“Anything that can go wrong, does.” Remember Murphy’s law? It is just as valid for your company’s exposure to hackers and cybersecurity risks. Every company’s IT team acts the same way as the construction team that builds a factory… But
If you have spent months looking for a CISO, our vCISO Services could bridge the gap until you find one.
Join our clients in London, San Diego, Curitiba (Brazil), Dubai, Berlin, Sydney, Sofia, and Barcelona!
Once we start working together, we will generate a Kanban dashboard for you.
It will contain all security domains we will work on and all tasks per domain.
We prioritize and assign tasks to specific people.
Atlant Security works daily with your team, providing the necessary guidance and support.
For three reasons: we are faster, cheaper, and better at defense than a single full-time CISO.
We help companies establish proper password and access management. Password reuse will stop being an issue, and you will know who has access and why. Hackers will no longer be able to steal or guess employee passwords.
Our Virtual CISO services will help you establish mitigation controls for 17 types of cyber attacks: account compromise, unauthorized access, ransomware, network intrusions, malware infections, sabotage, security policy violations, and more.
We will provide security awareness training to your team. People will remember it, as it will be relevant to them. Your Virtual CISO will improve security awareness across the whole company.
Microsoft 365 has 280+ security settings. Amazon Web Services and Azure have hundreds of security configuration options, too - your virtual CISO will take care of ALL of them!
We will help you transform your IT infrastructure's security by implementing Server & Network Device Hardening, Desktop Hardening, Network & Web Service security, Data Security, Backups, and more!
You will know how many vulnerable machines/apps exist in your network. We will help you establish and manage a Vulnerability management program, gradually reducing existing vulnerabilities.
Getting access to a corporate account may grant a hacker access to all internal systems. We will implement secure authentication, ensuring the integrity and confidentiality of your communications.
Software development should be a rapid, efficient, and secure process. Our virtual CISO services will help you integrate security into the design, development, testing, integration, and deployment of your code.
Policies and Procedures are the governing laws of a company's business. We create living and breathing documents bringing order and structure to our customers' security practices.
Secure Work From Home is one aspect of remote access, but we also take care of third-party partners, outsourced employees, vendors, and guests. Remote access to data is not limited to VPN.
And this is why we expand your defense beyond VPN and add Zero-Trust as your primary defense principle.
Antivirus is just one of the 12 controls we implement to defend endpoints from advanced hacking attacks. We prevent the exploitation of these devices via malicious documents, scripts, 0day vulnerabilities, and more.
Every Information Security Program we build and execute for our clients is different. Their teams, infrastructure, applications used, and business objectives are unique, and we often expand our services to serve them better.
Reputation damage and revenue loss can have severe implications for your business. Please don’t leave it up to chance and expose your company to a security breach.
Our part-time Virtual CISO services offer the perfect alternative to the expensive, long-term contracts required when hiring a full-time CISO. We can be flexible around your business needs while still providing a personalized yet cost-effective cyber security strategy, so your business doesn’t fall victim to a future security breach.
A Virtual CISO is responsible for building all the necessary security capabilities and defensive measures for your company, such as Security Monitoring, Incident Response, Threat Modeling, Threat Hunting, Security Hardening of desktops, servers, databases and applications, network devices, security awareness training, etc.
The price for having our team be a company’s CISO depends on our security assessment results and the number of people and hours dedicated to defending your company. As all our clients are of different sizes and have different needs, our prices reflect that.
A dedicated full-time CISO usually spends one, two, or even three months really understanding what’s going on in a company: the capabilities of its people, processes, technologies, and assets. This is because it’s important to be non-disruptive when getting into processes you don’t yet understand, even if you are eager to raise the bar in defense of the organization quickly.
If you are looking to cut costs by hiring a part-time CISO, our service is not for you.
If you are looking for rapid, efficient, and practical security improvement, then our Virtual CISO service will work wonderfully for you.
