Measure Twice, Cut Once: How a VISO Helps Make Your IT Spending More Effective

A Virtual Information Security Officer (VISO) can help make your IT dollars more effective. Typically, we start with the Scoreboard because we want to measure twice and cut only once. It’s important to ask these key questions:

  • What do you have?
  • Is it working?
  • Can we use it?
  • Does it make sense?

If we look at our graph, you can see that we have critical items in the red and less critical items in the green. We’ll go into an environment and see that the green area is chock full of solutions and the red area is not. One reason is that the green area holds a lot of solutions users won’t notice, while the red area holds a lot of solutions that users will notice.

You can see how that plays out in a backwards organization where IT wasn’t allowed to do anything that might impact a user: no one understood security, and security was treated as an IT issue rather than a business issue.

When we talk about measuring twice and cutting once, what we mean is, “Where can the dollars be spent in the most effective way possible, so you raise the greatest number of bars?” And so, someone will ask me, “Am I PCI compliant?” And the answer is always “No.” Being PCI compliant is a process, not a state. The same applies to HIPAA and GDPR.

You have to really look at it and say, “Have I created my building blocks in such a fashion that each more difficult security system I put in place can actually be used? I don’t want to put in that half-million-dollar DLP system if my twelve-year-old with an iPad can get around it. That’s not really good security; I don’t get a good return on my dollar there.”

We want to make sure that an action plan really follows this. We want to make sure that people aren’t buying a system – I’ll pick on a Network Access Control (NAC) system – because a board member saw it in InfoSec Magazine and said, “This is really cool, my son works in IT, he said we really need one of these, so let’s get that project going.”

This has actually happened multiple times. Then we look at it and say, “You don’t even have a real spam filter. You don’t have anything to help you with phishing attacks. If you don’t have these basic fundamentals, what are you buying that thing for?” It’ll give you the appearance of security, it’ll give you the feeling of security, but at the end of the day, you’re not going to be secure.