Our whole team is your (Virtual) CISO
The average CISO salary in the USA is $204 000 (forbes.com). On top of that you usually pay a head hunter after waiting half a year to find one – and then the average tenure of a non-virtual CISO at a company is one to two years, after which you have to find a new one. What do you get with one CISO? One head, one set of skills, one person who can easily become complacent while receiving the same salary every month.
That is why we created our Virtual CISO (vCISO) as a service offering tailored specifically for law firms:
- You get our whole team as your CISO – people with experience of working on Microsoft’s security team, people with military and nuclear defense experience – all of them ready to start building your Security Program.
- We have people in Europe, the USA and Australia – your vCISO never sleeps – and when a new attack hits any of our clients anywhere in the world, we can defend all our clients worldwide immediately, because we monitor cyber threats globally.
- You get higher quality at the same price – we don’t sell “cheaper”, we sell better, at a price no on-premises, full-time CISO could compete with for the reasons mentioned above. We are changing the game for the sake of our clients.
- KPI reporting on every element of the security program we build for you – this eliminates the risk of complacency or laziness on our team’s part, as there are clear contractual quality obligations that we follow, along with our own internal quality standards.
- We are unbiased and independent – we follow an established assessment methodology (NSA-ISAM) and evaluate only the elements that actually affect your defense posture, not checkbox compliance.
- Every improvement or security innovation designed for any of our clients becomes available to you immediately – when a CISO works for one company, they usually limit themselves to whatever their superiors ask for, which is not a lot. We, on the other hand, have to stay competitive in a very aggressive market, against attackers who attack every one of our clients differently – and the advanced defenses we are forced to come up with are implemented for all of our clients at once.
Strategically Efficient vCISO Service for Law Firms
Monthly KPI Reporting
The security program we design and implement for you will consist of multiple projects, each with its own KPI metrics. Our team generates monthly reports on what has been achieved against the initial objectives.
Independent and Unbiased
We follow the assessment methodology developed by the NSA (NSA-ISAM), augmented with our own extensive international experience in security assessments. We leave checkbox audits to checkbox auditors – we evaluate only the practical, to-the-point elements that actually affect your defense posture.
Does your IT department manage security well? The answer will be no. But how bad is it exactly, and which are the most critical changes to implement ASAP, before someone finds the gap and exploits it?
First Things First
By the time you have finished reading our report you will have a clear picture of which weaknesses need to be dealt with immediately and how much it will cost you (financially and otherwise) – we deliver a clear, priority-based timeline for remediation.
Security Risk Awareness & Avoidance
Are your associates, attorneys and managing partners on the same page about handling passwords, access, and personal and company-owned devices securely? We have seen firm leadership using the password Password123, and we have seen associates giving away their e-mail password over the phone…
We help you monitor your IT department’s (and other departments’) progress on the necessary defense measures by continuously auditing their work and reporting on any discrepancies or missed project deadlines.
Continuous Defense Improvement
Ever thought e-mail could be a secure form of communication? Were your employees’ mailboxes easy to break into? Not anymore.
Once the assessment is complete and you start implementing our recommendations, you will be able to sell your service as more secure than the competition. Everyone wants to know their law firm takes security seriously.
We have helped firms decommission expensive, outdated and obsolete security devices in favor of cheaper and more efficient options.
You are getting a faster and more efficient service.
Getting a Virtual Chief Information Security Officer is gaining popularity among the $500m – $2b businesses
Can a team of seasoned CISOs and security subject matter experts replace the CISO role at an organization by taking the Virtual CISO role?
In 2009 a CISO had to make sure they passed their annual audits and that their antivirus was working properly. In 2019, a CISO must:
- Ensure patching is on time for all 9000 different applications, operating systems, firmware and drivers in their environment
- For the same 9000 elements, maintain daily/weekly/monthly vulnerability management
- Run yearly penetration tests and ensure the findings are fixed before the next one
- Choose between a plethora of security vendors selling Data Leakage Prevention, Next-Gen Firewalls, blockchain and AI-based antivirus, antispam and anti-(insert snake oil keyword here) – all of whom essentially sell a fancy box with a fancy name that the hackers don’t even notice as they walk in and take your data
- Herd all your employees into security compliance
- Establish Security Incident Prevention, Detection and Response
- Communicate risks to the board and get adequate funding for their mitigation
The likelihood of finding one person who holds all that knowledge and can achieve all the performance objectives above is incredibly low.
