Skip to content

Virtual CISO Silver

Virtual CISO services for small and midsized businesses requiring more complex information security and cybersecurity services.

Our most popular subscription level overall, Virtual CISO Silver is best suited for businesses that have similar needs to those suited for Virtual CISO Bronze but have additional needs such as annual audit requirements (e.g. SOC2) and/or training program implementation and management (KnowBe4). Your virtual CISO will manage all aspects of your information security program, including governance activities such as annual board reporting and quarterly strategic security committee meetings. Example services are included below; we will tailor the program for your specific needs.

  • Customer and partner questionnaire support (Vendor Risk Assessments)
  • Information security program creation and management
  • Annual information security training
  • Annual business continuity table-top exercise
  • External vulnerability assessments
  • Annual qualitative information security risk assessment
  • Annual SOC2 or similar audit support
  • Compliance with regulations and standards such as NIST-CSF, CMMC, PCI, or HITRUST
  • Annual IT security assessment
  • Chairing a quarterly governance committee
  • Third-party critical vendor reviews

Service Examples

The above included services are examples only and is based on resource needs. Services can include:

cyber risk management 18

Our managed eramba GRC service enables tracking and dashboard reporting on information security risks, compliance with various frameworks and regulations, asset management, incidents, and more. Requires one year commitment.

The human is the weakest link. As a KnowBe4 partner, our virtual CISOs provide and manage online training to further your organization’s information security awareness, reducing the risk of an information security incident caused by human error. Requires one year commitment.

Information security is, at its core, risk management. Risks must be identified and prioritized so as to efficiently apply resources for mitigation. An Information Security Risk Assessment (ISRA) is the tool for managing and communicating risks to executive management and the Board of Directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address. A virtual CISO will create and manage a complete and sustainable ISRA process.

Compliance does not equal security, but is necessary to demonstrate the viability and effectiveness of the security program. We have a documented, solid history of building security programs aligned with many frameworks, including the ones above. Whatever the regulation or standard your organization needs to comply with, our virtual CISOs and information security risk analysts can get you there.

A fundamental but often overlooked aspect of information security programs is a quarterly governance committee, led by our vCISO and involving business unit leaders and executives organization-wide. The C-suite and the Board of Directors can only make risk-informed decisions if they understand information security risks, and a quarterly committee facilitates that communication. Our vCISO can present once annually or every quarter.

Does your firewall ruleset make sense? Are your other IT controls maximized for protection? Our experienced virtual CISOs and risk management analysts provide an independent review to verify IT controls or recommend changes, all while not impeding business operations.

The Information Security Program document and associated policies form the foundation of an organization’s information security program. However, a policy downloaded from the internet that does not take into account the unique operating environment of your organization is not only useless, it can become a liability. A virtual CISO or risk analyst will design policies and standards (including RACI charts if desired) to match your organization’s need and culture.

Stuff happens. Your business needs to survive unintended events. We script different scenarios for clients each year. In 2019, the exercise focused on a pandemic, which prepared our clients for the improbable COVID-19 pandemic in 2020. Let one of our virtual CISOs work with you to create meaningful BIAs and conduct effective table-top exercises to ensure continuity of operations, whatever the cause for the interruption.

Migrating to a cloud provider does not absolve an organization of its cyber security responsibilities. Controls must be assessed and confirmed to align with the corporate risk tolerance. Our virtual CISOs’ and risk analysts’ years of experience reviewing vendors make vendor information security reviews simple and complete for your business and are an essential element of proper information security risk management.

Testing is the first step. Knowing what to prioritize in remediation and what compensating controls may work better than rectifying the primary control gap can save time and cost and add efficiency while increasing security posture.

Testing exposes vulnerabilities; penetration testing attempts to exploit those vulnerabilities. May be added to any package for an additional fee, based on scope of services desired and environment.

When an incident occurs, timely response is critical.

Where is your data? How is it protected? A data mapping exercise led by a virtual CISO skilled in privacy concerns will answer these questions and reveal gaps in controls – and is required for GDPR.

Don’t see what you need? Let us know, we may be able to assist.