Making a case for the VirtualCISO
Few company directors have a deep knowledge of corporate law, or a detailed understanding of investment planning or tax implications. They employ offsite experts to ensure that they keep on the right side of the relevant legal requirements and to stay abreast of changes in regulations as and when they occur. Yet when it comes to data security many businesses attempt to manage with their own resources, relying on whoever has been assigned the role of Chief Information Security Officer (CISO); sometimes with disastrous consequences.
The cost of data breaches can run to hundreds of thousands. Even sole traders are not immune from the devastating financial consequences of a reported breach. The Payment Card Industry (PCI) will call in investigators if a trader is linked to a case of data fraud or theft, and that trader has no choice but to pick up the bill. In addition, there is the cost of reputational damage. Some are, however, almost totally unaware of the risks they face until they hear of the breach, yet they are completely responsible for the data in their systems and have a legal obligation to keep it protected.
In larger companies, responsibility for data protection falls to whoever has been given the mantle of Senior Information Risk Owner (SIRO) or Chief Information Security Officer (CISO); and while most are aware of their responsibility to protect customer data, the details of how and why this should be done may elude them. When it comes to SMEs and sole traders, the CISO role is often just one of a portfolio held by the managing director.
For the majority, both in large corporations and SMEs, the actual language of information security (commonly referred to as cyber) makes the process appear baffling. Its standards are riddled with acronyms which often just add to the air of impenetrability: PCI DSS, GDPR, IASME, ISO 27001. As a result, there are times when discussions around a board table may sound like a Monty Python sketch in which no one actually knows what anyone else is talking about, but the reality is far from amusing.
In fact, not only is a company’s reputation and financial viability at stake if a data breach occurs, but legislation is coming into force in May 2018 which will make adherence to a new European-wide standard compulsory for everyone. So the question is, if company directors do not think twice about instructing corporate lawyers and accountants to act on their behalf, why would they task their in-house team with something as fundamentally important as information security? Or worse, with ever tightening budgets, ignore the challenge altogether?
The prospect of employing a balanced CISO team, with a comprehensive range of expertise, may sound prohibitively expensive. But it isn’t if a range of experts is in-sourced on demand via a virtual team model, or if a fully outsourced model, delivered by an industry leader, is considered.
The role of SIRO is one that can now be delegated to specialists who take on the full responsibility on behalf of a client company. At SRM we have developed the VirtualCISO, a totally bespoke service, providing as much or as little as required depending on the individual company. Some may know exactly what they need and have the technical expertise to deliver it, while others may simply want to have the whole problem removed from their desks, in the certain knowledge that everything is being dealt with on their behalf.
With VirtualCISO a company board – or a sole trader – can understand their responsibilities and company risk profile, prioritise mitigating actions, confirm adherence (or not) to industry/sector standards and regulations, and find out how best to proceed in ensuring compliance in a cost-effective manner. In this way they will also be evidencing that they put the needs of their clients first, thus maintaining or gaining reputational and financial advantage amongst their competitors.