Our vCISO team will build or re-build your security program
Protecting business-critical data needs to be aligned with business need. On top of that, which elements would you like to have as part of your security program?
We help organizations improve processes such as threat management, build an Identity Management Program, establish prevention, detection and response to cyber-attacks, and provide security awareness training for executives, regular employees and IT departments (each of whom needs a different level of detail and different knowledge).
Traditional security program building takes too long. You need to figure out the right path, and the tools and techniques you are going to use to really jump ahead.
We have seen old processes and old technologies still in use – and the people using them assumed that because they had been in use for so long, they were still effective and relatively risk-free. There are also providers of products and services
Instead of having to train your own staff and grow internal capabilities, you can now access a senior resource part-time – maybe a day a week, or 4 hours a week – to speed things along.
Some organizations decide to buy security appliances and software – and within 2 years of going down that path they start to realize that the value of what they bought is not what they expected. Sometimes you budget for a product and then realize you also need to find the right people to operate it, or train them – and their compensation was not budgeted at all! That considerably slows the whole process down.
We can navigate that kind of minefield and ensure that everybody considers those variables before making decisions and investing in a technology or solution.
Virtual CISO Services Price
The price of having our team as your virtual CISO-as-a-service depends on the results of our security assessment of your company and on the number of people and hours dedicated to defending it. As all our clients differ in size and needs, our prices reflect that. If you want an answer now: the price is slightly higher than what you would pay for a full-time CISO, because you get more people, more technology, more know-how and experience, and a higher quality of service that does not go on vacation and cannot leave you for a higher-paying job.
Comparing a full-time CISO to a virtual CISO
A dedicated full-time CISO usually spends one, two or even three months getting to understand what is going on in a company – the capabilities of its people, processes, technologies and assets – because it is important not to be disruptive by interfering with processes you do not yet understand, even if you are keen to quickly raise the bar in the organization’s defense.
From there one can determine the organization’s maturity level and build a strategy.
Differences and Similarities
The goals are identical, but there are some differences and similarities between a CISO and a virtual CISO (vCISO, to shorten it and match our service name).
- As the vCISO provider, we are not at the company every day.
- We do not have the luxury of sitting back for 30, 60 or 90 days to learn the organization before we start acting and delivering value.
- Leadership has certain expectations – we get paid for results rather than just for being there for compliance.
- The speed of project and control implementation is higher with a virtual CISO, as there is less incentive to procrastinate.
- Our goal is to help the business run safely and efficiently.
- The resources needed to achieve a certain level of defense are very similar: you need to buy the same software and hardware.
How do we deliver the vCISO service?
Depending on the organization’s maturity level we might start with different projects. We usually begin with something like a NIST CSF (NIST Cybersecurity Framework) assessment of how the organization measures up against its requirements. In most cases we run our Cybersecurity Risk Assessment service, which includes elements from NIST CSF but is based on the NSA-ISAM (NSA Information Security Assessment Methodology). Sometimes we go deeper and include breach susceptibility testing (penetration testing).
Using the results and the report, we establish a baseline for the client – in parallel with getting to understand the environment and culture at their company.
At this point we also look at the deliverables the client has set in front of us (if any) and prioritize according to the risk to the business. We identify the major priorities for the first 3 months – the biggest items on the list are usually the identified risks that present a direct threat to the organization.
After identifying those and beginning to work on them, we develop a 2- to 3-year strategy for larger organizations and a one-year strategy for smaller ones, detailing everything we can tackle from a budget and resource perspective.
We also use any input the organization can give us from their own assessments – usually these are based on something like the CIS Critical Security Controls – but those rarely go into as much detail and depth as our assessment does.
The limitations on the customer’s side are usually the time, people and resources available for security – so, with the results of our assessment in hand, we prioritize strategically together with the client. In many cases we request more people and resources so that the identified risks can realistically be covered before they materialize.