We help customers secure their Identity and Access Management practices as part of the Virtual CISO Services solution. We help companies identify all business assets, applications, infrastructure elements, and data, and all the people who have regular or administrative access to them. We also identify potential ways to attack or misuse that access and develop compensating controls for all risks identified.
A critical part of this project is to educate the customer’s whole team on the importance of not reusing passwords and how to use a password manager efficiently.
A vital objective to achieve with any customer is reaching passwordless authentication – something we deliver with a combination of services from Google (FIDO2), Microsoft (passwordless authentication), Yubico, and utilizing biometrics and physical security.
Every company has a different threat landscape due to its data, customers, competitors, and resources.
Because of that, hackers can use different attack methods to compromise the company’s security and achieve their objectives.
They could be after stealing money directly from the accounting department, stealing confidential data, or even holding the company for ransom, as happened in a well-known law firm security breach.
We take a lot into account, but we also cover the fundamental types of attacks with all our customers:
We develop compensating controls for all of the above and implement them for our customers, depending on business priority and risk.
Customers who use our CISO as a Service offering receive regular, high-quality security awareness training, which helps every employee detect suspicious emails and report them.
The training is delivered periodically, and we help the customer’s team track its completion. Besides the regular training, customers also receive frequent updates on new attack methods that hackers use globally, keeping their team alert and up-to-date.
The human element in every defense strategy could be the weakest link, or it could be your most reliable link – it all depends on how well people prepare before they encounter an attack.
Are you using any major cloud providers – Google, Azure/Microsoft 365, or Amazon Web Services?
We develop secure architecture guidelines and help our customers implement them regardless of which cloud provider they use, even a small, regional one. The mind map shown here, created by Atlant Security, is used as the foundation for the elements to be protected in any cloud deployment.
We also offer cloud security consulting as a separate service – so make sure to check it out if you want to start with cloud security only. However, it is more effective to get everything in one package.
Cloud Virtual CISO
Some business cases require that a company hires a virtual CISO service for its cloud-only environment. We already have several clients matching that description – with a 100% cloud-based IT infrastructure; some even host their desktops in Amazon Workspaces.
If you decide to migrate to the Cloud, the skills of a regular CISO may fall short of your needs, and it is understandable why you may have trouble finding the right skills for defending cloud environments. Let us help you; our team has all the experience you need!
Here’s a surprise: your printer can act as the most accessible entry point into your network! Just check this PDF from BlackHat: modern printers have an operating system and often contain administrative credentials.
But there is more to security than securing printers!
Windows 10 has 282 security settings, of which 25 are critical. The situation is the same with Windows Server, Exchange, Mac OS, network devices, firewalls, and switches. We take pride in our enterprise system hardening procedures, and we don’t stop there.
The diagram below shows our process when securing our clients:
Very few CISOs go to the length and depth of our Virtual CISO Service offering. Our part-time CISO service is not cheaper than a full-time Chief Information Security Officer’s salary – but it achieves at least three times more than if our customers hired someone full-time.
Every element in your network can and usually does have vulnerabilities. When our clients sign up for our Virtual CISO services, we help them create and manage an efficient vulnerability management program.
Switches, routers, firewalls, servers, desktop computers with various operating systems, and all the installed software have new vulnerabilities posted for them every week.
Do you maintain a record of the following:
Part of our Virtual CISO service is protecting email services on-premise and in the Cloud and safeguarding collaboration tools such as Trello, Jira, Microsoft Teams, Zoom, and instant messaging services our clients use.
The reason they need to be protected is simple: hacking them is easy. It can take less than 2 minutes if you have not made an effort to secure them!
By becoming your CISO, we constantly monitor all your email accounts and services for signs of unauthorized access. Even with 2-factor authentication enabled, breaches are still possible. That is why it is critically important to integrate proper security monitoring with any security control.
Penetration testing is an essential element in every Information Security Program and is part of our Virtual CISO as a Service offering.
