Top 10 Benefits of a Virtual CISO

No company can afford to underestimate the importance of airtight cybersecurity.

Cyber-criminals continue to develop evermore sophisticated ways to attack organizations and exploit weaknesses. Global corporations invest heavily in protecting theirs and their clients’ assets, and even smaller enterprises should do the same.

Chief Information Security Officers (CISO) can make a monumental difference to an organization’s defence against risks. They are responsible for handling cybersecurity, creating strategies to reinforce systems against the most cutting-edge external threats. They need to ensure that all essential policies and procedures are in place to reduce the organization’s vulnerability.

However, bringing an in-house CISO into your office may not be viable if you lack the space and / or available funds.

Virtual CISOs are an effective, affordable alternative for businesses of all sizes, from tiny startups to international chains. Here are 10 key benefits of hiring one for your company.

1. Low-Cost Expertise

First and foremost, hiring a virtual CISO tends to be far cheaper than employing one full-time.

There are no overheads attached, no benefits to consider, no overtime or sick pay. You don’t have to pay them even when they’re sitting at their desk with nothing to do. You essentially reap all the rewards of bringing an invaluable asset into your organization without paying for anything other than their best work.

2. VCISOs Offer More Diverse Knowledge

Most virtual CISOs will possess a wealth of industry experience, having worked with numerous clients across varied sectors.

They are constantly implementing strategies to protect businesses of different sizes against changing threats, gaining valuable knowledge they can apply to your company’s security needs.

This is much more effective and reassuring than hiring a full-time, in-house CISO who may have only worked within one business environment during their career.

3. A Tighter Focus for Better Value

Your virtual CISO specializes in cybersecurity and keeping systems continually protected, developing strategies to reinforce your infrastructure. This is their core focus, their day-to-day commitment.

This is in sharp contrast to bringing an IT specialist into your company who will no doubt be expected to help other employees regain access to their computer, recover forgotten passwords, and remove low-threat malware after someone downloads something they shouldn’t.

You pay for your virtual CISO’s security expertise only, and their time is dedicated to it entirely without less-important distractions.

4. Less Disruption to Everyday Tasks

Hiring a virtual CISO will free up your employees, allowing them the time to focus on their day-to-day tasks and responsibilities without worrying about compliance or related technical issues.

This helps to ensure every department concentrates on their respective goals, free of security-related worries or tasks beyond their technical knowledge.

5. Invaluable Flexibility

Hiring a virtual CISO offers far greater flexibility than a full-time, in-house employee.

For a start, you don’t have to find a place within your company and budget for a new long-term worker. The additional costs that come with that (salary, insurance etc.) are of no concern either.

Furthermore, though, virtual CISOs will generally create tailored services for your exact needs. Perhaps you only want to hire them for a few months to see how it improves your security before committing to a multi-year arrangement. Maybe you’re planning to train your own IT specialists but need the virtual CISO to protect your company in the meantime.

Bringing a virtual CISO aboard in either of these situations is much more preferable to hiring a full-time employee and letting them go once you feel they have served their purpose.

6. Bespoke Service for your Business

Virtual CISOs are familiar with adapting to suit different companies with unique needs. While a CISO with experience within one or two businesses may be stuck in their ways and expect you to work around them, virtual specialists are happy to offer more bespoke services.

They will provide the ideal solutions for your company and processes.

7. Vital Industry Contacts

Virtual CISOs are more likely to have wide-ranging industry contacts from across their career. They tend to maintain relationships with fellow cybersecurity specialists, gain exclusive information on emerging threats, and build networks of useful connections.

Such contacts mean they will be able to learn more and gain additional support if they encounter a technical issue they haven’t seen before, enabling them to get a handle on the situation with minimal delay.

This might involve making a phone call to a thought leader or a contact on the front line of cyber-crime – solutions that in-house employees with little experience may be unable to offer.

8. Independent Expertise without Bias

In-house CISOs may be susceptible to the same distractions, petty arguments, and office politics as the rest of your workforce. This can lead them to lose focus on the task at hand and potentially develop their own agendas.

Maintaining the highest levels of security could seem less important to a disgruntled employee who feels they aren’t getting the respect they deserve. Virtual CISOs, though, tend to be completely neutral, channeling all their energy into protecting your company no matter what.

9. Minimal Disruption to your Organization

Your virtual CISO can work independently and without supervision. They will no doubt need to learn about your business and your operations, but they certainly don’t require any training or input.

They will be able to work quickly and efficiently, identifying potential vulnerabilities and updating your system for the utmost protection. Your business will be able to continue as normal without any of the time-consuming training or administrative duties involved with hiring a new full-time employee.

