CISO for Software Business
Start Date: April 2022
End Date: In Post
Summary
One of our certified CISO resources has been the appointed CISO for a research software company for over two years. The company engaged a CISO on the level 2 service that we provide. The engagement has been highly successful, taking them from a fairly low security posture to a stronger, more compliant and more secure position.

What did we do?
Our role was to provide the company with a certified CISO on level 2.
What was delivered?
The engagement consisted of the following to date:
Risk review
The CISO quickly established the risk register and an ongoing risk management process aligned with the existing business processes.
The risk mitigations were then used to derive the Security Improvement Plan.
Security Improvement Plan
The plan was derived from newly identified risks aligned with the strategic goals and objectives of the business.
To date, many things have been achieved, including:
- Reduced incidents and a lower cyber risk rating.
- Implementation of better endpoint protection.
- Implementation of Data Loss Prevention tools.
- Implementation of a security awareness training course.
- Certification to ISO27001.
- Improved customer perception (based upon responses to security questionnaires).
- Improved policies and procedures specifically designed to reduce the insider threat.
- HR security processes for starters, leavers and movers.
- Improvements to office security.
- Enhanced Disaster Recovery and Business Continuity plans.
Lessons Learned
The following key lessons have been learned up to this point:
- The part-time CISO role works for most small to medium-sized organisations.
- Demonstrating the commercial benefits of security improvements helps motivate senior management to support change.
- Procurement of security solutions is tricky, especially as vendors often do not support small to medium-sized businesses well in their pre-sales activities.