The toughest part of a CISO’s job is fighting fires all day – usually involving lots of politics and inter-team friction over minor items that an external resource does not have to deal with. We get to focus on deliverables, and since the client is paying for our time, so do they – and in the end we turn out to be more effective than a hired full-time resource.
We are very client-driven – irrespective of vertical, our clients have different needs, different priorities and different starting points from a security program perspective.
It is all about protecting business data while ensuring that the business can still be profitable.
One of the things we love most about the service we deliver is the knowledge transfer. We consult every day – and we see consulting as bringing the experience gained with all our clients to every client we work with.
We love to see an organization transformed from one with no security program, or a very weak one, into something like a digital fortress – a very efficient and secure business unit.
What kind of clients are typically most interested in a virtual CISO service?
It depends a lot on their business, but small to medium size operations at some point realize they need someone to take care of security. Usually those are businesses between $500 million and $2 billion. These are typically organizations that do not currently have a dedicated person, or even someone on their team, who is well versed in cybersecurity. There are also clients who are a little more mature from a security program perspective but need our assistance to move faster.
For them, our team can come in and speed up some of the initiatives to get their maturity level up quicker.
What are the costs involved?
The first point people usually raise when they look at the virtual CISO option is cost – it is generally going to be less expensive to have a virtual one. A CISO typically makes around $200 000 per year, and most organizations have not budgeted that amount for someone to take care of security. Sometimes you cannot even find a good one on the market to begin with!
Hiring and keeping the right talent is expensive and risky – many people leave within a year or two and you have to go through the same process all over again, which can take up to six months even with a good recruitment or head-hunting team.
And that is just the salary – excluding the price of any software, hardware and external help they need to order, such as penetration testing, incident response, EDR, SIEM and all kinds of other security services.
If you decide to go out and get a dedicated CISO, you will also need to get headcount below them.
Let’s do the math, budgeting for a CISO position:
- The average CISO makes around $200 000 per year.
- The average firm also needs to hire people to run the security tools in the company (especially firms larger than 1000 people): someone has to maintain all those firewalls, the SIEM (Security Information and Event Management), antivirus engines, antispam, Data Leakage Prevention, exploit mitigation, Endpoint Detection and Response (EDR) tools, vulnerability management and patching tools… Consider each of these new hires costing the company $50 000 – $80 000 per year.
- All the tools mentioned above have licensing costs. The SIEM alone can cost in the range of $40 000 per year.
- Hardware and storage costs for all the data that needs to be processed and stored for security purposes
With our service, you get to use our whole team of seasoned professionals under one service name: Virtual CISO.
The cost savings are obvious. Let’s take recruitment for example:
Head-hunting companies charge one or two monthly salaries for finding a CISO, and the same applies to the other people in the security department.
The average tenure of a CISO in a company is 1-2 years (source: ISSA.ORG). That means that every 18 months you will have to spend $20 000 – $40 000 on finding a new CISO and another $5000 – $8000 for each additional team member.
With our service you save roughly $40 000 every 18 months on recruitment costs alone, and you get a higher quality of service. Add to that the cost of re-training every new hire, who spends up to three months (paid!) learning about their new job and its requirements.
Multi-national corporations with a lot of different sites might not be the ideal customer for us as they would probably already have a security team and a senior security person in place, but even they can use our organization and service to augment the resources and time allotted to their CISO and speed projects up by a huge margin.
Depending on where the organization is from a cost perspective, it might even be viable to do only quarterly engagements with a vCISO team, or only bring us in to speak to the board and exchange strategic guidance. The way we have built the service allows us to be very flexible in how we deliver value.
Another benefit of the Virtual CISO service is that, depending on the maturity of the organization, a lot of the activities can be done on a project-by-project basis.
For example, if we are building an Incident Response capability for your company, it can be part of an ongoing long-term plan or a stand-alone project.
The next decision point is risk ownership: if something goes wrong, such as a security incident, especially a major one, the CISO usually gets fired. With a vCISO service, the company delivering it has defined responsibilities, and execution is agreed with the client’s senior management – so if a contractual obligation was not met, the vCISO provider carries a defined liability, whereas the liability of an employed CISO is limited to their employment.
