Question: What does a virtual CISO do, and when should an org have one?
Aaron Boissonnault, Chief Information Security Officer at Navisite: Virtual CISO (vCISO) services give companies on-demand access to cybersecurity leadership, expertise and guidance. This enables companies to overcome the time-consuming and costly challenge of finding seasoned cybersecurity leadership and expertise to help them build a tailored security strategy; identify gaps in their security program; and put the right teams, tools and processes in place to reduce risk and support continuous improvement.
A good vCISO service should assess cybersecurity risks, develop a security roadmap, develop policies and procedures, help companies align with regulatory compliance and governance goals, and track performance of and continuously improve upon cybersecurity programs. And a strong vCISO service not only comes with a named virtual CISO, but also with access to the entire cybersecurity team supporting them—all of whom are focused on securing your business from cyber threats.
There are a number of scenarios when a company should consider a vCISO. Cybersecurity is a full-time job, and if the IT team is responsible for a company’s cybersecurity, a vCISO can provide much-needed strategic insight and alleviate the IT team’s responsibilities. Another scenario is if a company is in the midst of moving its operations and applications to the cloud. A vCISO can provide the expert guidance and support to securely move to and operate in the cloud and offer shared responsibility model expertise. This helps companies put the right security controls in place to significantly reduce risk and fully reap the rewards of the cloud. One last scenario is if a company doesn’t have an up-to-date security plan. A vCISO can help companies develop and implement a tailored cybersecurity plan, which assesses the changing threat landscape and addresses any potential compliance regulations a company must consider.