What does a typical vCISO engagement look like?

It varies somewhat based on the organization’s need. The overall structure stays the same, however. Audit Liaison will lead the audit and compliance efforts including creating a Security Committee, Risk Management Committee (in smaller organizations, these are often the same), and lead all efforts related to maintaining an information security framework and staying compliant with laws, regulations and requirements of whatever audit standards with which the client wishes to comply.

The basic tasks include facilitating and documenting the annual risk assessment, performing periodic testing to validate the operating effectiveness of the controls, facilitating and documenting the minutes for the Security and Risk Management Committees, assisting in investigating and documenting suspected security incidents, conducting annual Security Awareness Training (if needed), and creating and/or maintaining a customized set of comprehensive Information Security Policies and Procedures. Finally, we work with the control owners ahead of any audits to pull the audit request items, pre-audit the evidence and provide feedback, and then work directly with the independent auditors to help ensure a smooth, and relatively easy on the client, annual audit or audits.

Additional services available include cost-effective penetration testing and vulnerability scanning, security incident investigations, and we’re in the process of offering Security Operations Center as a Service where we’ll monitor the production assets and applications for security events and provide required responses in conjunction with internal client resources.