It’s a common problem, and one we see all the time here at BTB Security. We conduct an annually required penetration test or security assessment for a client and identify important security gaps that need to be addressed. A basic, and frequently encountered, example of such a gap is that too many employees have been granted unnecessary access to sensitive applications or data. The client takes some basic steps and believes the situation has been addressed but, when we return to do another assessment the following year, we find the same access control issue.
What the client actually fixed were the symptoms, not the root problem. Their IT team cut off the access that had been granted to certain employees, which addressed the problem on the surface. But, without fixing the underlying issue – the faulty onboarding process for new employees – they continued to grant unnecessary access to a new group of people.
This pattern plays out in a variety of ways in many companies. The reason: No single individual in the company is responsible for its overall security stance. Some companies make security part of an IT person’s job, but operational duties usually force security to the bottom of their priority list. What’s more, such a person tends to be more tactical, often putting out immediate fires, rather than being strategic and proactively identifying root issues. The result: even though companies spend good money to improve their security, the same problems keep cropping up.
Every company needs a Chief Information Security Officer (CISO). A dedicated security executive, the CISO reports directly to senior leadership and/or the board of directors and is responsible for setting and overseeing the policies, standards and procedures that keep the company compliant with regulations and within the tolerance of its risk appetite. It’s an important role and one that should not be overlooked.
However, small- and midsized companies often hesitate to create such a position. First, it’s expensive: typical CISO salaries range from $200,000 to $300,000 annually. But, more importantly, companies may not know how or where to start when creating the position. Often, corporate leadership recognizes the need for better security, but isn’t sure exactly what that entails. That makes it hard to go out and hire the right CISO, or effectively promote from within.
That’s why BTB created its CISO Advisory Practice, which helps clients create, implement and maintain practical, effective information security programs tailored to their business. On a part-time basis, yet fully integrated into the client culture, BTB provides a CISO-caliber person to work with the organization’s existing security personnel and collaborate with other functions like HR, Legal and Compliance, in addition to Information Technology. This individual identifies security needs, sets strategy and puts the right procedures in place by coordinating the implementation of any additional technologies or processes required and maintaining the program – all in alignment with the company’s business strategy. Some clients use the service long-term instead of hiring their own full-time CISO. Others use it as an on-ramp to hiring their own CISO, in which case BTB helps them build and implement a strategic security program, then helps them recruit, vet and hire the right candidate.
When hiring, you’ll often find that there are plenty of candidates with technical expertise, but the key to finding a good CISO is getting someone who views the role as a business function, not just a technical one. Because BTB already knows the client’s business, and because we have helped design the security program, we have the expertise to help identify the best candidates for that particular client.
BTB’s service doesn’t end once a client hires their new CISO. BTB stays involved to help transition the new CISO into the role through training and coaching. By helping to match the right candidate with the right company, then making sure everyone works well together, we help the client achieve effective, long-term, strategic security.
To learn more about BTB Security and how we can help your organization improve its security posture – whether through our CISO Advisory Practice or for other security needs – visit us at www.btbsecurity.com.