vCISO - Implementation Roadmap
1 month to completion
Step #1: Context
Determine - Would a vCISO be Beneficial?
Possible pain points...
▢ Need CISO level expertise & guidance but lack budget/need for a full-time person
▢ Growing client security expectations and demands (e.g. questionnaires, ISO 27001, SOC 2)
▢ Struggling to attract/retain key information security team members
▢ Management is “uncomfortable” with the current information-related risk level
▢ Growing compliance challenges (e.g., GDPR, CCPA, DFS500, HIPAA, PCI)
▢ Determined that “outsourcing” security is a better business model
▢ Need to evolve controls rapidly to avoid another breach/incident
Step #2
Identify Your Needs & Objectives
Your current situation...
▢ Need the part time skills of a full time CISO
▢ Need a strategic roadmap for compliance and security
▢ A shortage of security talent and difficulty retaining security-dedicated employees
▢ Your customers, partners, or board members expect that someone has the “CISO” role
▢ You need to prove you are secure to key stakeholders (clients, board, auditors)
▢ Lack of clear vision of where your security is now and/or where you want to go
▢ Multiple compliance requirements of note and/or GDPR in particular
▢ You need security experience in your industry (e.g., SaaS, Legal, Financial)
▢ You need talent capable of liaising with customers, CXO suite, and regulators
▢ Need for someone with a CSO or CISO title for compliance
▢ Need for someone with a DPO title for compliance
Step #3
Determine What You Want in Your vCISO Relationship
Decide what is important to you...
▢ vCISO, a security team, or both?
▢ Cultural fit with my management and technical personnel
▢ Industry and/or relevant subject matter expertise (e.g., app dev)
▢ Experience, track record, individual, and corporate certifications
▢ Short term or long term relationship?
▢ Geographic location and/or time zone
Step #4
How You Successfully “On-board” Your New vCISO
Your vCISO needs to...
▢ Understand the business, its objectives, and IT vs. Information Security’s role in achieving those objectives
▢ Understand the required scope/context of the Cybersecurity program (information being protected, personnel, key processes, technology, key vendors, laws/regulations, etc.)
▢ Understand current and near term planned IT/IS projects
▢ Understand current InfoSec Responsibilities and Accountabilities (RACI)
▢ Understand the operation and maturity of the current InfoSec controls
▢ Understand management’s expectations and reporting structure
▢ Understand near term expectations on liaising with customers, vendors, regulators, and/or C-Suite
Where to turn... when Information Security matters
Step #5
How You Operationalize the vCISO Role
Expect your vCISO to...
▢ Document the scope of the Information Security Program to ensure that everyone is on the same page
▢ Conduct a “Rapid” Risk Assessment to identify risks requiring remediation
▢ Understand gaps in the current information security program and identify those of note requiring remediation
▢ Establish a RACI chart for the Information Security Organization to ensure responsibilities are clear
▢ Establish an initial prioritized security roadmap
▢ Establish a 90-Day plan based on the security roadmap
Step #6
Measure Your vCISO’s Success
Your organization needs to...
▢ Measure effectiveness based on the 90-Day plan objectives and deliverables, including goals, metrics, and leading indicators for the Security Organization; for example:
    ▢ Get 100% of critical vendors through Vendor Risk Management by 12/31/18
    ▢ Reduce Phishing failure rate to <7% by 09/30/18
▢ Understand and address missed goals/metrics/leading indicators
▢ Ensure that the risk register is updated quarterly so that the roadmap and 90-day plan reflect evolving risk
Step #7
Your Benefits of Success
Define “success” for your vCISO engagement...
▢ Customers trust that their information is safe in your hands
▢ Management can sleep better at night
▢ Organizational resiliency
▢ Security-aware employees who actively support a “security culture”
▢ Positive and secure relationships with clients, suppliers, and other third parties
To gain on-demand access to the right information security resources at the right time, reach out!