The job of a Chief Information Security Officer (CISO) has become increasingly complex as security threats grow more frequent. A typical CISO has broad responsibility for establishing and maintaining an organization’s strategy to ensure that information assets and technologies are protected. The CISO also directs staff in reducing IT risk, responding to incidents, and implementing procedures that protect the enterprise. In many organizations, the CISO must combine the communication skills needed to advise the board and CEO with the technical depth to manage tactical delivery.
It takes years to develop these skills, and demand for them has increased dramatically. As a result, a traditional in-house CISO can cost an organization between $200,000 and $380,000 in salary alone, plus benefits for a full-time employee. Employing a CISO is a substantial investment for any organization, and many have difficulty attracting world-class talent because of their location, industry, or scale. Although these organizations face an ever-growing risk of cyber attack, many lack the resources to afford and attract a qualified CISO candidate. Cybis’ Managed CISO service is designed to fill that gap with a flexible, highly capable, and affordable alternative.
Cybis is a cybersecurity consulting firm made up of former National Security Agency (NSA), Central Intelligence Agency (CIA), Department of Defense (DOD), Department of Energy (DOE), and US Senate cyber operators who provide retainer-based security advisory and Managed CISO services to leading organizations across multiple industries. Below are some of the benefits of the Managed CISO model over the traditional CISO employee model.
Traditional Model vs. Managed CISO
What Cybis Can Do
Cybis Managed CISO engagements typically begin with an assessment that establishes a baseline understanding of the client and identifies critical gaps or vulnerabilities across the cyber, human/insider, and physical security environment. Cybis also assesses the client’s readiness to respond to likely threats and develops a practical roadmap of recommendations to remediate those gaps.
Once the landscape is understood, Cybis and the client craft an appropriate ongoing CISO or advisory arrangement that typically provides a combination of leadership, oversight, and objective advice on a part-time, retained basis. In this role, Cybis consultants may report to the board, audit committee, and others as an independent, product-agnostic assessor of the client’s security position.
Cybis Managed CISO teams may conduct intermittent assessments throughout the year to explore specific issue areas identified in the baseline assessment, such as countering an insider threat or establishing an information security program. They may maintain a cybersecurity dashboard or program office to track the progress of the cybersecurity program. They are also available to respond quickly to incidents and new threats as they emerge, adding skills and flexibility to the client’s in-house team.
As a trusted advisor, Cybis can also provide ad-hoc project services as required, including:
Driving cybersecurity strategy at an enterprise level
Assisting with tactical decision-making, such as vetting vendors and technical solutions
Honing security policies to address organizational and cultural vulnerabilities
Briefing executive and board-level personnel on current threats and security initiatives
Driving more efficient utilization of existing human and technical resources against concrete threats