Virtual Chief Information Security Officer | vCISO Solutions - What THarWi Brings to Your Organization.
vCISO Solutions
Many organizations have a gap in the essential strategic CISO role. Our Virtual Chief Information Security Officer (vCISO) solution closes this gap and gives organizations of all sizes access to a suitably experienced and qualified cybersecurity executive strategist who fills or augments the CISO function.
Don’t wait until disaster strikes before investing in a virtual CISO. A proactive approach to cybersecurity strengthens and fortifies your organization and leaves minimal need for reactive response and recovery work. A skilled virtual CISO will architect the necessary security controls into your organization over time, increasing its cyber resiliency. Ultimately, adding a virtual CISO to your team helps achieve and preserve organizational goals.
Implementing & Overseeing A Cybersecurity Program
A key role of a vCISO within your organization is to provide strategic guidance on your cybersecurity program. Along with that guidance, it is the vCISO’s responsibility to ensure the organization remains compliant with applicable cybersecurity standards, policies, regulations and legislation.
Managing Business Continuity & Disaster Recovery
Maintaining and executing your existing business continuity and disaster recovery plans is a key role of a vCISO. Security incidents can affect an organization’s well-being in numerous ways, and a vCISO plays a vital role in managing business continuity in the aftermath of an incident.
Aligning Cybersecurity & Business Objectives
A vCISO makes sure that the objectives of your organization’s cybersecurity program are aligned with the objectives the organization as a whole hopes to achieve. One key function of this role is to ensure clear communication between security personnel and key stakeholders.
Reporting On Cybersecurity
vCISOs play an important role in providing business leaders with intelligence on key cybersecurity trends, and in giving upper-level management a consolidated and comprehensive view of the organization’s cybersecurity posture.
Promoting A Culture of Strong Information Security
Another key role of a vCISO is to promote a culture of strong cybersecurity. To facilitate cultural change across the organization, the vCISO should act as a thought leader, continually communicating strategy and vision. This can be achieved by tailoring communications to different parts of the organization.
Utilizing Cybersecurity Budgets Effectively
It is also the responsibility of a vCISO to apply the budget allocated to the organization’s cybersecurity program efficiently and effectively, helping the organization make smart decisions about where to invest in cybersecurity.
Managing Vendor Relationships
The suppliers and service providers you work with pose a significant risk to your organization’s information security. A vCISO can help ensure that consistent vendor management processes are in place to mitigate these risks.
Monitoring Incident Response Activities
A vCISO oversees how well internal teams handle a cybersecurity incident once it is identified and, if needed, may be expected to step in and manage the incident response directly. During a security incident, it is the vCISO’s responsibility to bring clarity to key internal and external stakeholders.
vCISO Retainer Options
Each organization is different, and therefore each organization has differing requirements. To provide appropriate solutions, THarWi offers three levels of vCISO solutions.
vCISO | Diamond | The vCISO Diamond solution offers the following:
◾ vCISO executive-level advisory and consulting services on retainer.
◾ Priced as a set number of hours (generally up to 130) of general information security, cyber security, and GRC consulting and advisory services, provided by phone, email, video conference, and/or in-person.**
◾ Consists of recurring activities and deliverables.
◾ Engagements follow practices appropriate for implementing a metric-driven cybersecurity program.
🔺 WEEKLY:
Artifact verification (e.g., security testing results for products);
Weekly Status meeting;
Change control status;
Planning for upcoming monthly, quarterly, or annual requirements.
🔺 MONTHLY:
Program status meeting;
Infosec/IT Steering Guidance;
Governance/Plan for Corrective Action.
🔺 QUARTERLY:
Quarterly Business Review (QBR): Conduct Risk Governance Committee meeting;
Review / update IR Plan.
🔺 ANNUALLY:
Participate in annual strategic planning and budget development;
Policy Review.
🔺 DELIVERABLES (Minimum)
Weekly Report: A written status report sent weekly, including:
Status of previous or currently open activities and deliverables;
New questions or emerging needs;
Weekly (ad hoc) call to review project progress, project barriers, service performance, vendor response and support, and other operational and security topics.
Monthly Status Reports: A written status report sent monthly, including:
A summary report that includes progress and status updates of technology security posture, and roadmap progress between reviews;
Status of previous or currently open activities and deliverables;
Number of project hours remaining;
New questions or emerging needs;
Plan for recommended corrective actions.
Annual Policy Review: A set of updated information security and data protection policies that are required for compliance and for increasing cybersecurity maturity awareness at your organization;
Annual Cybersecurity Strategic Plan review/development.
**Travel requests for on-site in-person activities will be determined and authorized by the client organization.
vCISO | Platinum | The vCISO Platinum solution offers the following:
◾ The "Platinum" solution supports a subset of best practices for an overall cybersecurity program, and is offered at a lower investment relative to the vCISO Diamond offering.
◾ vCISO executive-level advisory and consulting services on retainer.
◾ Set number of hours (generally up to 78) of general information security, cyber security, and GRC consulting and advisory services, provided by phone, email, video conference, and/or in-person.**
◾ Consists of periodic occurrences and deliverables.
🔺 MONTHLY:
Status of previous or currently open activities and deliverables;
Number of project hours remaining;
New questions or emerging needs.
🔺 ANNUALLY:
Annual Policy Review
🔺 DELIVERABLES (Minimum)
Monthly Status Reports: A written status report sent monthly, including:
A summary report that includes progress and status updates of technology security posture, and roadmap progress between reviews;
Status of previous or currently open activities and deliverables;
Number of project hours remaining;
New questions or emerging needs;
Plan for recommended corrective actions.
Annual Policy Review: A set of updated information security and data protection policies that are required for compliance and for increasing cybersecurity maturity awareness at your organization.
**Travel requests for on-site in-person activities will be determined and authorized by the client organization.
vCISO | Gold Add-ons | vCISO Add-on solutions include the following:
◾ Annual Penetration Testing
◾ Annual IR Plan Tabletop Exercise
◾ Annual Security Awareness Training Materials and Training Session
🔺 Annual Penetration Test
A report detailing the penetration testing methodology as well as the findings and remediation recommendations identified during the testing, including:
Discovered vulnerabilities and weaknesses;
Exploited vulnerabilities and weaknesses;
Remediation and mitigation recommendations.
🔺 Annual IR Plan Tabletop Exercise (TTE)
One (1) day virtual exercise designed to identify weaknesses in the IR program and to familiarize staff with their responsibilities in the event of an incident.
Report with Table of Findings and Recommendations:
A written report summarizing the results of the TTE, including a Table of Findings and Recommendations for improving the Incident Management Program.
🔺 Annual Security Awareness Training Materials and Training Session
Security Awareness Training curriculum materials that can be used in whole or integrated into your existing content.
Up to two (2) virtual training sessions.