Thrive’s Virtual CISO Webinar: Key Takeaways
Thrive recently held its vCISO webinar, hosted by CRO John Holland, who was joined by Andrew Archibald, vCISO, and Dave Sampson, VP of Consulting. In this webinar, Andrew and Dave discussed the role of a vCISO, the importance of implementing a security program, and why organizations must continue to nurture a security program.
Check out the highlights from the webinar below, and get in touch with the Thrive team to learn more about our vCISO offerings.
Dave Sampson, VP of Consulting
On the latest cyber attacks in the news:
When we look at a lot of the attacks this year, we’ve identified some common trends. As we’ve watched the news, it’s clear many of the organizations attacked have no formal security program. There needs to be a formal security program, and that has to start at the executive suite, starting from the top and working its way down. Having a comprehensive security framework behind security strategy is critical, too. Buying a specific tool may require some areas in the framework, like email hygiene, multi-factor authentication, and disaster recovery. When we see news stories and hear of the unpredictability of recovery time, that means the recovery plan probably hasn’t been validated and tested on a consistent basis. Third-party vendor risk has been in the news, too. When you’re providing data to third-party vendors, who is accessing it? If it’s stolen, it’s just as impactful to you as it is to them.
Why a vCISO is the right fit for an organization:
A vCISO coming in on a part-time basis provides the knowledge and the ability to collaborate. Not all organizations need a full-time CISO, and there’s a shortage of full-time CISOs on the market. A vCISO can provide a better cost model and work with executives throughout the organization, and be results-focused. You’re also getting the experience of several individuals. The Thrive consulting team is certified and able to socialize requirements and find the best solutions. We work in different verticals and have the experience to enhance your security posture.
What a vCISO looks like:
This individual will help spearhead a proactive, security-first approach. We have a policy resource library that a vCISO will help modify to meet your needs. A vCISO can also help plan sustainable business operations, and ensure recovery plans are being validated on an annual or semi-annual basis to create a strong cyber security posture.
Andrew Archibald, vCISO
On how Thrive’s vCISO foundation is built:
The Thrive vCISO offering is built on two foundational concepts. The first is the Center for Internet Security (CIS) framework. Thrive has worked with CIS for many years. It’s an easy-to-understand and approachable framework, yet extremely comprehensive. CIS has added controls around cloud security and remote work in response to the pandemic, as well. It maps to all of the other frameworks, including NIST and ISO. The second component of the vCISO service is built around the ISACA Certified Information Security Manager (CISM) credential and its domains. We make sure that there is a robust security culture throughout the organization, as information security is not just a box that is checked. Ultimately, this risk-based information security program is customized to your organization, taking corporate and IT strategy into consideration. We also make sure that recovery measures are in place to respond to, mitigate, and recover from a security incident.
What you get from the vCISO program:
If you don’t have an information security program, we will help develop and maintain a program that complements business strategy and risk tolerance. Some organizations are more willing to accept risk, and others are risk averse, and we take that into perspective when developing a plan. Our offering is based on creating reasonable information security measures to protect corporate assets. This approach is also eminently flexible. Every company has unique security challenges and concerns, and we remain flexible to address challenges and concerns organizations are facing.
On the vCISO process:
We have a 5-step process to implementing and maintaining the vCISO program, starting with Discovery. In this phase, we’re trying to better understand the existing information security program, or designing one if there is nothing currently in place. We look forward to talking with the board of directors and senior leadership, along with the IT experts to get a grasp of technologies and how they are implemented. We want to make sure the appropriate protections are in place in the Risk Assessment phase, and address any glaring deficiencies immediately.
The Current State Analysis includes a 20-40 page report with recommendations to implement ranked by importance, with remediation items managed and tracked appropriately. In the Information Security Program Development phase, we work to develop a security-focused culture, and create an umbrella document, the Comprehensive Written Information Security Program (WISP), that lays out security strategy, and can be shared with auditors if needed. Of course, day-to-day operations and nurturing will continue, providing updates to management as needed and conducting annual policy and procedure reviews, while making sure the risk profile hasn’t drastically changed.
Missed the Thrive vCISO webinar and want to learn more? Click here to gain on-demand access!