Benefits

Experience: Techumen’s CISOs have decades of experience in the IT field, both technical and strategic. 

We have been CISOs for:

  • hospital systems
  • health plans
  • software-as-a-service companies
  • insurance companies
  • and other businesses.  

This experience, both broad and deep, can be turned to a wide variety of clients and situations. 

Focus: In-house staff are, quite rightly, focused on the daily operations of serving customers and keeping the business running. An outsourced CISO can keep the long view in focus and make sure the team is pointed in the right direction – that the important is not sacrificed to the urgent.

Flexibility: If or when your business plans change, customers make new demands, new security risks are announced, or some other change happens (such as COVID-19), your part-time CISO has the ability and experience to pivot quickly to the new needs.

The Process

We will always start with two items: 

  • A Risk Assessment that shows the highest risks to your systems and data, and where the organization stands against the laws and regulations on information security
  • A Program Maturity Assessment that shows how well your security program is functioning. It is vital to planning progress, instilling accountability, and achieving the organization’s strategic goals. (If you already have both of these, we’ll start with a review of what you’ve got). 

After that, our solutions will be tailored to each client. We will strike a balance between meeting any immediate needs you have and improving your security in the long term. 

We will produce a custom plan for each client, showing the tasks, milestones, and scheduling for each security objective. 

Status Reports will be sent weekly and a site for workpapers will be deployed. 

Some common tasks that we have handled as part-time CISOs:

Security questionnaires: Questionnaires about security from customers and partners are becoming more common as the risks from business partners receive more focus. It’s important to respond quickly and well, but doing so takes time away from operations. A part-time CISO can make sure these important, but not urgent, tasks get completed. We’ve both sent and reviewed hundreds of these questionnaires, and this experience lets us process them quickly. Having a CISO, rather than a Director of IT Security, also sends a strong signal to customers and sales prospects.

Need to expand your IT security?

Book a Free 30 Minute Consultation and Let’s Make a Plan Together