For many organisations, hiring a dedicated CISO is a big step toward building a comprehensive information security programme.
Many organisations are not ready to hire a full-time CISO or have not fully defined what a successful CISO’s responsibilities look like within their organisation. However, these organisations still need the strategic guidance and knowledge a traditional CISO brings to the overall security strategy.
In this video, Ashley Ferguson, Global Director of Executive Advisory Services, covers SecureWorks Advisory CISO Services. This comprehensive service is delivered out of SecureWorks Executive Advisory Centre and includes the strategic components that a normal CISO would deliver, but from a collective pool of former CISOs that utilise a network effect of knowledge sharing and the latest threat intelligence to help your organisation with:
What You Will Learn:
- Security strategy development
- Intelligence integration
- Industry expertise
- Board and Executive briefings
- On-site presentations and strategy sessions
Our Advisory CISO Services are really trying to change the way this has been traditionally done in the environment. We don’t look at this as something in terms of staff augmentation. We really look at it as something where you’re getting the advisory capability of a CISO, as if you had a CISO on your team.
I don’t think that having someone physically on site every day equates to having that capability. What you want is the leadership, the direction, the planning. The whole process involved with a CISO but you’re not wanting to hire just one person.
And so I look at it very similarly as to why someone would utilise SecureWorks for security. They don’t do that to purchase one person from SecureWorks; they do that to have the capability to have all of the intelligence of SecureWorks. And so that’s what we’re trying to bring to our clients with our Advisory CISO Service. Yes, it could involve someone coming on site periodically. We have clients that utilise the service to come and make their board presentations quarterly, or to help them prepare for their services. It’s really the ability to have the advisement of a CISO, but not have them sitting in the day to day… day-in exercises of the company but really focus on the things that make you better from a risk and security perspective, from a CISO perspective.
I think there are a lot of services out there. The CISO in a box, there’s things that people are frustrated with, and things that we saw in those offerings from other peers out in the industry. We’ve tried to take a lot of that confusion and frustration of purchasing someone to sit in your office, or purchasing pieces that really were not necessary, and try to customise and remove those items for clients to really make it something that’s going to really help improve their programme and reduce the risk to their business.
So for example, we had a client, approximately $2 billion in revenue, that really recognised the need to have security and, really, a risk-based approach to their security, but wasn’t quite ready to hire a chief information security officer. They were considering it, but weren’t even really sure what they were going to need in that role. So they brought us in to speak to their board, plan out what they need to be doing with their programme. It consists of quarterly updates to their board. Some intelligence driven specifically for them, but also helping them design what the role would look like, as they try to pursue and bring that role in permanently. Or there’s the potential that it will be something that we continue to do for them. We try to approach this in a way of, ‘Let’s do what works best for you as a company.’
So whether it’s something that we do for you continually each year, or if it’s something we are helping you figure out what is the right approach for you, for that role, it’s really designed to help people bridge that gap. Because I think, that’s one of the things we’ve seen as former CISOs in the industry, is that some companies haven’t even made the realisation that they need that role and they are suffering for it. Then there are others that have the role, but it’s more from an ‘in name only.’ And there are others out there that they’re not called a CISO but they have that role and they have other things that they have on their plate. And so trying to take that client experience in and bring them something that can help them improve overall and provide them that service is really where this mostly applies to clients that are out there. Seasoned clients that have CISOs is probably not the right service for them, but I think those that are trying to either bridge the gap, would like to be able to have all the expertise of experience without trying to take their chances on one person, it’s a great way for them to receive that service.