The CISO Strategic Advisement Services were really designed with a concept in mind — Chris and I talked about this a lot — a CISO is either planning voluntarily or involuntarily. The idea is that you always want to be voluntary. Involuntary is when you’re planning due to a breach or an issue that’s come up, or the fact that an organization has finally made the realization that they need that change.
This program is really designed to work with you regardless of where you are in that process. Ideally, you’re planning from a voluntary perspective. You’re trying to really look at the strategy, building a program around your security that’s risk-based, that’s around your overall core business. Occasionally, there is the involuntary: we’ve had a breach, we had an issue, we really need to enhance our program to plan for that.
And so there are, obviously, certain assessments, certain controls, things that need to be put in place, from a policy/procedure level that we cover within our other GRC services. But you don’t want to neglect the overall planning from the strategic perspective, from an executive-level perspective of how you’re going to really build, and support that program, and also convey that program to your board and other executives, and how you are planning to approach. There’s always that need for metrics and really putting things in an operational view that your CEO will respond to, that your CFO will respond to, and that’s really where this program is designed to take you.
Without a strategy, you’re putting out trashcan fires when the whole building may be burning down. So what we do is actually help them create their plan. I’ve always said that one of the most important things — and Ashley and I have talked about this — is having a plan. Because if you don’t have a plan, you’re constantly in that tactical mode. With Strategic Advisory Services, we’re able to actually provide them the guidance to create their plan. And that plan is what’s going to make them successful as a CISO.
So an example of where this can assist, is we’ve seen organizations who’ve actually been in the involuntary situation through some very unique regulatory challenges. Having experienced a situation that was not necessarily a breach but maybe an employee or somebody may have made a mistake. We are able to come in through an engagement that may have originally been an incident response engagement and then help them build, through those building blocks, into the executive advisory piece and inevitably get to their planning piece, while addressing that immediate tactical situation they had. Because that tactical situation had to be addressed from the beginning. And getting them to a point where that three letter agency that they may have been dealing with was now satisfied with the direction they were going and the program they had put in place.
An example of a voluntary situation is simply just a vendor management program, where they’re trying to really handle the influx of vendors and the processes coming through, and wanting to improve that program. So they’re trying to — not because of something forcing upon there — but the growth and maturity of their program, and really looking for advice around how to make it the best.
The way that we look at that is obviously through the lens of a former CISO, but also through the lens of our vast team of consultants that are preforming a lot of these vendor risk assessments for clients. So what are really the best practices out there? What is the right way to do this? And dealing with simple things as far as what should your program look like. And what do you do when you have a vendor who comes in and submits a, ‘Here’s my package that I send to all of my vendors’ and you’re saying, ‘No, I know I need you to fill out my checklist,’ and they’re like, ‘Well we don’t fill out checklists.’ How do you respond to those things? So some of the things just around improving your program overall, can happen continuously outside of one of those incident response, involuntary breach, or regulatory issue situations.