Virtual Chief Information Security Officer

Our Virtual CISOs spearhead your Information Security with proactive risk management

Do you need a Virtual CISO for your business?

You know that information security is important, but you need a board-level resource to manage it. Our Virtual CISO services allow for proactive risk management as we ‘virtually’ sit inside your business. We can spearhead your security strategy, budget, review of risks and regulatory programs. This includes making security decisions, understanding security threats, and optimizing security processes.

Get started with Virtual CISO services

Threat Intelligence & Strategy Planning

A few years ago, a new threat called “juice jacking” appeared in public areas with device charging stations, such as airports. This is when criminals use electronics hidden behind the charging station to infect the device that’s plugged in.

Any employee travelling or working outside the office who innocently plugged in a phone, tablet, etc. could inadvertently have the device infected, which could then create multiple scenarios to harm the business. One solution is to issue mobile employees with company-supplied power adapters and enforce a policy that public charging stations cannot be used for company devices. Collectively, measures like these create awareness of the problem among management and employees.

Problem

The number of cyber and social engineering attack methods, information exploitation methods (i.e. fraud), and opportunities for information to be lost or leaked is constantly increasing, meaning that ever-changing threats may not be mitigated by existing security measures.

Solution

Virtual CISO services include ongoing monitoring of the “threat landscape” to aggregate, analyze, and identify whether the business is impacted (i.e. risk has increased) due to changes in that landscape.

Positive Result

Use the result of the analysis to proactively determine how to mitigate the new risk.

Policy Vetting & Management

Let’s say your company acquires a large client, but they impose security requirements in order to qualify as an approved supplier. Consequently, your company could be disqualified if your security policies are not up-to-date.

Or, consider employees who are permitted to use personal mobile devices for business. What if they lose their device and purchase a new one that is incompatible with company apps? Without a current “Bring Your Own Device (BYOD)” policy, company data is therefore at risk of being exposed.

Problem

The number of cyber and social engineering attacks, information exploitation methods (i.e. fraud), and opportunities for data leaks is constantly evolving. Therefore, the accuracy and effectiveness of existing security policies will degrade over time.

Solution

Scheduled reviews of, and updates to, security policies with a virtual CISO ensure they keep up with the changing business and threat landscape.

Positive Result

Management and employees are kept aware of policies intended to protect them and the business.

In addition, scheduled reviews and updates help the business meet its ongoing compliance requirements.

Procedure Vetting & Management

Let’s take a company that allows employees to use their personal phones for business. As such, business email, contacts, calendars, and files are synced to the phone. So, when an employee leaves the company, the termination and offboarding procedures need to include confirmation that all company data has been removed from their personal devices.

Another example is a company that corresponds with investors and needs a two-way flow of private information. They created an approved procedure for staff to follow; however, security analysts discovered a vulnerability in the platform that its vendor refuses to fix. An annual review of procedures with their Virtual CISO identified the problem.

Problem

As businesses evolve and grow, new and/or updated software platforms are implemented, devices are updated and replaced, employee roles are created, removed, or changed, and vendors and clients are added or removed.

Therefore, normal changes to the business can impact the accuracy of existing procedures.

Solution

Scheduled reviews and testing, with your virtual CISO, of the procedures used to keep the business and employees safe and to respond to both planned and unplanned events.

Positive Result

Knowing that systems function as intended when needed.

Enhanced Security Awareness Training & Workshops

Despite the company having security awareness training in place, an accounts receivable (AR) team member at a manufacturing company sent a list of all receivables to someone who impersonated the CFO. The following week, the same criminal emailed the company’s clients, stating that the company’s payment remittance information had changed… to the criminal’s own banking details.

Here’s how it happened:

The employee found an email “from the CFO” in her junk folder. The anti-spam technology had worked correctly in identifying the email as fraudulent and isolating it. But the employee moved the email to her inbox and replied with client information. Regardless of whether her actions were accidental or intentional, the company had to notify every client on the list of the data leak.

As a result, the company increased its automated security awareness training, implemented mandatory attendance at live workshops, and introduced a policy that outlines potential consequences.

Problem

Most businesses have security awareness training in order to comply with cyber insurance requirements. However, basic automated training on its own is less effective than automated training combined with other training methods.

Furthermore, most security awareness programs do not create adequate accountability for employees, so when a preventable incident occurs, employers have no recourse.

Solution

Virtual CISO services keep security top of mind by embedding it in workplace culture through relevant, regular security awareness training, live workshops, and more.

Positive Result

Information is power. Staff that are more aware of risks are more likely to spot problems and less likely to inadvertently cause security incidents.

Information Asset Workflow Vulnerability Management

A construction materials company experienced a security event resulting in all of their IT systems being down for a week. Their manufacturing and distribution locations limped along until the situation was resolved. The cost was massive: for remediation, lost sales, damaged reputation, and regulatory penalties. But it also meant:

  • The attackers could compromise any business that had purchased material from them.
  • Additionally, businesses that require electronic data interchange (EDI) for transactions were consequently at risk of having their IT systems infiltrated.
  • Organizations who paid invoices to the company electronically were at risk of fraud from the criminal behind the incident. For example, the criminal could use a hijacked email account to redirect payment to themselves. So, even entities that paid by cheque were at risk of old-school fraud attempts.
  • And, if the company used EDI to transact with its suppliers, those suppliers were also at risk.

Organizations that had a map of the information flow between themselves and the affected company were able to take the steps necessary to protect themselves. However, organizations that did not have such information at hand could not take those steps and were exposed to fraud.

Problem

Inbound and outbound information supply chains are vulnerable to attack. This means that if a supplier or customer is compromised, it could result in your company experiencing a cyber incident as well.

Solution

Create maps of information flow to all external entities (suppliers, customers, partners, employees, and third-party services). You can do this with the help of a Virtual CISO service in order to immediately identify risk when an external entity is compromised.

Positive Result

When a related external entity is compromised, you immediately know what company information may be affected: for example, which passwords need to change immediately, which accounts need to be shut down or placed under increased monitoring, and which employees need heightened awareness of possible fraud attempts.

Security Guidance & Communication

A company considered a cost reduction measure for hybrid staff: allowing them to use their personal home computers when working from home. When in the office, there would be a pool of computers for people to use.

This increased their security risks because the company had no insight, monitoring, or control over the home computers. There would be no way to prevent unauthorized access to company information from “unmanaged” computers. There is also a high risk of company systems being infected by a computer the company did not own or manage.

Problem

Firms retain external legal and finance counsel to supplement existing resources, but few retain external security counsel to supplement existing security efforts.

Solution

Regularly scheduled security consultations ensure that company initiatives and changes include security in the planning process.

Positive Result

Including your Virtual Chief Information Security Officer in the planning process avoids the additional cost and productivity delays of adding security after the fact.