One area we often grapple with for our clients is the situation where the organisation's size and management team cannot sustain enough ‘need’ for a full-time Chief Security Officer or similar role. This role often supports the CIO and risk teams by aligning the IT systems lifecycle to the risk management lifecycle. Given the marketplace for staff, the high cost of permanent security staff and, in reality, the fact that it’s unlikely they would be fully engaged, we started to consider how we could leverage our team of highly skilled consultants to fill that gap.
First of all we called it “vCSO” to suggest we work as your “virtual” CSO; then we went on to define what that service would entail. We eventually settled on an agreed monthly commitment, which gives you a block of consulting time and a consistent consultant who turns up every week and gets to know your business. What we soon discovered was that the scope of what is required varied, so we created a pick list of things that might appear. We then work with you to decide what the focus is and manage to that. The types of areas we tend to cover in these roles are:
- Technical IT project and programme risk management
- Security operations training, definition, management and oversight
- Strategic security advice in support of ISSP and business planning activities
- IT risk management strategies and models
- Security governance and framework review, advice, development and QA