Budget Denied: Information Systems Security Officer Role
November 24, 2020
Cyber Security
We spend most of our time talking with small businesses that do not have an Information Systems Security Officer. In fact, most small businesses we work with have never contemplated getting one. ZipRecruiter describes the Information Systems Security Officer role as having an average annual salary of approximately $108,686/year and the following responsibilities:
"An information systems security officer (ISSO) protects the IT infrastructure of companies, organizations, or agencies. Your duties include taking proactive security measures, assessing risks, and responding to security breaches."
So why aren't small business owners on the hunt for talented cybersecurity professionals to fill a role of this title and description?
What We Choose to Afford
Our clients are most often small-but-growing companies that are deep in the process of figuring out how to manage their balance sheet in a manner that makes it possible to fund their product development, operations, sales, and marketing initiatives. That's challenging enough as it is, without layering on the burden of finding budget headroom for specialized cybersecurity staff members.
Often our clients have Chief Technology Officers (CTOs), but they rarely have Chief Information Officers (CIOs), and they almost never have Chief Information Security Officers (CISOs). Given that, they never have Information Systems Security Officers (ISSOs). So who "protects the IT infrastructure"? Who takes "proactive security measures"? Who assesses risks? Who responds to security breaches?
In the types of growing small businesses that we work with, there are no specialized cybersecurity professionals on hand to do all of those things.
Expertise At Less Than $108,686/Year
It's safe to say that the growing small businesses that lack an Information Systems Security Officer aren't naive to the idea that there is value in protecting their organization from cyberattacks. The typical storyline of a company that finds its way to our doorstep is one of having a heightened awareness of one or more cybersecurity risks, plus a precipitating event that leads the company to take cybersecurity more seriously. But not $108,686/year more seriously. They don't have that in the budget (and sometimes, they don't have that in their bank account at all).
That's where we step in. There are good, affordable, low-effort ways to mitigate a bunch of cybersecurity risks that a bigger company might have an ISSO handle. For example:
- Assessing Risks: All of our work as a company is predicated on working with clients in a manner that starts with a contextual understanding of the client's risk exposure, risk tolerance, and currently unresolved cybersecurity struggles. That initial conversation becomes the basis for crafting policies and plans that button up the unacceptable risks. The policies and plans become the basis for selecting a set of tools and processes that allow the team to comply with the policies. The tools and processes unlock the ability to gather evidence of strong cybersecurity practices suitable for review by auditors, enterprise clients, and institutional backers. All without having an ISSO.
- Taking Proactive Security Measures: As any cybersecurity professional will tell you, proactive/protective measures are often an order of magnitude less expensive than the reactive cleanup and remediation that would be needed if a cybersecurity incident were to occur. For example, proactive measures like strong G Suite configuration practices (e.g., MFA, external sharing limitations, a least-privilege file-sharing approach) can dramatically reduce the likelihood of unintentional information disclosure, whether by accident or due to a cyber criminal's efforts. We're glad to help with those protective measures, and in the particular example of G Suite configuration we have an entire portion of our solution designed to provide guidance on G Suite configuration best practices (our Guidance Assistant).
- Protecting IT Infrastructure: One of the first things that we help our clients orchestrate is an enterprise-grade managed web vulnerability scan, which comes with various port scans and crawlers. Want to protect your IT infrastructure? A starting point is conducting a sophisticated vulnerability scan and evaluating the critical, high, medium, and low vulnerabilities it discovers. It's a lot easier to protect IT infrastructure when the effort begins with a baseline understanding of the current scope of vulnerabilities. Havoc Shield clients get this as part of their onboarding.
- Responding to Security Breaches: We hate to see it happen, but even the best-managed organizations find that they still remain the target of cyber criminals. For organizations that do not have an Information Systems Security Officer, the moment that an intrusion is detected is a harrowing moment indeed, especially for organizations that also lack a CIO. It's in these moments that it helps to have a Virtual CISO (Chief Information Security Officer), like the service offered by Havoc Shield, so you can pull in an experienced cybersecurity professional for strategy-level advice about how to orchestrate a response to the incident that occurred.
Want to go deeper on any (or all) of these areas, but don't have $108,686 in your budget? Drop us a line; we'll be glad to help with all of the above items.