A Chief Information Security Officer (CISO) is an executive-level position responsible for an organization’s information security strategy and the security of its data. CISOs develop and implement security programs, manage risk, ensure regulatory compliance, and lead incident response, all while communicating security needs to both technical and non-technical stakeholders. Sometimes this expertise is outsourced to third parties, including Managed Security Service Providers (MSSPs), consulting firms and accounting firms that offer virtual CISO (“vCISO”) services.
Many of today’s CISOs (or vCISOs) fall short because their backgrounds are largely academic or compliance-driven, with little or no real-world operational experience. These individuals chase certificates, frameworks and summary dashboards, but many (not all) have never actually operationalized a network beyond its diagram on a PowerPoint slide. Meanwhile, the C-suite executives and Boards of Directors to whom they dispense advice have succumbed to ‘authority bias’ – a psychological phenomenon that causes people to automatically place a high degree of confidence and trust in individuals with a certain status, title or credential. Other examples of this include consumers blindly buying products endorsed by celebrities and patients trusting a doctor’s diagnosis without getting a second opinion.
What Does This Brand of Cybersecurity Expertise Really Look Like?
Superficially, it all looks polished and professional:
- Countless questionnaires & interviews
– “Do employees use MFA for logins?”
– “Does your firm have a written incident response plan?”
– “Is there an asset inventory of all devices on the network?”
- Fill-in-the-blank frameworks
– NIST, ISO, CIS – all important standards, but useless in a vacuum
- Impact analyses (if your network is down for X days, you will lose Y dollars)
– Impressive-looking tables, but how does one quantify the fallout from the reputational risk associated with a security breach?
- Employee cyber hygiene training programs
– Almost always ‘off-the-shelf’ and not bespoke
This is the brand of cybersecurity that alleged experts are practicing, and more firms, particularly in the accounting sector, are getting into this business as a means to gain “wallet share,” i.e. more money from the same client. They might be making more money, but who is doing quality assurance on their work?
We at NetWolf Cyber are often called in for breach response work and can attest that the hackers are doing just fine. Meanwhile, the businesses that experience a breach are suffering, with nearly 20% of them closing their doors or filing for bankruptcy.
In Part 2, we will look behind the curtain at what operational security truly entails and reveal the critical, real-world gaps and risks we consistently uncover as an MSP/MSSP when conducting vulnerability assessments on organizations.
The information in this blog is for general informational purposes only. All references to third-party companies or competitors are for context and comparison only. NetWolf Cyber makes no representations or warranties regarding the accuracy or completeness of information about third parties mentioned herein. For guidance tailored to your organization’s specific needs, please contact NetWolf Cyber Intelligence Advisors directly for a consultation.