Virtual CISO

Are ‘Virtual CISOs’ a Good Idea?

Type “virtual CISO” into Google and you’ll get ~240,000 hits, with the top 10 being mostly vendors who offer this as a service. I have no doubt most of the remaining pages are the same.

In other words, just about every security vendor out there is seeing a need, and they want to be the ones to fill it. As a corollary, if organisations weren’t crying out for the service, no-one would be offering it.

I am no different, in that I too see a massive gap in senior leadership security expertise that no one in-house can fill. Due to price constraints, it is quite often inappropriate to fill such a senior and specialised role on a full-time basis. Where I differ is the length and function of the v-CISO, as I cannot see how an indefinite ‘outsourcing’ is in my client’s best interest.

Let’s face it, once you outsource the function of something, it is a very small step to try and outsource the responsibility for it too. And finally, if you got away with that, an attempt at shirking the accountability is never far behind. This is where both organisations asking for help, and v-CISOs alike, make their biggest mistake.

The v-CISO should never be a long-term proposition, which is why I call my service an ‘Interim Security Chief’. While this may seem like semantics, it’s the difference between doing the work for you, and enabling you to do it for yourselves.

First and foremost, a v-CISO should be a teacher and a mentor, not [necessarily] a ‘doer’. Yes, they can design big-picture processes, from secure architecture to governance charters, but they had better not be expected to own them. A good v-CISO is nothing more than a consultant at the senior management level, and any deliverables must be sustainable long after they have moved on.

That said, I see nothing wrong with a v-CISO remaining part of ‘steering committees’, providing ongoing security awareness training, or even taking part in incident response testing. But, once the CISO functions have been absorbed internally, the v-CISO becomes part of the cycle for continuous improvement only. They stay around to provide strategic input on industry trends and the changing threat landscape, they don’t dictate the enterprise goals.

What You Should Expect From a v-CISO

These are the three main things you should expect from a v-CISO; take particular note of the transience of each deliverable.

  1. Governance Charter Development – There is no security program without Governance, and there is no better platform onto which the v-CISO can pass on their operational function. This committee can in fact replace the v-CISO in due course, but may bring them back in as a trusted advisor or SME. The members of the governance committee will share the CISO function amongst themselves based on individual capability, and their meetings will bring it all together.
  2. Policies & Security Awareness Training – Along with governance, policies are intrinsic to a security program, and along with the formation of that committee, represent the most important part of a v-CISO’s role. Unless the policies are in place, and all employees appropriately trained, nothing else they try to do will work effectively.
  3. Process Development – Security programs consist of a number of critical processes, all of which must be developed, tested, tested again, and take their place in the never-ending cycle of improvement and business as usual. These are the big ones:
    • Risk Management – Includes the enterprise-wide risk assessment and risk treatment procedures.
    • Vulnerability Management – Keeping up with the threat landscape.
    • Vendor Due Diligence & RFPs – Significant aspects of the security program will likely be outsourced to skilled providers, so the right questions must be asked.
    • Event Management & Incident Response – Bringing all the controls together into a business-saving process.
    • Disaster Recovery & Business Continuity – What to do if everything goes completely pear-shaped.

Anything else the v-CISO does will depend on the organisation’s needs and the v-CISO’s skill-set.

But what about Strategic Advice, Board Level Interface, Regulatory Compliance Lead and a whole host of other fancy names / clichés? Yes, these are all important, but are utterly meaningless until the basics are in place.

Any security program put in place by a v-CISO must be in-line with the business’s goals, appropriate to their needs, and sustainable in their absence. So if you’re on the market for a v-CISO, you had better know what you need, or you’ll get what a salesperson thinks you asked for.

[If you liked this article, please share! Want more like it, subscribe!]

Outsourcing

[X]aaS, The Outsource of Everything

[blank] as a Service. There are so many XaaS services available now that we are running out of letters:

  • AaaS – Authentication as a Service
  • BaaS – Back-End as a Service
  • CaaS – Communication as a Service
  • DaaS – Desktop or Data as a Service
  • EaaS – Encryption as a Service
  • FaaS – Failure as a Service [I know, couldn’t believe this one myself]
  • …and so on.

As much as I have an issue with buzz-words and inventing acronyms, I cannot deny the trend: unless it’s a core function, don’t do it yourself.

Retailers should outsource payment acceptance, insurance companies should outsource cyber due diligence, and every business should outsource some of its security risk management.

Sure you can change the oil in your own car, you may even be able to perform some basic plumbing, but why would you? There’s an excellent chance that a professional can do it better, and in the long run cheaper, than you. What’s more important: saving money, or saving your time? I guess the answer is different for everyone, but a business does not have the luxury of experimentation to the degree we do. False economy, while relatively trivial for us, can be make or break for a business.

