What is a vCISO?

You may be familiar with the term CISO (Chief Information Security Officer), but if you're reading this, you are probably less familiar with a vCISO, or virtual CISO. This quick five-minute blog will help you understand what a vCISO is and why having a vCISO for your organization may be the best thing you do this year.

Chief Information Security Officer

A Chief Information Security Officer is the senior-level executive in an organization who is responsible for creating and managing the security protections for information assets and technologies, in line with the organization's vision, mission, and strategic goals. They are charged with ensuring that the proper protections are in place and maintained so the business can reach its established objectives. Their scope of responsibility includes communications, applications, and infrastructure, as well as the policies and procedures that apply to every line of business within the organization.

A virtual CISO (vCISO) is a proven security expert who works with your organization, but not directly for it, to fulfill the responsibilities of an in-house CISO. This individual works to strengthen and reinforce your established information security or information technology team.


Benefits of a vCISO

One of the largest benefits of hiring a vCISO is that your organization receives the knowledge and skills of an established security professional without paying a full-time salary. With a median salary of $228,612, according to Salary.com, the cost of a full-time CISO is high, and many smaller businesses simply cannot afford one. Virtual CISOs, however, can be engaged on demand and cost a fraction of the price.

Another benefit of a vCISO is that they require far less onboarding than a full-time hire. Their role is scoped to results rather than to a place in the org chart, so they have less incentive to soften findings for the sake of internal politics and can be direct about security measures and goals.


A Good vCISO

Individual organizations have different business goals, and almost every industry has a set of regulations and standards it must follow. A good vCISO will be able to hit the ground running when they begin working with an organization, aligning business goals, security goals, and compliance requirements. A vCISO will incorporate the goals of the organization into their strategic plan for information security, compliance, and risk management.

The "good" vCISO for your organization will be able to communicate risks clearly and propose mitigation strategies proportionate to those risks. They will establish controls and procedures to mitigate risk within the organization. They will also maintain a working relationship and open communication with the in-house information technology/security team to ensure the security roadmap meets the needs of the organization.


Hiring a vCISO

Hiring a vCISO isn't the right move for every company. They are best suited to small and medium-sized businesses looking to support their existing teams. Since the role of a vCISO differs from company to company and from industry to industry, it is important to find a virtual CISO with experience of the challenges your organization faces: compliance regulations, security threats, industry standards, and more. When hiring a vCISO, organizations should weigh both focused industry experience and overall experience.


The ultimate goal of the vCISO should be to keep the organization they work with protected and secure so that the organization can focus on its business goals.


Privacy versus Security

Privacy and security are rapidly converging, especially in the realm of compliance. A comprehensive program for information security management and planning must include privacy concerns and meet their confidentiality objectives. The two disciplines become "siloed" when information security is treated as an IT issue and privacy as a legal issue. In truth, both are management data protection issues with boardroom-level implications. Management must look at all forms of information and provide for its protection across privacy, cyber security, and continuity of operations, because these three components of business assurance have largely congruent requirements.

After a recent presentation on Cyber Security at a financial services conference, I was asked what the differences are between privacy and information security. I thought I would share my answer with you in hopes that it improves collective understanding.

What is Privacy?

Privacy is centered on customer and employee information that most people would reasonably consider private and suitable only for trusted disclosure. Such information includes, but is not limited to:

  • Personally Identifiable Information (PII) – Information that could allow a third party to identify who you are and how to contact you, such as your name, email address, and phone number. PII extends to data elements that enable identity theft, such as your social security number and date of birth.
  • Protected Health Information (PHI) – Information that could identify you and reveal health diagnoses, illnesses, prognoses, and treatments. (This is the HIPAA term; it is often written informally as Personal Health Information.)
  • Personal Financial Information (PFI) – Information that could identify you and reveal details of your investments, credit status, loans, liens, wages, and taxes.

The primary protection focus is the confidentiality (prevention of unauthorized disclosure) of such information. The main threat is a breach in which an unauthorized party gains access to the data. A breach could lead to identity theft, resulting in legal liability for the company and a loss of customer confidence.

What is Information Security?

Information security focuses on protecting data at rest, in transit, and during processing, along with the related information assets such as servers and mobile devices. The objectives are confidentiality, integrity, and availability (C-I-A). Compromise of one or more of these objectives could result in disclosure of information to unauthorized parties, inaccurate data elements and records, or the destruction of, or denial of access to, mission-critical data.

Privacy and Security Laws and Regulations

European nations are serious about privacy. Germany is one of the leaders in this area, shaped by its history of state surveillance of its citizens. Well-known North American laws, like the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the U.S. Health Insurance Portability and Accountability Act (HIPAA), set the standard for data privacy in the western hemisphere. In the U.S., federal privacy law is sectoral (HIPAA for health data, with a handful of similar sector-specific statutes) rather than comprehensive, which leaves much of the work to the individual states. Thus, U.S. companies that operate across multiple states must always be aware of the various state laws and implement controls commensurate with the most restrictive of them.

Unlike privacy, information security has very little by way of laws requiring protection. Don't misunderstand: there are numerous regulations requiring companies to have a security program, but government statutes are lacking. Most U.S. congressional statutes in this realm deal with cybercrime or refer back to data privacy. More recent laws in the U.S., like the Cybersecurity Act of 2015, give companies liability protection for sharing cyber threat indicators and for operating defensive measures on their own networks. Stay tuned, as many more laws across the international landscape will arrive in the remaining years of this decade.

Privacy and Security Frameworks and Standards

A trending industry approach is to build an organizational standard through the lens of privacy and information security frameworks such as ISO/IEC 29100 and the ISO/IEC 27000 series. ISO/IEC 29100 is a privacy framework that can be adapted to any organization that stores, transmits, or processes PII; the ISO/IEC 27000 series is a set of mature security techniques that organizations can use to protect data of various types and in various states. Both address protection through the implementation of information technology controls, and ISO states that the two frameworks have a direct relationship.

For several years in the U.S., the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) has been the standard for information security within federal government agencies. RMF has a provision for privacy, and all systems using the framework must conduct a privacy impact assessment. In May 2015, NIST released a draft (NISTIR 8062) describing a Privacy Risk Management Framework (PRMF) for assessing and protecting federal systems that process personal information. As with ISO, there is a direct relationship between information security and privacy in RMF and PRMF.

Most U.S. industries are highly regulated, and newer regulatory standards require safeguards for privacy and programs for cyber security. Most of these regulations refer directly to NIST guidelines and frameworks. For regulated organizations, NIST provides guidance via the Cyber Security Framework (CSF), which includes only a smidge of privacy techniques. My prediction is that more privacy protection guidance will be incorporated over the coming years of this maturing framework.

Business Privacy and Security Implementations

Privacy and information security, although not the same, are closely related and critical for every business. Privacy should be regarded as an element of information security, specifically the one providing for the confidentiality of PII, PHI, and PFI. The requirements for both are complex and evolving. Every business has a responsibility to understand its legal, civil, and social obligations for data protection. For small and medium-sized businesses, converging privacy and security is essential to an efficient and effective data protection program. For certain medium to large companies, it makes sense to separate, yet closely relate, the two functions, as each can benefit from concentrated focus and management.