The benefits of an independent Chief Information Security Officer

Cyber and information security readiness is high on the agenda of all executives. However, the ability of these executives to address their ongoing cyber security needs varies drastically.

The majority of larger organizations have an internal Chief Information Officer (CIO) who leads all IT-related efforts, including cyber and information security. These CIOs rely on a Chief Information Security Officer (CISO) to manage their internal and external cyber security teams. These teams comprise professionals, both internal and external, who address issues ranging from ongoing system configuration and monitoring to development and upkeep of information security and privacy policies.

Most middle-market firms, especially smaller ones, do not have a CIO. Some do not even have an IT manager on staff and thus rely heavily on their outside IT providers for ongoing maintenance and support of their systems. In these organizations, given the limited nature of internal resources, cyber and information security issues tend to be dealt with in a less than optimal fashion.

Smart Business spoke with Sassan Hejazi, director of technology solutions at Kreischer Miller, about how middle-market companies can implement cyber security protocols in an effective fashion.

Why might an outside IT provider be ill-equipped to fully protect an organization?

Many executives of middle-market organizations equate cyber and information security with basic IT management, and as such assume their IT providers are performing all the necessary security-related activities as part of their normal IT support contract. Most IT service contracts, however, only cover basic security-related matters, such as virus protection and general-purpose application version updates, and do not get into reviewing each client’s unique business information management and classification processes and applicable cyber risk issues.

Who should companies work with to create and maintain a cyber security program?

An independent CISO provider has a team and the right tools in place to assist an organization and its internal and external IT teams with the same type of service that larger organizations use, but at a fraction of the cost. The independent CISO will be responsible for acting as the subject matter expert in areas such as conducting risk assessments, identifying gaps, recommending remediation solutions, assisting with development and delivery of updated policies and procedures, and delivering applicable training solutions. The independent CISO team will also be responsible for conducting periodic validations, such as penetration tests or war-game exercises, to test and validate defenses and assist the organization and its internal and external IT teams with lessons learned and applicable improvement efforts.

This kind of relationship is successful only if there is an empowered representative from the IT team and another from non-IT within the organization able and willing to participate and take ownership of the cyber security process. The IT provider representative will ideally be the lead system engineer assigned to the client organization who is familiar with their overall systems and acts as the IT support advocate for the client organization. The client organization will also need to have at least one individual, preferably two — one IT if there is an internal IT team or person, and one non-IT, usually the highest-level finance officer, such as the controller or CFO — who will act as the organization’s cyber advocate.

How should executives stay connected to the cyber security process?

The independent CISO team will be working closely with all involved parties in establishing an effective and ongoing cyber and information security program. This will require periodic meetings to review, plan and execute cyber-related activities, as well as quarterly or semi-annual executive meetings to update the executive team regarding the latest developments in the field and what steps could be taken to address such concerns. This approach will lead to the implementation of the core components of an effective cyber and information security enterprise risk management program as practiced by larger firms, but one that has been adjusted to fit the needs of a middle-market organization.

Insights Accounting & Consulting is brought to you by Kreischer Miller