vCISO Services

vCISO Services, LLC (833) VCISOSV (833-824-7678)

Virtual CISO as a Service (vCaaS)

Services

Ongoing virtual CISO services plans start at $3,000 per month and are offered over several levels, based on estimated resource hours:


  • Virtual CISO Bronze: For small businesses requiring minimal but consistent virtual CISO services, including customer and partner questionnaire support, information security program creation and management, annual information security training, annual business continuity table-top exercise, external vulnerability assessments, and an annual qualitative information security risk assessment.
  • Virtual CISO Silver: For small and midsized businesses requiring more complex virtual CISO services. Includes all the features of Bronze plus annual SOC2 or similar audit support; compliance with regulations and standards such as NIST-CSF, CMMC, PCI, or HITRUST; annual IT security assessment; chairing a quarterly governance committee; and third-party critical vendor reviews.
  • Virtual CISO Gold: For midsized businesses over 300 employees with the complexity to require the features of Silver but at a greater volume of virtual CISO services. Includes managed KnowBe4 training services (license fee extra).
  • Virtual CISO Platinum: For midsized businesses requiring virtual CISO services beyond the Gold level. Includes managed eramba GRC services (license fee extra).
  • Virtual CISO Diamond: Short-term (less than three months) full-time virtual CISO. Contact us for details.


Note that these are examples. Each level is customizable depending on industry and engagement goals.


Examples of specific services include (each is available as a standalone managed package; prices quoted are minimums and depend on scope and complexity):


Managed Governance, Risk, and Compliance (GRC) Services: Our managed eramba GRC service enables tracking and dashboard reporting on information security risks, compliance with various frameworks and regulations, asset management, incidents, and more. Requires a one-year commitment. Starting at $5,000/yr.


Training: The human is the weakest link. As a KnowBe4 partner, our virtual CISOs provide and manage online training to further your organization's information security awareness, reducing the risk of an information security incident caused by human error. Requires a one-year commitment. Starting at $3,000/yr.


Information Security Risk Assessment (Qualitative): Information security is, at its core, risk management. Risks must be identified and prioritized so as to efficiently apply resources for mitigation. An Information Security Risk Assessment (ISRA) is the tool for managing and communicating risks to executive management and the Board of Directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address. A virtual CISO will create and manage a complete and sustainable ISRA process. Starting at $15,000.


CMMC, NIST-CSF, PCI-DSS, HITRUST, FFIEC CAT/ACET, SOC2, ISO 27001/2, and Other Framework Gap Analysis: Compliance does not equal security, but is necessary to demonstrate the viability and effectiveness of the security program. We have a documented, solid history of building security programs aligned with many frameworks, including the ones above. Whatever the regulation or standard your organization needs to comply with, our virtual CISOs and information security risk analysts can get you there. Starting at $9,000.


Quarterly Governance Committee: A fundamental but often overlooked aspect of information security programs is a quarterly governance committee, led by our vCISO and involving business unit leaders and executives organization-wide. The C-suite and the Board of Directors can only make risk-informed decisions if they understand information security risks, and a quarterly committee facilitates that communication. Our vCISO can present once annually or every quarter. Starting at $3,000.


IT Security Assessments: Does your firewall ruleset make sense? Are your other IT controls maximized for protection? Our experienced virtual CISOs and risk management analysts provide an independent review to verify IT controls or recommend changes, all while not impeding business operations. Starting at $9,000.


Information Security Program / Policy Creation and Implementation: The Information Security Program document and associated policies form the foundation of an organization’s information security program. However, a policy downloaded from the internet that does not take into account the unique operating environment of your organization is not only useless, it can become a liability. A virtual CISO or risk analyst will design policies and standards (including RACI charts if desired) to match your organization’s need and culture. Call for quote.


Business Continuity Plans and Table Top Exercises: Stuff happens. Your business needs to survive unintended events. We script different scenarios for clients each year. In 2019, the exercise focused on a pandemic, which prepared our clients for the improbable COVID-19 pandemic in 2020. Let one of our virtual CISOs work with you to create meaningful BIAs and conduct effective table-top exercises to ensure continuity of operations, whatever the cause for the interruption. Starting at $9,000 (table top only).


Third-Party (Vendor) Reviews: Migrating to a cloud provider does not absolve an organization of its cyber security responsibilities. Controls must be assessed and confirmed to align with the corporate risk tolerance. Our virtual CISOs' and risk analysts' years of experience reviewing vendors make vendor information security reviews simple and complete for your business. These reviews are an essential element of proper information security risk management. Starting at $5,000.


Network Vulnerability Assessments (External) and Basic Web Application Scans: Testing is the first step. Knowing what to prioritize in remediation and what compensating controls may work better than rectifying the primary control gap can save time and cost and add efficiency while increasing security posture. Starting at $200/month.


Penetration Testing: Testing exposes vulnerabilities; penetration testing attempts to exploit those vulnerabilities. May be added to any package for an additional fee, based on scope of services desired and environment. Call for pricing.


On-Demand Incident Response Services: When an incident occurs, timely response is critical. Call for pricing.


Data Mapping Exercises: Where is your data? How is it protected? A data mapping exercise led by a virtual CISO skilled in privacy concerns will answer these questions and reveal gaps in controls - and is required for GDPR. Starting at $10,000.


Other Items: Don't see what you need? Let us know, we may be able to assist.


Call us at (833) VCISOSV (833-824-7678) for a free virtual CISO consultation. Virtual CISO services are available within the United States and beyond; inquire for details.



vCISO Services, LLC - A leading provider of vCISOs

Copyright © 2022 vCISO Services, LLC. Veteran Owned. All Rights Reserved.

231 Public Square Suite 300

Franklin, Tennessee 37064

(833) VCISOSV (833-824-7678)
