Back in the bad old days there were lots of IT job roles.
We had people to manage Solaris (but not Linux) servers, people who managed Cisco (but not Juniper) kit, people who managed Oracle (but not SQL Server) databases and on and on…
Now it seems all we need is developers.
The most effective QA these days is automated via software.
With The Cloud we don’t manage hardware any more and with emerging approaches like Software Defined Networking the need or opportunity to get up close and personal with underlying infrastructure is getting increasingly rare…
Genuinely effective software that writes software is a little way off so I think the message is that if you want to enter or thrive in the IT job market these days add coding to your skill set (whatever your current role).
You might actually enjoy it as well…it really is a creative process and very satisfying.
If you’re more of a platform services sort of person, learn golang. It rocks and is taking over the server-side programming world…see here
Interim CISO: Can occasional information security leadership work for your organisation?
How an interim CISO service can drive strategic information security governance, risk and compliance.
At a time when organisations are facing greater cyber threats than ever, the information security industry claims to be facing deepening skills shortages. Imminent regulation in the form of the General Data Protection Regulation (GDPR) and recent increases in fines for data loss show that it’s not just hackers that put organisations at risk, and the threat landscape itself is changing rapidly with cloud and mobile workforce technologies still not fully mature or widely accredited.
“It’s obvious that information security is an area where we can’t afford to stand still,” says Phil Cracknell, Interim CISO and Security Partner at interim.team.
“IT projects are regularly kicked off to expand services, to save money, or just to keep equipment supportable and every time something changes you introduce new risks. That’s why security has to be driven strategically as part of every transformation programme.”
Cracknell, who was previously chief information security officer (CISO) of Nomura Investment Bank, London City Airport, TNT Express and Yell Group plc, has first-hand experience of the challenges involved.
“It’s not just security transformation that calls for someone with clout. You can’t afford to be without a CISO if there’s a sudden need to respond decisively to a breach, and given the legal and regulatory burdens increasingly faced by businesses it’s critical to have information security representation at board level.”
“The trouble is that unless you’re a large organisation, your CISO can end up twiddling their thumbs a lot. Strong leadership is essential, but the reality is that most firms simply don’t need someone working at that level day-in, day-out. Even assuming you need someone full time, simply finding candidates of a suitable calibre is increasingly difficult.”
The requirements for an interim CISO
Many organisations already have a Chief Information Security Officer (CISO) or equivalent head of department. As with many senior or executive roles, the tenure is often between 18 months and three years, and as such there are periods where either you have no one in the role of CISO, or you are getting a new hire up to speed and processing the exit of a previous security leader.
The interim CISO role can help augment your existing information security management, coach them, assist in specialist projects where your incumbent has little or no experience and, of course, act as an extra pair of hands during hectic times (annual audits, PCI compliance, cyber breaches).
GDPR clearly stipulates that any business over 200 people in size must have a Data Protection Officer who is an ‘expert’ in the relevant disciplines. It is no longer acceptable to allocate that responsibility to a nominal individual from HR or Legal as many companies do. This is another great example of changing landscapes and how interim.team can help.
At gro.team we have world-class CISOs available on a short-term, part-time basis, to whom you would have 5-day email and telephone access, supplemented by on-site presence; depending on location this could be for board meetings, strategic presentations or simply a half day at a desk helping cover vital information security matters.
Our interim CISO service can:
Protect business and manage risk inherent in any IT transformation
Ensure legal and regulatory IS compliance and preferred practice
Offer immediate leadership to deal with security incidents and breaches
Address security skills shortages
Provide the best-value solution for organisations that cannot justify a full-time CISO
Impart strategic advice to address business priorities and evolving security threats
Objectively chair information steering committees
Represent information security at board level
Interface with regulators, banks and other compliance regimes
Provide input to information security and IT architecture and design
Deliver information security projects, including programme management and technical resources
Manage security services protecting against threats and vulnerabilities, and security assessment services such as penetration testing
Retaining interim CISO services provides access to a highly-qualified security professional who can provide advice and assistance whenever it is required.
Cracknell has led the development of interim.team’s interim CISO services, and acknowledges that the same skills are in demand for both interim and part-time roles.
“Retaining an interim CISO is essentially a timeshare arrangement; you’re buying ready-made, off-the-shelf seniority, experience and accountability, but sharing it consecutively or concurrently with other organisations. It’s a very efficient model, well-established in other roles. As with an interim or outsourced chief finance officer, for example, the objective is to protect your business and to help manage risk as it develops.”
The interim CISO service is easily extended so that when not scheduled to be in the office the person is immediately available by telephone or email to provide an apparent CISO function for events, incidents and during security crises. Strict confidentiality agreements ensure customers, partners and even staff need not be aware that the individual is working on a retained basis.
“At the heart of the service is strategic advice around future development of security within the organisation,” says Cracknell. “An interim CISO enables you to respond to changing business”
“Our interim CISOs are seasoned security experts, able to architect and design solutions, direct management and technical resources to deliver projects faster and at lower risk, and who are fully conversant with security assessment practices like penetration testing and managed threat and vulnerability services.”
According to Cracknell, organisations often focus on technology solutions without considering the wider security context. “It’s not just about making sure your cloud data can’t be hacked. It’s critical that security is baked into your culture and that users are educated. Take data loss prevention; you may have tools in place to stop data leaking, but unless there’s a policy-led approach the sheer number of false positive results can make it worthless. An interim CISO has a broad remit that includes making sure areas like this are properly addressed.”
How do I cover the cost of an interim CISO?
The interim CISO service is subscription-based, according to the client’s expected demand. Compared with hiring a permanent CISO it offers substantial savings to organisations that need senior-level skills but cannot justify a full-time employee.
Cracknell concludes: “By retaining an interim CISO – even for just a few hours or days a month – you have access to a highly-qualified security professional to provide assistance whenever it is required. For organisations where security is a cornerstone of the business continuity strategy, the commensurate reduction in risk to the business should far outweigh any cost consideration.”
gro.team wants to make the world a more successful place…person by person, company by company. If you need a high-impact interim to deliver your change agenda, give us a shout here.
“On behalf of the team here at I want to personally thank interim.team for the amazing impact you had in just a few hours in this office. I appreciate you giving credit to the development team for arriving at the deliverable MVP, but in all honesty we would never have arrived at this point had it not been for your intervention.” – Jessica Sachs Head of Product and Operations Sportdec.
Unlike the Directive, the GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk” including:
The pseudonymisation and encryption of personal data.
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – not only do you need to have systems in place to keep information secure, but systems to keep it available
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident – what back up processes do you have in place? How resilient are your systems? Do you need to upgrade?
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing – what ongoing monitoring and testing do you have in place?
If any of this is of any interest, why not give us a shout at firstname.lastname@example.org or 0800 246 5735 for a friendly, informal chat about your GDPR needs?
Similar to the old Data Protection Act, under the new General Data Protection Regulation (GDPR), data controllers and processors are required to “implement appropriate technical and organisational measures” to keep data secure.
They should be taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing” as well as the risk in terms of “likelihood and severity” of a data breach – sounds prescriptive but suitably vague? It is, and it doesn’t end there…more to follow.
As part of our mission to help make people successful we’re going to start creating presentations, documents, “one pagers”, spreadsheets etc that you might find useful.
We’re going to kick off with a hiring one pager which reminds us of the three axes we hire against (ability/intellect, ability to work in a team and impact focus) with sample interview questions and scoring boxes. The .pdf can be found here (Give us a shout if you’d like an editable .ppt or Slides link).
Please feel free to suggest any “things” that we could create to help you and we’ll see what we can do.