vCISO? - How to Avoid Buying Christmas Dinner for Your Information Security Guru

I’ve been doing Information Technology work for a long time. Starting with a volunteer job teaching how to use personal computers in 1984, through my time in the Marines, becoming a professional information security trainer, network consultant, on to head of Information Security and eventually CIO for a two billion dollar financial institution, and now joining Parameter Security full-time, it has been quite a journey. In that time, I have learned to deal with a lot of acronyms and abbreviations. Today I would like to focus on just one of them:

vCISO – virtual Chief Information Security Officer

Though it was tempting, I decided to avoid starting out with something like, “You need a vCISO to augment the efforts of your CIO in your PCI InfoSec program to ensure your BIA was accurate enough to assist in generation of your BCP, because we all know if a DR event occurs, and the SHTF, everyone will be MIA, and if you failed to CYA, you will likely find yourself in hot water with HR, the CEO, and will be SOL.” Now, some of those acronyms were just for effect, and I won’t ever be explaining them, at least not in a blog post. But some of them we will certainly tackle in future writing.

A vCISO is a way to augment (or even fulfill completely) your Information Security (InfoSec) strategy and cybersecurity oversight needs. Perhaps you are facing regulatory or compliance issues such as PCI, or you are concerned about things like ransomware, or have supply chain questions. Even better, maybe you are concerned about what you don’t know you don’t know.

There are many InfoSec concerns that can plague small to medium-sized businesses, and no easy means to address them. A vCISO can walk alongside you through a discovery process to get an idea of where your security program is, where you want it to be based on your business concerns and goals, and what it will take to bridge that gap. There are many specifics that could be discussed, but then I would have to get into more acronyms, and I said I wouldn’t do that today.

Every client is different and presents unique opportunities. Parameter uses a flexible “boot camp” approach during vCISO engagements: evaluating, teaching, and reporting in an organized fashion. We collaborate with you to set the priority for meeting your needs, but still ensure that all areas are covered to best manage your risk. For example, a client might have a pressing regulatory need that we usually address later in our vCISO process, but because we’ve built our vCISO program to include flexibility and prioritize meeting the client wherever they are, we would be able to build that section early, and return to revise it later after completing due diligence.

In a nutshell, just think of a vCISO as a means to access a resource with InfoSec expertise only gained by years of diverse experience across varying industries, without having to pay for one full time. You use them only when you need them, and don’t have to pay for a full forty hours a week. You save money, and most importantly, as promised: It means one less dinner you must buy at the annual Christmas party.

See you next time!

Jon