On average, a CISO stays with a company for around 2 years – because they can lose their job for all kinds of reasons, security incidents being just one of them. This is yet another reason to go with a virtual CISO – you keep improving your security program with the same team, avoiding some of the political and interpersonal risks that arise when tensions between the CIO, CEO and CISO build up.
For a security program to succeed, every employee of the organization needs to stand behind the security strategy laid out for them – the IT team and the leadership team included. Everyone should care and participate equally: not clicking on phishing links, reporting suspicious activity, and, rather than bypassing security measures, reporting when they are ineffective so the security team can find better ones in terms of usability and efficiency.
From a vCISO perspective, our responsibility is to get everyone to stop seeing security as the ‘department of No’ and start seeing it as a department that supports the business and ensures its survival in the long run.
Our message is: “Here is our assessment of the situation, here are the risks, here are the potential remediation actions from a risk perspective – accept, mitigate, transfer, etc.”.
The choice among those options then rests with the client’s leadership team.
Who should the vCISO report to?
In most cases, especially in organizations with a less mature security program, the CISO function reports to the CIO – and that may well be the most effective reporting line for them, as being inside the IT team is often better than sitting outside it and telling people what to do without seeing directly how your suggestions affect their projects.
If the networking team in the company also does security (which is often the case because… they take care of the firewall, and in many companies the antivirus and the firewall are the only security they have), then when a vCISO comes in they are viewed as a threat – the networking team fears the security reports will claim Networking is not doing a good enough job. So it is really important for us to understand the personnel culture right from the start, to tactfully defuse things, and to build trust over a short period of time.
Often, even after the service has been brought into the company, we still need to sell ourselves to the internal teams and team members – and we do.
Relationships are important both inside and outside the organization, and that is equally true for us as the service provider. We have a huge network of friendships, acquaintances, vendors and industry professionals, and we always leverage that network to offer a more streamlined and cost-effective service.
On the other hand, when a CISO stays in the same position at the same company for a long time, their professional network grows stale and offers less and less leverage over time.
One of the great benefits of working with our company is the talent we have – if the lead on your engagement is not a PCI expert and you fall under PCI compliance, we bring in a phenomenal PCI expert from our team to help. We also have people on the technical side – penetration testing, forensics, incident response, security assessments – and at whatever stage a customer’s project is, we bring them in at the right time to make our vCISO service most effective. This works much better for our clients than depending on that one CISO.
Another point is sharing industry knowledge with other consulting companies – 99 percent of the time we face the same attackers, defend the same types of infrastructure with about the same technology, and we all want to share success stories to help others mitigate the threat we just dealt with.
At Atlant Security we also share information internally all the time, in our daily meetings and internal chats – the flow of information is much faster than a CISO can afford to keep up with during their day job.
Our primary responsibility is to communicate risk to the business and provide the right tools and expertise to act accordingly.
Assistance with your migration to the Cloud
Almost everyone these days uses one or more cloud services – businesses even migrate all their infrastructure and data to the cloud. Digital transformation moves very fast and technologies change quickly – quicker than many full-time employees are comfortable with.
That is where our virtual CISO services come in – to bridge the gap between the data and services you need to migrate and the internally available resources.
We always have the needed skills and personnel available and will speed your cloud migration significantly, reducing friction and risk.
We might be in one organization on Monday, working with its set of business drivers and political obstacles to mature its security program – and on Tuesday in a completely different organization, in a different vertical with different business needs and requirements. It is challenging, but overcoming different challenges adds to the whole team’s experience – and all our customers benefit from that.
In our experience, every time someone tells us they know something is wrong but will fix it later, it never happens. But there are things that can be done right away! For example, 2-factor authentication.
Can a company outsource their complete set of security needs to a third party?
It is important to understand that you cannot do everything at once. You need to identify the Number 1 priority – the thing that will have the most impact, quickly, in improving security within the organization.
No company out there can offer a full set of managed security services unless the client outsources most of their processes – their whole IT organization – to a third party.
If there is on-site infrastructure, someone, even if it is a member of the IT department, must be on-site to take care of things as instructed by our vCISO team.