However, penetration testing is often done without any strategic planning or a comprehensive Information Security Assessment. It is crucial to execute a penetration test only after completing the significant effort of building your Information Security Program.
If attack simulation is the first stage of a company’s security efforts, the penetration test results will only show the lack of security controls. In that case, it will be a complete waste of time and resources.
Secure Software Development is more than following an industry best practice or guideline.
It is about culture.
The culture of enterprise architects designing secure solutions; development leads requiring specific standards of secure coding from their developers;
QA testers knowing which security vulnerabilities to look for, both logical and technical; IT administrators building secure development, testing, and deployment environments for everyone working on the product;
and security testing before the product is declared safe and secure for its clients and users.
We help startups and software development companies build and nurture this culture.
Our Virtual CISO as a Service experts carefully examine every client’s business before working on their security policies and procedures.
Our Virtual CISO Services can create many policies and procedures for you. For example, we could create a “Security Hardening Procedure” for your IT department, which is not in the image below, or combine several policies into one. Still, it takes decades of expertise and experience to know which business processes need extra security in a policy or a procedure. It all depends on a customer’s business requirements and what makes sense.
Can a team of seasoned CISOs and security subject matter experts replace the CISO role at an organization by taking the Virtual CISO role?
In 2009 a CISO had to make sure they passed their annual audits and that their antivirus worked correctly. In 2019, a CISO must:
The likelihood of finding one person who holds all the knowledge and achieves all the performance objectives mentioned above is incredibly low.
Protecting business-critical data needs to be aligned with business needs. On top of that, which elements would you like to have as part of your security program?
We help organizations improve processes like threat management and building an Identity Management Program. We also help them establish prevention, detection, and response practices. And we even provide security awareness training for executives, regular employees, and IT departments (all of them need different content).
Traditional security program building takes too long. You need to figure out the right path and the tools and techniques to jump ahead in it.
We have seen some old processes and technologies being used – and the people using them thought that just because it was in use for so long, it was still effective and relatively risk-free.
Instead of training your staff and growing your internal capabilities, now you can access a senior resource part-time, maybe a day a week or 4 hours a week, to speed things along.
Some organizations decide to buy things like security appliances and software, and within two years of going down that path, they start to realize that the value of what they bought is not what they expected. Sometimes you budget for a product and then realize you also need to find the right people to operate it, or train them, and their compensation was not budgeted at all! That ends up considerably slowing the whole process down.
We can navigate that kind of minefield and ensure that everybody thinks about those variables before making decisions and investing in a technology or solution.
The price for having our team be a company’s CISO depends on our security assessment results and the number of people and hours dedicated to defending your company. Our prices reflect that, as all our clients are of different sizes and have different security requirements. The price is slightly higher than what you would pay for a full-time CISO because you get more people, more technology, more know-how and experience, and a higher quality of service that does not go on vacation and cannot leave you for a higher-paying job. It starts at $40k per year for smaller companies, and for companies with thousands of employees, it may reach $300k per year or more, depending on any additional services and licenses a large company may need.
Get a Cloud Virtual CISO/CISO as a Service instead of spending months searching for a good Information Security Manager. We bill clients annually or monthly because we essentially become a part of your team and deliver results on a project basis, targeting specific defense objectives. But since so many people ask us for the price, we can say that the price for smaller projects is higher, around $200 an hour. For larger projects, where the work is distributed over a long time and involves many more billable hours, the price can be as low as $100/hour. Virtual CISO consulting service rates strongly depend on the project’s complexity.
You can expect to invest between $5200 and $9000 per month if your business has only cloud infrastructure and you have between ten and a hundred employees. If you have a large IT team and your software development team is larger than 20 people, then our CISO as a Service pricing will be higher than $10000 per month.
The CISO as a Service pricing starts at $5200 because a small company needs at least 20 hours a month and will most likely require at least 40 hours in the first month to get rid of all the high-criticality vulnerabilities we usually find. You can expect the price to decrease after the third month, because our involvement gets lower the more vulnerabilities we help you patch and the more secure you become.
