What is a Virtual CISO (vCISO)?
A vCISO is an external senior security expert who leads a company's information security program in alignment with the company's strategy and objectives.
The vCISO works alongside existing IT and security teams with the goal of improving the confidentiality, integrity, and availability of services and data supporting business operations. The vCISO collaborates with and influences other business units as necessary to improve the information security posture of the business.
As the leader of the information security program, the vCISO assesses risk, updates policies, and develops plans and programs so that security keeps pace with both the evolving threat landscape and the changing needs of the business.
Depending on the company's org chart, the vCISO may report to the Board of Directors, the CEO, the CTO, or the COO. Sometimes the CISO even reports to the CFO, because of the risk-averse nature of the CISO role. The CISO should not report to the CIO: the CISO is expected to hold the CIO accountable, and the two roles often have opposing objectives.
Cybersecurity is about iterative improvement.
The threat landscape is changing. There are new vulnerabilities, new threat actors, and new threats every day. Your business is evolving, with new compliance requirements, new people, new technology, and new risks.
Addressing this constantly shifting situation requires continuous improvement of your business's cybersecurity, a continual drive toward maturity, and sustained buy-in from the top of your company.
A vCISO serves that role: driving cybersecurity forward in your organization.
Security vs. functionality
The most secure system is one that is turned off and unplugged. What we aim for instead is what we call usable security. Implementing security is not easy: your business has requirements and priorities, and your vCISO focuses on meeting them while reducing your risk as far as practical.
Every piece of technology your business adds, and every additional function or convenience (apps for customers to place orders, remote access for employees, and so on), adds risk and widens the attack surface of your systems.
For this reason, the goals of the CIO and the CISO usually pull in opposite directions. The CIO is expected to innovate, drive digital transformation, and push boundaries; the CISO's role is to reduce risk to the business.
Unlike many security professionals, Tensile Advisors takes the time to understand your business needs and to align with your strategy, your objectives, and your team.
To be effective in securing your organization, we need to enable progress and build relationships with your operational teams and executives. Being seen as a business driver supports that mission.
| Service | Role | Cadence | Cyber Informed | Cyber Maturity |
|---|---|---|---|---|
| Security Architecture Review | | Quarterly | ✔ | ✔ |
| Controls Mapping for Compliance | Lead, Execute, Advise | Ongoing | | ✔ |
| Strategy & Planning | | | | |
| Top-Level Cybersecurity Strategy | Create, Update | Ongoing | ✔ | ✔ |
| Information Security Program | Create, Update | Ongoing | ✔ | ✔ |
| Information Security Steering Committee | Create, Lead | Ongoing | ✔ | ✔ |
| Incident Response Plan | Create, Update | Ongoing | ✔ | ✔ |
| Disaster Recovery Plan | Create, Update | Ongoing | ✔ | ✔ |
| Information Security Policies | Create, Update | Ongoing | ✔ | ✔ |
| Reports and Slides for Executives | Create, Update | Quarterly | ✔ | ✔ |
| Board Presentation | Create, Present | Quarterly or Annually | | ✔ |
| Vulnerability Management Program | Create, Lead, Advise | Ongoing | | ✔ |
| Tabletop Exercises (Incident Response, Disaster Recovery) | Create, Lead, Advise | Semi-Annually | | ✔ |
| Engagement with executive team, IT teams, and security teams | Advise | Ongoing | ✔ | ✔ |
| Cyber Awareness Training and Phish Testing Program | Lead | | ✔ | ✔ |
| Internal security teams or external MSSPs or MSPs | Recruit, Lead, Advise | Ongoing | | ✔ |
| Gap Remediation Plan | Lead, Advise | Ongoing | | ✔ |
| Third-Party Risk Management | Lead, Advise | Ongoing | | ✔ |
| Gap Remediation Project | Lead | Ongoing | | ✔ |