In today’s business landscape, shaken by the COVID-19 pandemic and an increasing number of Cyberattacks, there is a lot of uncertainty to wade through. In an effort to control the situation, many companies hire a full-time staff CISO. While effective, hiring a CISO can be an expensive option due to paying a salary and benefits. A good alternative is to hire a Fractional Information Security Officer, or “FISO.”
FISOs are typically a part of a Managed Service Provider (MSP), along with the virtual Chief Information Security Officer (vCISO). Typically, a vCISO is hired on a full-time, contract basis and can offer staff augmentation services with their network of contacts. However, hiring a vCISO is often deemed expensive, especially in the eyes of a SMB. For that reason, many MSPs also offer Fractional Information Security Officer (FISO) services.
Scalable, affordable, and flexible services
As the name implies, a Fractional Information Security Officer is typically hired on an “as needed” basis and usually works part-time. You can hire a FISO for as long as you need them, at a fraction of the cost (hence the name) of what it would take to hire a full-time CISO. You can hire a FISO for just a few hours a week, or more as needed, depending upon your specific requirements. One of the key benefits of a FISO is that since they are typically hired on a contractual basis, you can end the contract and onboard them at a later date as needed. In other words, their services are highly scalable, unlike a full-time staff CISO.
What a FISO can do for your business
So, what can a FISO do for your business? Here is a just a sampling of the services they provide:
- Initiating an Assessment Program: Assessing the level of risk that your company can tolerate can be a complex process. With the breadth of experience that the FISO can bring to the table, within just a matter of hours, they can draft a Risk Assessment Analysis in order to determine where the hidden vulnerabilities exist from within your IT and Network Infrastructure. They will also take each digital asset that you have, and based upon a certain categorical scale, they will rank each one as to how vulnerable (or not) they are to a security breach. With this in mind, you will then be able to carve out a much more efficient and effective Cybersecurity strategy for your company. Plus, the FISO that you hire will also have the ability to vet third party vendors in order to make sure that they are compliant with your established security protocols.
- The development of Key Plans: Given the magnitude of what the world is facing today, the C-Suite in many businesses are starting to realize the importance of the development and execution of mission critical programs in order to keep their organizations operating even in the face of a disruptive event, such as another global pandemic. Once again, the FISO will have the experience to help you initiate and draft the following plans:
- Incident Response (IR) Planning: This plan will carefully spell out the steps that your business needs to take to combat a threat variant once it has been detected. This will include not only the best way to react to it, but how to mitigate it head-on as well.
- Disaster Recovery (DR) Planning: Once you have contained the impact after being hit, the next step is to resume critical business operations as quickly as possible. With the Risk Assessment that the FISO did, you will know immediately which processes need to be restored right away, followed by lower priority processes.
- Business Continuity (BC) Planning: After you have brought operations back to some degree of normalcy, the next step is to figure out how you can continue viably as an organization well into the future. This will be done by further mitigating the risks of any future Cyberattacks with the lessons that have been learned. The FISO you have hired can also create this plan for you, by further augmenting it with the deep level of experience that their other contacts will have. This is something that a staff CISO will not have the ability to do.
- Maintaining Oversight: Given that the Remote Workforce is now a reality for the foreseeable future, the meshing of both home and corporate networks is starting to become a real challenge. A key risk in this area is the exposure of confidential information and data. As a result, you are being closely watched by the likes of the CCPA, GDPR, and even HIPAA. If you do not comply, you will likely be under the scrutiny of an audit, and possibly even face some very harsh penalties. A good FISO will have the necessary skillset to develop a program that ensures you are in compliance with all of these federal and state statutes, and even develop a set of controls to make sure that you stay that way for a long time to come. In stark contrast, a typical CISO would have to hire outside consultants to accomplish this task, which would cost your company even more money. But with the FISO, any other resources that are needed are part of the fixed, package deal.
- Implementing security training programs: Security training is very much a hot topic today, especially with so many employees working remotely. Unfortunately, many IT Security teams are too overburdened to provide that kind of instruction to employees, and this task is often left to the Human Resources department to conquer. More than likely, the HR team will not have the expertise to deliver a deep dive-style training program. The FISO, however, is well-equipped to provide the in-depth, high-quality instruction that is so desperately needed by businesses today.
Now that you have a good understanding of the role of a FISO can play, you may be wondering how this type of professional compares to other IT specialists who perform similar roles. In our next article, we will clarify the role of the FISO as compared to that of the vCISO and the CISO.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.