These questionnaires about security are becoming more common as the risks from business partners receive more focus. It’s important to respond quickly and well, but doing so takes time away from operations. A part-time CISO can make sure these important, but not urgent, tasks get completed. We’ve both sent and reviewed hundreds of these questionnaires, and this experience lets us process them quickly. Having a CISO, rather than a Director of IT Security, also sends a strong signal to customers and sales prospects.
Performing an audit of your IT infrastructure is the easy part. The difficult and more important parts are a) determining what to audit and b) doing something with the results. Out of all the security controls in place in your organization, which are worth the time and trouble of auditing? And what, if anything, should be done with the results? We have over 10 years’ experience in Big 4 audit firms and can run a lightweight, yet effective IT audit program that isn’t just make-work.
As Ronald Reagan said, “Trust but verify”. You may think you’re doing a great job on security, but you should have an external assessment done at least annually to double-check. We have managed the penetration test programs for Fortune 500 companies and can tell a high-quality test from a checkbox exercise. More importantly, we can translate the technical findings of a pen test into business risk, and prevent your staff from fixing items that are low risk.
When was the last time you exercised your Disaster Recovery plan? How well is your staff recognizing phishing attempts? Does everyone know what to do in a business continuity situation? “People” are both the last line of defense and the first responders to any security incident, and it’s worth investing in training them. A part-time CISO can also answer any on-the-spot questions that arise in the course of business.
How confident are you that your projects will be on time and under budget? Setting and enforcing project standards is another important, but not urgent, task that a part-time CISO is ideally suited for.