A dedicated full-time CISO usually spends one, two, or even three months understanding what is going on in a company.
It is essential to be non-disruptive when getting into processes you don’t yet understand, even if you are eager to quickly raise the bar in defense of the organization.
From there, one could determine the maturity level of an organization and build a strategy.
The goals are identical, but there are some differences and similarities between a CISO and a virtual CISO.
Depending on the organization’s maturity level, we might start with different projects. We usually begin with a NIST CSF (NIST Cybersecurity Framework) assessment of how the organization matches its requirements. In most cases we run our Cybersecurity Risk Assessment service, which includes NIST CSF elements but is based on the NSA-ISAM (NSA Information Security Assessment Methodology). Sometimes we go deep and include breach susceptibility (penetration testing).
Using the results and the report, we establish a baseline for the client – in parallel to understanding the environment and culture at their company.
We also look at the deliverables set in front of us by the client (if any) and prioritize according to the business’s risk. We identify the major priorities for the first three months – the most essential items on our list are usually the risks identified that present a direct threat to the organization.
After identifying those and working on them, we develop a two- to three-year strategy for the larger organizations and a one-year plan for the smaller ones, detailing everything we can tackle from a budget and resource perspective.
The limitations on the customer’s side are usually time, people, and resources available for security, so with the results of our assessment, we strategically prioritize together with the client. In many cases we can realistically request more people and resources to cover the identified risks before they materialize.
What are the costs involved?
The first point we usually get into when people look at the virtual CISO option is cost – and from a pricing perspective, it is less expensive to have a virtual one. Sometimes you can’t even find a good one on the market! A CISO typically makes around $200 000 per year, and most organizations generally have not budgeted that amount for someone to take care of security.
Hiring and keeping the right talent is expensive and risky – many people leave within a year or two, and you would have to go through the same process repeatedly, which can take up to six months even with a good recruitment head-hunting team.
Let’s not forget that’s just the salary – excluding the price of any software, hardware, and external help they need to order – such as penetration testing, incident response, EDR, SIEM, and all kinds of other security services.
If you decide to get a dedicated CISO, you will also need to budget headcount below them.
Let’s do the math, budgeting for a CISO position:
With our service, you get to use our whole team of seasoned professionals under one service name: CISO as a Service.
The cost savings are apparent. Let’s take recruitment, for example:
Any head-hunting company charges one or two monthly salaries for finding a CISO, and the same applies to other people in the security department.
The average lifespan of a CISO in a company is 1-2 years (source: ISSA.ORG). That means that every 18 months, you will have to spend $20 000 – $40 000 on finding a new CISO and another $5000 – $8000 for each additional team member.
With our service, you save roughly $40 000 every 18 months just on recruitment costs, and you’re getting a higher quality of service. Add to that the cost of re-training every new hire, as they spend up to three months (paid!) while learning about their new job and requirements.
On average, the longevity of a CISO in a company is around two years – because they can lose their job for all kinds of reasons, security incidents being just one kind. Yet another reason to go with a virtual CISO – you get to keep improving your security program with the same team, avoiding some of the political and interpersonal relationship risks present when tensions between CIO, CEO, and CISO arise.
For a security program to be successful, every employee of the organization needs to stand behind the security strategy laid out in front of them, including the IT team and the leadership team. Everyone should care and participate equally: trying not to click on phishing links, reporting suspicious activities, not bypassing security measures, and instead reporting when measures are ineffective so the security team can find better ones in terms of usability and efficiency.
From a CISO service delivery perspective, our responsibility is to help everyone on board stop seeing security as the ‘department of No’ and start seeing it as a department that supports the business and ensures its survival in the long run.
Our message is: “Here is our assessment of the situation, here are the risks, here are the potential remediation actions from a risk perspective – accept, mitigate, transfer, etc.”
