Years ago, when Loffler started providing comprehensive cybersecurity risk assessments, we saw how excited organizations were about improving IT security.
But then a couple of months would pass, and we’d often hear an unfortunate update: “We let our cybersecurity initiatives die down due to lack of focus.”
What had been an important initiative in cybersecurity was overrun by the daily to-do list. We realized organizations needed help in holding themselves accountable for improving cybersecurity, and we decided to provide a way to manage tasks and keep the momentum going.
Given today's ever-changing cybersecurity threat landscape, all organizations must assume that their IT environment will be compromised at some point.
While large organizations may hire a Chief Information Security Officer (CISO) to oversee cybersecurity, many small and medium businesses (SMBs) can't afford to hire someone in this position.
That’s where virtual Chief Information Security Officers, or vCISO services, become an attractive option, because they can provide needed cybersecurity guidance that fits within an SMB’s IT budget.
What Is a vCISO?
A vCISO makes cybersecurity expertise available to SMBs at an affordable cost. Working with a vCISO is a guided process to build or improve a cybersecurity program, with the flexibility to address an organization’s specific regulatory and compliance concerns.
A vCISO is a credentialed and experienced security professional with deep technical expertise, and the vCISO service is offered in a fractional consumption model, so organizations only pay for what they need. The work product is based on industry-standard cybersecurity frameworks. This makes it simple for SMBs to gain cybersecurity expertise at an affordable price point.
While there are several types of these virtual engagements available, vCISO services help organizations build an information security program that meets the increasingly strict requirements of cybersecurity insurance underwriters, regulatory bodies, cybersecurity frameworks, security best practices and third-party risk assessors.
How a Virtual CISO Improves Cybersecurity Programs for SMBs
Cybersecurity has become extremely complex over the last few years. New threats emerge daily, and the profit motive is high for hackers. Current threats have included:
- Encrypting ransomware
- Phishing
- Stolen/compromised credentials
- Wire fraud scams
- Cryptojacking
- Data breaches
- Distributed Denial of Service (DDoS) attacks
- IoT (Internet of Things) attacks
To reduce cybersecurity risks, organizations need more than prevention systems such as firewalls, IPS (Intrusion Prevention System) and anti-virus. They also need to prepare policies and procedures and manage ongoing vulnerabilities.
Hiring a CISO in-house is the most effective way to ward off cybersecurity threats. But many SMBs do not have the budget to maintain a person in this critical role. That’s why many turn to a virtual engagement with a vCISO to cover their needs.
Virtual CISO Responsibilities
In addition to baseline vCISO engagement offerings, a managed service provider can also focus on cybersecurity offerings that benefit their clients most.
Loffler has chosen to add two security concentrations under our vCISO program: Managed IT Security Policies and Vulnerability Management.
vCISO Managed IT Security Policies
Quick and easy implementation of information security policies can be an elusive goal for many organizations. With vCISO services that manage IT security policies, organizations can speed up the creation process and add an auditable annual policy review to their toolbox.
Managed Policies include:
- Customized information security policy packages that meet standard requirements
- Policy portal with workflows and notifications to manage policy approvals and reviews
- Annual review of policies guided by the vCISO team
vCISO Vulnerability Management
Find emerging vulnerabilities, sensitive data, misconfigured systems, unknown/unauthorized systems, unsupported systems, dark web attacks and missing patches in a way that meets the cybersecurity requirements of a formal vulnerability management program.
Vulnerability Management includes:
- Regular (typically monthly) internal and external vulnerability scans
- Agent-based approach to ensure full coverage for work-from-home, hybrid and mobile workers
- Scanning of laptops, desktops and servers against common security baselines
- Advanced dark web monitoring
- Monthly engagements to formulate and review remediation plans
How to Get Started with vCISO Services
Contact Loffler to schedule a free one-hour vCISO consultation and find the program that is right for you.
A vCISO will identify gaps in your current security strategy and score your environment to establish a baseline. They will then develop a prioritized action plan, develop a budget, guide your progress toward the plan based on priority and budget and re-assess annually to track progress against the initial baseline.
Randy is a CISSP who leads the Cybersecurity and IT Consulting team at Loffler Companies. He is focused on applying his 25+ years of IT experience to help his clients measure, understand and manage information security risk through the vCISO managed consulting program.