Updated: Jul 22
By Ben Card, CIPM, PMP, CISSP
Much attention has been focused on whether or not Colonial Pipeline had devoted enough resources to cybersecurity in the time leading up to the ransomware attack that crippled its East Coast services. Many in the media (see here or here) have written about how Colonial had openings for both a risk management leader and a manager of cybersecurity. Individuals in such roles can either operate independently or be unified under a Chief Information Security Officer (CISO). None of the candidates for any of the positions listed comes cheap. The old saying that "the only truly secure organization is one that does not exist" remains valid in most endeavors, but some organizations draw the wrong conclusion from it and assume that investing in security is therefore not worthwhile. This mindset tends to hold many teams back from accomplishing the critical objective of building a robust security management program, one that is validated by obtaining a security certification or attestation such as ISO 27001, HITRUST, a SOC report under SSAE 18, or a FedRAMP authorization.
Yes, a company like Colonial should hire a full-time CISO or other risk management and compliance professional to construct a comprehensive security program. But skilled CISOs are scarce, and it may not be necessary to have such a professional on staff year-round. Just as many companies realize economies of scale by using cloud-based software and services rather than building and running their own, outsourcing to a seasoned security professional on a fractional basis brings savings by paying only for the hours spent on the security issues at hand. The FISO, or Fractional Information Security Officer, can manage the hours needed to develop a security program, interface with external auditors for certifications, and represent the state of security to the Board and executives without sending the budget into the red.
"The FISO, or Fractional Information Security Officer, can manage the hours needed to develop a security program without sending the budget into the red."
Webcheck Security is a premier provider of FISO consultants. These professionals have years of experience as CISOs, engaging with teams to craft security policies that make sense, implement security tools and procedures that are sustainable, and take the stress off the organization's leadership when it comes to external and internal audits. Nothing can strengthen a team's security maturity quite like striving for a security certification! While it is true that the world is facing a shortage of capable cybersecurity professionals, no one need feel that they cannot afford to get the help they need. A FISO can be hired today to make the reasonable cybersecurity efforts that customers, as well as federal and state regulators, expect.
To learn more about FISO services click here.