It’s Cyberwar, And Your Company Has No General
If you can’t hire a Chief Information Security Officer (CISO), then rent one
– Dr. Eric Cole, Virtual CISO
Reston, Va. – Feb. 1, 2019
Why companies lose the cyberwar … and what they can do about it.
There is a reality that every organization must face — you are a target and security is your responsibility. Everyone views cyberattacks like they do illnesses, accidents and robberies; those are things that happen to someone else — until they happen to you.
Any organization is going to get compromised because there is a fundamental truth — we are at war. There is a cyberwar that is ongoing 24 hours a day, 7 days a week, and every organization is at risk. As with any war, those that have an appropriate strategic plan win and those that have no clear vision are losing. This clearly explains why so many organizations are losing and having significant breaches — they do not have a general in charge of their war plan. In cybersecurity, this general has the title of CISO (Chief Information Security Officer).
What is a Chief Information Security Officer (CISO), really? What makes a good one? To find out, download your free copy of “Do You Know CISO?” today.
It is also important to note that many organizations have a CISO, but without the proper support, training, and buy-in from the executives, the person has little chance of success. When a company gets breached, the board wants action and targeting the CISO can seem like a way out. Bottom line is this accomplishes nothing, and the better approach is to have an experienced CISO in place and well supported.
With the increase of breaches and the importance of cybersecurity to a point that it is being discussed in boardrooms, many organizations are starting to recognize the value of an effective CISO. The problem is that while companies recognize the importance of cybersecurity and the criticality of a CISO, they have no idea how to structure this position, who to hire, and the metrics for success.
The challenge in finding a qualified CISO is exacerbated by the fact that there are very few people who have extensive experience in this position. Not many executives can accurately say that they have been a CISO for 10 years because in most cases this position did not exist.
There is an opportunity available that many companies are overlooking: hiring a virtual CISO.
With the virtual CISO, your organization receives expert advice in understanding what the role of a CISO is within an organization. By defining clear metrics with a strategic plan, there can be proper alignment with the executives and clear communication to the technical team on how to properly implement security. The foundational item to providing this proper balance is to create a security dashboard with the appropriate technical metrics tracked and translated into business terms that can be used to drive the business.
A perfect example of the lack of a well-defined CISO with an appropriate security plan, integrated into a dashboard, is the current set of large-scale breaches that have occurred. The question that puzzles everyone is how a billion-dollar organization that spends a significant amount of monetary and human resources on security misses the obvious.
In almost all the major breaches, there was a server that was accessible from the Internet, was missing patches, and contained unencrypted critical data. How does this happen? Simple — there were no metrics or dashboards. Fundamental components such as asset inventory and configuration management got overlooked. With a properly trained CISO, this would not have happened. This is the exact problem that the virtual CISO solves for your organization.
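The combination just described (Internet-facing, unpatched, unencrypted critical data) is exactly what an asset-inventory-driven dashboard should surface. The following is an added illustration, not code from the post or from Secure Anchor; the inventory, the field names and the 30-day patch threshold are all constructed assumptions.

```python
"""Flag the breach pattern the post describes from an asset inventory and
roll it up into a dashboard with both technical counts and a business line.
Added example; the inventory, fields and patch SLA are constructed."""
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 30  # assumed policy threshold, not taken from the post


@dataclass
class Asset:
    name: str
    internet_facing: bool
    last_patched: date
    holds_critical_data: bool
    data_encrypted_at_rest: bool


def breach_conditions(asset, today):
    """Return which of the three conditions this asset currently meets."""
    findings = []
    if asset.internet_facing:
        findings.append("internet-facing")
    if (today - asset.last_patched).days > PATCH_SLA_DAYS:
        findings.append("missing-patches")
    if asset.holds_critical_data and not asset.data_encrypted_at_rest:
        findings.append("unencrypted-critical-data")
    return findings


def dashboard(inventory, today):
    """Technical metrics plus one sentence an executive can act on."""
    rows = {a.name: breach_conditions(a, today) for a in inventory}
    critical = [name for name, f in rows.items() if len(f) == 3]
    return {
        "assets": len(inventory),
        "internet_facing": sum("internet-facing" in f for f in rows.values()),
        "unpatched": sum("missing-patches" in f for f in rows.values()),
        "unencrypted_critical": sum("unencrypted-critical-data" in f for f in rows.values()),
        "critical_exposures": critical,  # assets meeting all three conditions
        "business_summary": f"{len(critical)} of {len(inventory)} systems could "
                            "cause a reportable breach today",
    }


# Constructed sample inventory; TODAY matches the post's publication date.
INVENTORY = [
    Asset("web-01", True, date(2018, 10, 1), True, False),
    Asset("db-02", False, date(2018, 10, 1), True, False),
    Asset("api-03", True, date(2019, 1, 20), True, True),
]
TODAY = date(2019, 2, 1)

if __name__ == "__main__":
    print(dashboard(INVENTORY, TODAY))
```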
What to do if your organization is not confident in your CISO—or if you don’t have one? To find out, download your free copy of “Do You Know CISO?” today.
Allowing the virtual CISO to be contracted rather than employed creates numerous benefits that progressive companies and organizations are beginning to experience.
Top 5 reasons to rent a CISO:
- A virtual CISO is often working with multiple businesses and organizations across different industries. This gives them a top-level view of what the current threats are and how they are being countered. This overview is paramount in creating a level of awareness an in-house CISO simply does not have. Often, in-house CISOs are focused narrowly on current initiatives, leaving the organization vulnerable to new strategies and attacks.
- A virtual CISO is generally producing results against a very clearly defined measure of success, metrics or dashboard. As it is not an employee role, the issue of ‘wearing multiple hats’ does not happen. An in-house CISO, by contrast, can end up troubleshooting all kinds of issues that any IT department could manage; because they are on site with the expertise, they are often pulled into tasks and initiatives that have nothing to do with their role. This streamlined focus and responsibility makes for a more secure organization when working with a virtual CISO.
- A virtual CISO should be able to provide you with a clear process and plan of action for what they know are the top strategies in minimizing vulnerabilities and quickly defending against threats. These are proven and tested processes that will alleviate the ‘figuring it out’ for executives and teams. Shifting from “scratching your head” to “action” is important because the adversary already knows what it’s doing.
- A virtual CISO will generally have a community of resources that an employee simply wouldn’t have. Either they are working with a firm that offers this service or they are staying connected and continuing their education with other virtual CISOs. Why is this important? Because in a community you have deeper levels of knowledge and awareness. Bottom line: threats are identified faster, and problems are solved faster.
- A virtual CISO should be able to communicate the complexities of technical language to executives. This is a big part of creating a partnership in keeping the organization safe and ensuring everyone knows and implements their role. This level of communication creates a sense of stability for executives and teams.
Now that I’ve convinced you to hire a virtual CISO, ensure they can provide these 5 benefits.
– Dr. Eric Cole is a renowned security expert with over two decades of experience in IT and network security. He is the author of several books and textbooks, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat, and has presented at many major conferences. He served as a member of the Commission on Cyber Security for the 44th President, Barack Obama, and also sits on several executive advisory boards.
Secure Anchor provides high-touch cybersecurity services that help organizations prevent security breaches, detect network intrusions, and respond to advanced threats. Using a proven methodology developed by noted author, speaker, and trainer, Dr. Eric Cole, Secure Anchor’s recommendations are tailored to the needs of the organization, prioritized, and actionable.