What is CISOaaS?
Chief Information Security Officer-as-a-Service (CISOaaS) provides information security leadership from an appropriate pool of expertise and technical resources from within IT Governance. CISOaaS provides security guidance to senior management and drives the organisation’s information security programme.
The service can:
- Provide your organisation with a cost-effective way of maintaining information security systems and managing risk;
- Offer an extension to your organisation’s information security capabilities; and
- Deliver an ongoing security presence and ensure risks and incidents are reduced before they can cause unacceptable business losses.
CISOaaS can help an organisation identify its current information security maturity, the threat landscape, what needs to be protected and the level of protection required, as well as the regulatory requirements it needs to meet. The CISO will put together an information security strategy ensuring that the basics are implemented and maintained, risks are reduced and the maturity of information security will be raised.
Unsure if you need a CISO?
If your organisation wants to get serious about security, employing a CISO is a vital step. For more information about the advantages of having a CISO, and how our CISOaaS may benefit your business, get in touch with one of our security experts today.
Speak to an expert
Did you know?
Gartner predicts that the global spend on security will be £71 billion in 2018, an 8% increase on 2017. To extract the most value from their expenditure, organisations need to have a strong understanding of information security.
IT Governance’s CISOaaS can provide optimal capabilities to tackle your cyber security strategy and help ensure that your security budget is effectively spent.
Why employ a CISOaaS?
Organisations that are serious about security face the challenge of finding a CISO who has the right skills and knowledge. Someone must own the security and compliance strategy, but the requirement can extend beyond the expertise of operational IT and security managers.
However, investing in a full-time CISO can have its disadvantages, too. What happens when the CISO is ill, goes on holiday or is not up to date with the latest legislation or cyber threats?
A lack of security talent can also keep a full-time CISO from functioning effectively and seeing the bigger picture. Most CISOs will face the serious challenge of having too few team members and not enough experienced talent.
The benefits of our CISOaaS
A CISOaaS model can help you acquire this expertise without the drawbacks. It allows your organisation to cost-effectively access strategic security experience and technical skills, gaining all the benefits without the capital expenditure (salary, hiring costs, sick pay, holiday pay, training costs and potential redundancy payments).
This enables your organisation to build and maintain an ISMS (information security management system) and take a risk-driven approach to protect sensitive assets, supported by your in-house IT team.
- Access a pool of experienced, specialised, senior cyber security professionals
- Access resources quickly and eliminate the need to attract and retain talent.
- Lower your costs by only paying for the support required.
- Reduce your risk by enhancing your cyber and information strategy with a clearly defined roadmap.
- Gain experience to educate and present to all types of senior executives, board members and non-technical senior staff.
- Our independent perspective and credibility can help secure cross-business support and achieve your information security goals.
The cost advantage of CISOaaS
The cyber security skills shortage is not only real – it is one of the biggest challenges IT leaders face today. As cyber security risks become more complex, it is difficult to find trained personnel who are both cyber information security professionals and affordable. PayScale reports that average pay for a CISO in the UK is £100,000 (including bonuses). In SMEs, at the top end this can stretch to £250,000.
Long-term retention of those employees is almost impossible as they are always being poached by other organisations.
It will likely take 3–5 months and an investment of 15–20% of the right candidate’s first-year salary to find them.
£20,000 hiring cost
* Based on CISOaaS being engaged for two days a month annually at current prices.
Given that a breach is a matter of when, not if, organisations that hire a CISO can protect their cash flow. A Ponemon Institute study found that the appointment of a CISO reduced the cost of a breach by £5 per record.
Our engagement process
A typical CISOaaS engagement will involve:
Every CISOaaS assignment differs in scope and objectives. Your requirements will depend on your current protection level, risk appetite and infrastructure.
CISOaaS will perform an assessment to identify the regulatory, legislative and contractual requirements that the organisation must meet. The organisation will also be audited using a standard framework.
CISOaaS will conduct a threat assessment and identify what needs to be protected and the level of protection. On completion of the security profile, a strategy and roadmap will be developed for the board to approve to reduce the risk to the organisation and improve the maturity of its information security capability.
CISOaaS will implement the roadmap by initiating identity management, access control, inventory management and any other projects listed in the roadmap.
A reassessment will be conducted to determine the success of the implementation phase and to identify whether the risk profile has changed and the impact this has on the strategy and roadmap.
CISOaaS will establish business-as-usual activities that could be undertaken on an hourly, daily, weekly, monthly, quarterly, half-yearly or annual basis.
Is the service right for me?
You should consider this service if your organisation:
- Operates a lean IT function and you need to protect your digital assets with limited resources, without opening new positions;
- Needs an effective way to lay the foundation for a permanent CISO function;
- Is under pressure to upgrade its cyber security strategy;
- Needs an interim measure when trying to recruit a permanent staff member; and/or
- Is designing the right architecture to mitigate the risks posed by cyber crime.