The job of a Chief Information Security Officer (CISO) is one that has become increasingly complex as more frequent security threats emerge. A typical CISO has broad responsibilities for establishing and maintaining an organization’s strategy to ensure information assets and technologies are protected. The CISO also directs staff in reducing IT risks, responding to incidents, and implementing procedures that protect the enterprise. In many organizations, the CISO needs to combine the communications skills necessary to advise the board and CEO with the technical chops to manage tactical delivery.
It takes years to develop these skills, and the demand for them has increased dramatically. Because of this, a traditional in-house CISO can cost an organization upwards of $200,000 to $380,000 in salary, plus benefits for a full-time employee. Employing a CISO is a substantial investment for any organization, and many have difficulty attracting world-class skills because of their location, industry, or scale. Although these organizations face the realities of an ever-growing risk of cyber attacks, many of them do not have the resources to afford and attract a qualified CISO candidate. Cybis’ Managed CISO service is designed to fill that gap with a flexible, highly capable, and affordable alternative.
Cybis is a cybersecurity consulting firm composed of former National Security Agency (NSA), Central Intelligence Agency (CIA), Department of Defense (DOD), Department of Energy (DOE), and US Senate cyber operators who provide retainer-based security advisory and Managed CISO advisory services to leading organizations across multiple industries. Here are some benefits of the Managed CISO model over the traditional CISO employee model.
Traditional CISO Model vs Managed CISO
| Traditional CISO Model | Managed CISO/Advisory Model |
|---|---|
| High salary costs that can range from $200K to $380K, plus benefits | Costs tailored to the organization, typically over 50% savings in comparison to the average salary cost of a traditional CISO |
| A full-time CISO may become the key person for incident response, creating a single point of failure when on leave | Cybis offers a team of cybersecurity experts who can ensure continuous coverage and ramp up to respond to an incident or crisis |
| Cybersecurity expertise is limited to the skills and experience of one person | Access to a team of cybersecurity experts with decades of experience in both offensive and defensive operations |
What Cybis Can Do
Cybis Managed CISO engagements typically begin with an assessment to establish a baseline understanding of the client. This identifies any critical gaps or vulnerabilities in the cyber, human/insider, and physical security environment. Cybis also assesses the client’s readiness to respond to likely threats and develops a practical roadmap of recommendations to remediate those gaps.
Once the landscape is understood, Cybis and the client can craft an appropriate ongoing CISO or advisory arrangement that typically provides a combination of leadership, oversight, and objective advice on a part-time, retained basis. In this role, Cybis consultants may report to the board, audit committee, and others as an independent, product-agnostic assessor of the client’s security position.
Cybis Managed CISO teams may conduct intermittent assessments throughout the year to explore more specific issue areas identified in the assessment, such as countering an insider threat or establishing an information security program. They may maintain a cybersecurity dashboard or program office to track the progress of the cybersecurity program. They can also be available to quickly respond to incidents and new threats as they emerge, adding skills and flexibility to the client’s in-house team.
As a trusted advisor, Cybis can also provide ad-hoc project services as required, including: