Virtual CISO and CDO

In many organisations the security of information has tended to be part of the Chief Information Officer’s responsibilities, but increasingly a need is emerging for a more integral Chief Information Security Officer (CISO) role, responsible primarily for identifying and managing information security risks across the business. As cyber security becomes ever more complex, the requirements on the CISO have developed significantly and have become increasingly technically focused, while the CISO must still maintain a clear and broad business view of information security risks. It’s a truism that every organisation’s information security risks and needs are different, and the CISO needs to be very alive to that. But typically, the CISO will need to be able to:

  • Provide leadership to the specialist security teams
  • Develop strategies for IT security hardware, software, systems development, awareness, processes, standards and compliance
  • Take careful account of supply chain security, including the ever-increasing significance of “cloud” and other outsourced services
  • Drive and manage security related audits
  • Lead a programme of continuous security risk assessment and management
  • Monitor threats and vulnerabilities
  • Oversee the management of security incidents
  • Take a central role in business continuity and disaster recovery planning
  • Drive an effective and properly focused information security awareness campaign

Regency’s senior consultants are well placed to help organisations in all sectors with this task, for example by providing an interim CISO, or for smaller organisations, where a full-time CISO may be inappropriate, by offering a “virtual CISO” service tailored to the needs of the organisation. They bring to the organisation the necessary presentational, communication and planning skills, experience in strategy and policy development, knowledge of relevant legislation, experience of incident management and a range of other skills aligned to the tasks listed above. These will be combined with aptitude for putting across technical and challenging topics to non-technical business leadership, and the overall ability to be the champion of information security within the organisation.