I see a time where the economies of scale, combined with the abundance of competition, will enable service providers to give far better service at a much lower price-tag than you could possibly hope to achieve in-house. Doing one thing and doing it well should automatically provide the scalability of service, appropriate innovation and business transformation capability necessary to run a competitive venture in the 2010s and beyond.

Even in the cybersecurity industry, there is significant confusion on how to choose the right vendor or technology, and this will only increase exponentially in the era of The Outsourcing of Everything. Inevitably a new type of service provider will come along: the Service Provider Integrator. In the same way you cannot manage your security if you have 15 different management stations, you cannot run your business if your service providers are not performing seamlessly, and in full support of your business goals.

In the Information Age, where entire businesses can be run in the virtual world, a competitive edge lasts weeks, not years, and only the organisations who can effectively balance risk and innovation, and then transform their business processes in support of that innovation, will succeed. And with everything outsourced, only the companies who are best able to choose, then integrate, the most effective and flexible services can hope to compete. The best Service Provider Integrators will be able to create entire white-labelled businesses from any concept.

In one of my earlier blogs, How Information Security Enables Transformational Change, I made the statement: “Information in context is knowledge, success however is in the correct application of that knowledge.” The drive towards specialisation will accelerate in every service to be provided. It will be the organisations that are best able to correlate the management information gathered over years of providing a specific service to multiple organisations, along with the ability to apply those skills to prospective clients, who will run away with the business. This will eventually create new Googles and Amazons, but they are where they are for a reason:

Good service.


========================

Update 22-Oct-13 09:23: Don’t normally add bad language to my posts, but this is too funny not to; www.foaas.com. My thanks to Steve R!


Vendor Due Diligence

Vendor Due Diligence: Assessing Cloud / Service Providers

There is a lot of confusion about how to treat Cloud providers from a vendor due diligence, or compliance assessment, perspective. I’m not sure why; they are just another service provider. The Cloud, in and of itself, adds nothing.

My thoughts on The Cloud are not a secret (see Don’t Get Me Started On ‘The Cloud’), but it needn’t be all negative.

So you have outsourced, or want to outsource, some aspect of your business function (usually an ancillary part, unless your business is almost entirely white-labelled, as in e-commerce for example), and you must therefore ensure that the service provider treats your data and/or systems the same way as, or better than, you do.

In theory, the only reason you would not be able to measure your service/cloud provider against a defined standard is if you don’t have one. You have one, right? Not having one, by itself, precludes your compliance with ANY standard or accepted good practice.

All too often the real issue is that organisations are trying to outsource their problems (PCI compliance for example), and not focusing on their business needs in general. While you can outsource almost every business function, you can never outsource responsibility. You can even outsource some of the liability (cyber-insurance for example), but it’s your name that will be dragged through the mud if things go wrong.

It bears repeating: you can NEVER outsource, or in any way deflect, the responsibility for the protection of the data you control.

The way to look at this is to see all 3rd parties / vendors as just a different department of your organisation. You should have THAT kind of control, and it’s up to you to ensure that they are meeting their commitments. Service Level Agreements (SLAs) are a difficult concept, especially for Cloud providers, but that should not be your problem, it should be theirs.

Here’s a lengthy but good article from IBM on SLAs: Best Practices to Develop SLAs for Cloud Computing

Some providers may have just chosen to jump on the cloud bandwagon, and see this as a way to multiply their client base using the same, or retro-fitted, infrastructure (you need built-for-purpose). Calling it a cloud service is, in this case, another phrase for smoke and mirrors. However, there are some excellent cloud/service providers out there, and you will know them by the way in which they answer, or in some cases entirely pre-empt, your concerns. They will:

  1. come to you with detail about how they will manage your systems / apps, etc., and this will almost certainly support your policies or compliance. Ideally the services will be independently certified as compliant (against PCI for example, if relevant).
  2. have no problem incorporating your policies or regulatory reporting needs into their service. They may already exceed yours in this respect if they follow the concept of go-with-what’s-hardest-and-everything-else-is-covered.
  3. have various levels of SLA already defined from which to choose. Be VERY wary of any cloud / service provider who has no pre-defined SLAs.
  4. have a seamless way for you to measure them against the SLAs. The old misquoted cliché, “You can’t manage what you can’t measure”, while irritating, is completely appropriate here.
  5. be able to assist, or train you, to find everything you need during a compliance assessment. YOU must be able to answer your auditors’/assessors’ questions; you can’t just point at your vendor.

If you don’t have a vendor due diligence program, you need to get one. If you don’t have a set of defined policies and business-need SLAs, get them. And if you don’t know how to go about any of this, ask someone who does!

Just like in Top 10 Roadblocks to PCI Compliance, not knowing how to do something is not an excuse; there are quite literally hundreds of experts who can help you.

Find one.