The choice of response, based on the options provided, then rests with the client’s leadership team.
In most cases, especially in organizations with a less mature security program, the CISO function reports to the CIO – and it might be the most effective form of reporting for them.
Being inside the team is often better than being outside the IT team and telling people what to do without directly seeing the impact of your suggestions on their projects.
If the networking team in the company also does security, when a CISO as a Service expert comes in, they may be viewed as a threat.
We need to understand the personnel culture right from the start and then tactfully defuse things over a short time to build trust.
Sometimes, after we start delivering our Virtual CISO services in the company, we still need to sell ourselves to the internal teams and team members – and we do.
The Information Security Program created for a customer defines the responsibilities of a virtual CISO (or the company delivering the CISO as a Service offering). They may range from external consulting only to hands-on implementation, assessments, team and individual employee mentoring, security awareness training, security hardening audits and random spot checks, financial reporting to the board on the money spent on cybersecurity, and much more.
We have a vast network of friendships, acquaintances, vendors, and industry professionals. We consistently leverage that network to offer a more streamlined and cost-effective service.
On the other hand, when a CISO stays in the same position and company for a long time, their professional network becomes stale and offers less leverage over time.
One of the great benefits of working with our company is the talent we have: even if the consultant serving a client is not a PCI expert, when that client falls under PCI compliance we can always bring in a phenomenal PCI expert from our team to help them.
Another point is sharing industry knowledge with other consulting companies. Ninety-nine percent of the time we face the same attackers and defend the same infrastructure types. We have about the same technology, and we all want to share success stories to help others mitigate similar threats.
At Atlant Security, we also share information internally in our daily meetings and internal chats; the speed of information flow is much faster than a single CISO can afford to read during their daytime job activities.
Our primary responsibility is to communicate risk to the business and provide the right tools and expertise to act accordingly.
Almost everyone uses one or many cloud services – businesses even migrate all their infrastructure and data to the Cloud. The digital transformation movement is swift, and technologies change quickly – quicker than many full-time employees are comfortable with.
That is where our CISO as a Service comes in – to bridge the gap between the data and services you need to migrate and the internally available resources.
We always have the needed skills and personnel available and speed your cloud migration significantly, reducing friction and risk.
On Monday, we might be in an organization and work with their own set of business drivers and political obstacles to mature their security program.
On Tuesday, it could be a completely different organization, in a separate vertical with different business needs and requirements, and that is challenging. By overcoming various challenges, we add to the whole team’s experience, and all our customers get to benefit from that.
It’s important to understand that you can’t do everything at once. You need to identify the number 1 priority, which will bring the most impact quickly in improving the organization’s security.
No company out there can offer a complete set of managed security services unless the client, in general, outsources most of their processes – their whole IT organization – to a third party.
If there is on-site infrastructure, someone, even a member of the IT department, must do things as instructed by our virtual CISO team.
Having a part-time CISO with our service is better than having a full-time CISO because you get guaranteed service levels and defenses. Hiring full-time means you pay one salary to the headhunter or recruitment agency, and you need to train the person in the specifics of your company. That training period usually lasts between a few weeks and a few months, depending on the company’s size and the CISO’s skills.
A part-time CISO needs less time to commute if they work remotely, which gives them more time to work on the company’s defenses. With our service, you can get a highly experienced and qualified security expert to be your part-time CISO.
The team serving as your CISO is always motivated and consistently performs at their highest capacity due to the KPI-based contract between our clients and Atlant Security and the performance rewards system based on client satisfaction and goal achievement.
When you have a CISO-as-a-Service contract with us, it clearly defines the Key Performance Indicators (KPIs) and objectives. Our invoicing depends on the KPIs achieved, agreed and approved by you.
Imagine if you could approve the work of your full-time or part-time CISO before each salary payment. Unfortunately, no labor law in any country would allow that. But a service contract with a company enables exactly that! And their performance would be excellent, too!