Andrew Lock is a Savanti vCISO (Virtual Chief Information Security Officer). He was a copper for 15 years, ending up in cybercrime detection, so when he left the police service, computer security was a natural progression for him. He says, "It was something I wanted to get into. I wanted to be pro-active and help businesses prevent intrusions, rather than react to them afterwards."
Andy works for two Savanti clients at the moment, performing high-level security oversight, to ensure the businesses are safe. He is working for The Chemistry Group and a very well-known Premier League Football Club.
No two days in a vCISO's career are alike, but their first task is usually to understand how the current system works and create a top-level security roadmap, then work with the client's people to implement it.
A typical security plan might consist of tasks like:
- Updating information security policies and standards
- Risk management oversight and reporting
- Audit checks on joiners, movers and leavers (JML), staff and asset inventories
- Review of security settings within SaaS services and systems for continuous improvement
- Third-party security assurance for key suppliers
- Internal audits of compliance with security policies, standards and processes
Pro-active Security Compliance for Businesses
Although Andy only works a few days for each client per month, he is available to respond quickly with advice for active security incidents. Generally, his work consists of ensuring compliance with standards and reporting to the company board, rather than front line security, which is usually covered by internal company staff.
Being pro-active means identifying security weaknesses, for example by simulating phishing attacks to find out where areas may be vulnerable. Being an outsider means he can have an overview, so "Things don't slip through the gaps between managerial responsibilities," as he puts it. He can also call on the expertise of numerous Savanti consultants and experts to advise on specific problems.
Andy administers both GSuite and Office 365 applications. Neither is superior – they have different ways of performing. He likes Google apps because they are straightforward to configure from a security perspective. Being part of the Savanti team gives him the ability to use existing digital security assets (including security assessments and security forms), and it helps him fast track entire security programmes.
Diagnosing potential security issues is an integral part of the job. Apart from the inevitable human errors of insecure passwords or clicking on malicious emails, there is the issue of third-party security: if a partner company has access to your network or handles your data, its security needs to be tight too, or malicious actors can gain entry through the back door.
Bad Things Happen to Good Companies
Multi-Factor Authentication (MFA) is becoming standard in this world of smartphones, tablets, and mobile access and is a must for any business, as passwords are so easily circumvented. Andy outlines his views, “You need to regularly review access to your systems and also use the right mobile device management system. For example, Microsoft Office 365 has Intune, so you know where your devices are at any time. You can wipe them remotely. You can stop certain information being copied and pasted from company applications. You can put in all sorts of different controls to scrutinise any misuse or data loss. But that can be quite challenging to administer.” Mobile Application Management (MAM) means that all devices and platforms can have appropriate levels of security, and that includes “Bring Your Own Devices” (BYOD) smartphones and the like, owned by the user rather than the company.
According to Andy, there is always a delicate balance to be found between the need for tight security and the ease of access and usability people need to do their jobs.
Andy says, "Your number one risk is phishing emails which could result in malware ingress into networks. People are busy and can be careless at times. They need educating to be aware of what not to click on, what not to upload and download." Proper training and security awareness need to be a KPI of all businesses, large or small, because the reality of cyber-enabled fraud can be very damaging. Nowadays, there is also the threat of a hefty fine under GDPR for losing customers' data. So there are genuine benefits to having a vCISO at board level who can advise on the best security practices and ensure they are implemented.
"A vCISO is a way for a lot of businesses to have this sort of security oversight, who don't want to employ a very expensive CISO or who don't need a full-time information security manager," Andy concludes.
Written by guest blogger - Julian Jackson
If you want to find out more about Savanti's vCISO service, click HERE.