Does Your Business Need a Virtual CISO?

The chief information security officer (CISO) plays a crucial role in guiding the business and technology strategies of an organization. CISOs combine technical subject matter expertise in cybersecurity with a thorough understanding of how organizations function at an executive level. This dual perspective allows the CISO to serve as a bridge between the world of cybersecurity and the business, helping business leaders understand and manage risks and helping technologists better contribute to business strategy.

Unfortunately, not every organization has the resources required to hire a full-time CISO. I spend my time working with healthcare organizations across the Pacific Northwest, and they often can’t afford a full-time hire and have difficulty filling the positions that do exist with qualified individuals.

I recently had the opportunity to work with a midsized hospital located in a rural area. The hospital’s CIO knew that the organization needed to take a more proactive approach to cybersecurity but didn’t have the resources to hire a CISO. She was very aware of the ransomware attacks that had crippled similar hospitals and wanted to take measures to reduce the risk theirs faced from emerging threats.

Fortunately, we were able to provide my client with exactly the type of service needed: a virtual CISO. CDW can provide organizations with access to a dedicated security expert who can guide them through the development and implementation of a cybersecurity strategy. All CDW consultants providing this service have real-world experience as CISOs and bring the magical combination of technical and business acumen to the table.

A virtual CISO has worked with this hospital for the past two years to dramatically improve the organization’s security posture. Here’s just a small sampling of what has been accomplished:

• Designed and outsourced a full cybersecurity gap assessment designed to identify areas for improvement
• Developed a concrete roadmap for remediating the vulnerabilities identified during that assessment
• Created a security awareness program for all hospital employees, educating them about security and privacy threats and their role in protecting the hospital, our patients and each other from cybersecurity risks
• Developed a formal incident response plan that will guide the hospital’s response to any future cybersecurity incidents
• Entered into a retainer agreement with an incident response firm to ensure that the hospital has 24/7 access to specialized expertise
• Built relationships with other technology leaders, helping them understand how cybersecurity efforts support their goals

There’s more to come. A virtual CISO can help organizations think strategically about security. My client’s biggest priority for the coming year is working closely with the virtual CISO to integrate cybersecurity into the hospital’s existing technology project management system. They are hoping to shift security planning into the early stages of new projects to better control costs and reduce the work necessary to retrofit systems to meet security requirements.

The CISO role is indeed critical to every organization, but not every organization is able to hire a full-time cybersecurity executive. In those cases, engaging a virtual CISO allows organizations to tap into a wealth of cybersecurity and business expertise without breaking their budgets.

Story by Nick Schurman, a CDW senior inside solution security architect who specializes in pre-sales design and consulting. He provides innovative network security solutions by leveraging years of industry experience and client interaction. Nick can articulate technical subject matter within all levels of an organization. He discusses long-term business objectives and crafts security solutions to solve business problems, not just technical problems.