Why do people use a Virtual Information Security Officer (VISO)?
At the end of the day it’s a hardcore competency. Most people I talk to, if they have a security officer, that security officer is really bored. There are only so many times they can go through an incident before someone fires them because – if you’re a security officer and your company has a hundred incidents, you’re not really good at your job right?
It’s hard to get a lot of experience and training with that kind of stuff. You need checks and balances. Generally speaking, the people who are doing the work are not supposed to be the people checking the work and that’s a good reason to outsource some of those items.
Take the analogy of Schrodinger’s Cat.
What that means is, if you’re not really measuring your security, do you really have any security? It’s just like in the science experiment, your security is both working and it’s not – until you measure it; but you assume it’s there.
We’ve actually found DLP systems interact with green light and no cables attached. Do they have a DLP system? According to their audit, yes. Did it do anything once you looked at it? No. It used power, some cooling, and things like that, but it didn’t actually plug into the network whatsoever.
Measuring really changes the reality. You can measure where you’re starting from in something like this, then see how you’re scoring. What are my grades? Not, “Do I have a yes/no answer;” but “Do I get an A, a B, a C, or a D? How did I score? Did I graduate fifth grade?
Then measure again and you can see where you are now. Hey, I got into sixth grade; I’m in the seventh grade; maybe I’m in high school now. It means really going through it so you can see where you started, where you are now, and what you need to do next and why.
In-house teams rarely have time to proactively manage security and measure results. If you would like to learn more about how to deploy the latest CIO Offense Innovation within your network contact firstname.lastname@example.org.