Part Time CISO

Our CISO Part Time Services by The Numbers

1032

Healthcare Organizations Served

2087

Audits Completed

100%

Pass Rate from HHS/CMS Audits

The Problem with Full-Time CISO

Many companies are at an awkward, adolescent point in their growth. They are large and complex enough to have sophisticated IT security needs, but not so large, or flush with cash, as to need a CISO full-time. A good fit for a part-time CISO is a company that meets one or more of the below points:

Has a security department of zero or one, and those are 100% committed to daily operations
Is purely reactive to security problems, and can’t seem to get ahead
Has rapid expansions of digital commerce channels some in part due to COVID-19

Wants a long-term plan to make their security better over the next few months and years, but doesn’t know where to start
Is in a regulated industry such as healthcare or finance, and needs a bridge between IT and compliance
Receives many inbound security questionnaires from customers and prospects
Is growing rapidly and wants to make sure nothing gets missed in the sprint to growth

The Solution to CISO Part Time

A part-time CISO can be a force multiplier to your internal staff – or, to use a humbler metaphor, the salt that takes the stew from “good” to “delicious!”.

Many companies don’t need a full-time CISO, but can still benefit from the leadership, experience, wide perspective, and vision that come with decades of experience in security.

“Part-time” is a flexible concept, but does have limits. We have found, through experience, that two days per month is the minimum useful commitment. Smaller amounts of time are taken up with logistics, scheduling, and communication and little is left to provide much value.

One or two days each week is ideal. That way, “The CISO is here on Tuesdays” can be a clear, simple message to send. Similarly, we have found that a 90-day commitment is the shortest useful time period over which a part-time CISO can be useful.

Needs that can be met in a shorter time frame are better suited for a one-time project with specific deliverables.

The Benefits Part-Time CISO

Experience: Techumen’s CISOs have decades of experience in the IT field, both technical and strategic.

We have been CISOs for:

hospital systems
health plans
software-as-a-service companies
insurance companies
and other businesses.

This experience, both broad and deep, can be turned to a wide variety of clients and situations.

Focus: In house staff are, and very rightly, focused on the daily operations of serving customers and keeping the business running. An outsourced CISO can keep the long view in focus and make sure the team is pointed in the right direction – that the important is not sacrificed to the urgent.

Flexibility: If or when your business plans change, or customers make new demands, or new security risks are announced, or some other change happens (COVID-19), your part-time CISO has the ability and experience to quickly pivot to the new needs.

You Don't Need Full-Time CISO

We will always start with two items:

A Risk Assessment that shows what are the highest risks to your systems and data, and where the organization stands against laws and regulations on information security
A Program Maturity Assessment that shows how well your security program is functioning. It is vital to planning progress, instilling accountability, and achieving the organization’s strategic goals. (If you already have both of these, we’ll start with a review of what you’ve got).

The Process of CISO

After that, our solutions will be tailored to each client. We will strike a balance between meeting any immediate needs you have and improving your security in the long term.

We will produce a custom plan for each client, showing the tasks, milestones, and scheduling for each security objective.

Status Reports will be sent weekly and a site for workpapers will be deployed.

Some common tasks that we have handled as part-time CISOs:

These questionnaires about security are becoming more common as the risks from business partners receive more focus. It’s important to respond quickly and well, but it takes time away from operations. A part-time CISO can make sure these important, but not urgent, tasks get completed. We’ve both sent and reviewed hundreds of these questionnaires, and this experience lets us process them quickly. It also sends a strong signal to customers and sales prospects to have a CISO, rather than a Director of IT Security.

Performing an audit of your IT infrastructure is the easy part. The difficult and more important parts are a) determining what to audit and b) doing something with the results. Out of all the security controls in place in your organization, which are worth the time and trouble of auditing? And, what, if anything, should be done with the results? We have over 10 years’ experience in Big 4 audit firms and can run a lightweight, yet effective IT audit program that isn’t just make-work.

As Ronald Reagan said, “Trust but verify”. You may think you’re doing a great job on security, but you should have an external assessment done at least annually to double-check. We have managed the penetration test programs for Fortune 500 companies and can tell a high-quality test from a checkbox exercise. More importantly, we can translate the technical findings of a pen test into business risk, and prevent your staff from fixing items that are low risk.

When was the last time you exercised your Disaster Recovery plan? How well is your staff recognizing phishing attempts? Does everyone know what to do in a business continuity situation? “People” are both the last line of defense and the first responders to any security incident, and it’s worth investing in training them. A part-time CISO can also answer any on-the-spot questions that arise in the course of business.

Need to expand your IT security?

Book a Free 30 Minute Consultation and Lets Make a Plan Together

Techumen provides cyber security and regulatory compliance audits, assessments, and consulting for healthcare organizations.