10. Ongoing Commitment and Quality

A CISO working as part of your in-house team will end up leaving you at one time or another, whether they are headhunted by a competitor or simply want a change. This can leave you without their expertise if you wait too long to bring a new specialist aboard, and means you have to start afresh again.

You can enjoy greater continuity and seamless service with a virtual CISO. Even if the person(s) assigned to your business leaves the company you hire, there will be no disruption – you may not even realize a change has occurred at all.

Do you have questions about working with a virtual CISO? Our expert team is here to answer them!

6 Top Things to Do in Preparation for the GDPR Implementation

May 25, 2018 – is the full implementation of the General Data Protection Regulation (GDPR).

The GDPR is a European Union (EU) law that sets out the obligations of organizations in order to protect the personal data of EU residents. The law also sets out harsh penalties in case of failure to comply.

Even if your organization isn’t based in any of the EU states, the implementation of the GPDR will still impact your organization as this law has extra-territorial scope.

This means that even if your organization is based, for instance, in Canada, this European law still applies if your organization processes personal data of EU residents. For example, if your organization offers goods or services (regardless of whether payment is made) or monitors the behavior of EU residents, your organization is covered under GDPR. And even if your organization is a small one, that is, it only employs fewer than 250 people, it’s still covered under GDPR.

The personal data referred to by the law refers to any information that can be used to identify a person either directly or indirectly, including name, email address, photo, medical information, bank details, posts on social networking websites and computer IP address.

Here are the 6 top things to do in order to prepare your organization for the upcoming implementation of GDPR:

1. Make Consent Process User-Friendly

In GDPR, your organization will no longer be allowed to use long and legalese terms and conditions to request for personal data consent.

Under the EU law, request for consent must be presented in layman’s terms and the purpose of the data processing must also be presented in clear and plain language. There must also be an easy way for customers to withdraw their consent. In the case of minors, parental consent must be given.

2. Delete Data that No Longer Serves Original Purpose

Under the GDPR, the right to erasure, also known as the right to be forgotten, is enshrined. Article 17 of the EU law provides that data should be deleted when the data no longer serves the original purpose of processing and when the data subject withdraws his or her consent. The law, however, provides that the right to be forgotten must be weighed against "the public interest in the availability of the data".

3. Implement Data Protection as Precautionary Measure, Not as an Afterthought

The GDPR calls for “privacy by design” – a concept now made into law that requires organizations to make data protection as part of the preventive measure, instead as an afterthought or reactionary measures.

The law specifically requires organizations processing personal data to implement appropriate technical and organizational measures in order to protect personal data that it processes.

Organizations, under the law, are required to hold and process only the personal data that’s necessary for the completion of its functions. The law also requires organizations to limit the access to personal data only to those who are necessary for carrying out the data processing task.

4. Be Transparent to Affected Individuals

Part of the expanded rights of EU residents under the GDPR is the right to obtain confirmation from organizations as to whether or not their data is being processed, for what purpose and where. Organizations are also required under the law to provide free digital copy of the personal data being processed to the affected individuals.

5. Determine if Your Organization Needs to Appoint a Data Protection Officer (DPO)

Appointment of a Data Protection Officer (DPO) is mandatory under GDPR only if your organization engages in large-scale systematic monitoring or large-scale processing of sensitive personal data. If your organization doesn’t engage in any of these functions, then there’s no need to appoint a DPO.

6. Be Transparent About Data Breach

Under GDPR, there will be no more concealing of data breaches. Notification is mandatory under this law in case where the data breach is likely to “result in a risk for the rights and freedoms of individuals”. This law requires that data breach notification to the concerned agency must be done within 72 hours after first having become aware of the breach. Notification to affected customers, meanwhile, has to be done “without undue delay” after first becoming aware of a data breach.

Penalties for Non-Compliance

Several factors are taken into consideration in calculating the fine under GDPR. These factors include:

• Nature, gravity and duration of non-compliance, for example, the number of people affected and damage cost
• Whether the non-compliance of the law was intentional or as a result of negligence
• Whether the organization took steps in mitigating the damage
• Technical and organizational preventive measures that had been implemented by the organization
• Prior record of non-compliance
• Types of personal data involved
• How the non-compliance was discovered

The maximum fine that can be imposed for a breach of this law is 4% of the annual global turnover or €20 Million, whichever is higher. The maximum fine is imposed for the non-compliance of key provisions of GDPR such as violating the core of Privacy by Design concepts and failure to get sufficient customer consent to process data.

The penalty of 2% of the annual global turnover or €10 million, whichever is higher, meanwhile, can be imposed in case of non-compliance of technical measures such as failure to report data breach and failure to give affected individuals access to personal data being processed.

"Rapid technological developments and globalisation have brought new challenges for the protection of personal data,” the law states. “The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”