Chief Executive Officer, Chief Operations Officer – these are just some of the C-Suite positions typically associated with corporate leadership. But some critical positions go beyond the corner office, like the increasingly essential Virtual Chief Information Security Officer (vCISO) or Virtual Chief Information Officer (vCIO). The primary goal of either position is to maintain information security protections and cybersecurity awareness for businesses and even private clients, and like the internet itself, these officers are unbound by physical restrictions. With ever-evolving cyber threats and now the COVID-19 pandemic, traditional network security just is not enough.
The Immediate Need for a Virtual Chief Information Security Officer or Virtual Chief Information Officer Amid the COVID-19 Crisis
Several weeks ago, we warned that cybercriminals would continue to leverage the U.S. stimulus checks as an opportunity for fraud. Unfortunately, mounting evidence shows this to be true. A recent piece from the New York Times details how identity theft – a practice made easier by data breaches – and phishing have rocked Americans. One 19-year-old from Indiana discovered on the IRS website that someone had posed as her to claim her $1,200 check – money she and her mother, who is recovering from COVID-19, desperately need.
Eva Velasquez, the chief executive of the Identity Theft Resource Center, a nonprofit based in San Diego that helps victims, said: “I’ve been in this space for over 30 years and I have not seen anything like this in my entire career … The scope, the scale, the speed and the efficiency of the scams is breathtaking.”
A vCIO or vCISO helps mitigate these risks in four ways. In short, they:
- Identify potential scam emails and train users on how to avoid them
- Protect personally identifiable information (PII), keeping it safe from data breaches and out of the hands of perpetrators
- Assess the risk, threats and vulnerabilities facing the organization, family office or family
- Develop and implement a risk-mitigation framework to secure digital assets
This includes business-related information that was once protected by business-class infrastructure in traditional brick-and-mortar locations but may now be housed on in-home devices and personal networks, a reality that is nearly inescapable as the world transitions to a work-from-home environment.
Common Risks Beyond the Pandemic
Though important now and into the near future, the work of vCIOs and vCISOs extends beyond the COVID-19 pandemic to mitigating several common cybersecurity risks, such as the following:
- Managed service providers (MSPs) often do not have expertise beyond basic support and typically lack the specialized knowledge required for robust cybersecurity. One reason vCIOs and vCISOs are so critical is that they vet any MSP before assigning it basic tasks, while the vCIO retains authority over more complex systems.
- Remote users connecting to offices are vulnerable, and now working from home is the “new normal.” vCIOs or vCISOs have several tools, such as virtual private network (VPN) configuration, to prevent intrusions.
- Attackers often target high-net-worth families and their offices for the biggest “payouts.” Children are particularly vulnerable. Even basic training, alongside best-practice mitigation tactics, can keep family members from interacting with potentially hostile communications.
- Understanding the risks facing your business, family office, or family directly is paramount. Assuming risk, or adopting protective measures without validation, will most certainly lead to loss of data or negative financial consequences of varying severity, and those losses often outweigh the cost of mitigation strategies put in place up front under a preventative model rather than a reactionary one.
Protect Yourself and Your Business
We currently serve as a vCISO or vCIO for several organizations, providing leadership, oversight and accountability for clients concerned about the risk to their digital assets. In this capacity, we focus on the key standards afforded by ISO 27001, COBIT 5 and NIST, as well as measurable metrics and key performance indicators, which allow organizations to align their risk appetite with cost-efficient and effective mitigation strategies.