Fractional CISO Creates Focal Point for Security
This ZehnTek client, a financial services firm, had previously deployed information security practices and periodically sought independent assessments of the program. The key recommendation from the most recent assessment was to bring in a fractional Chief Information Security Officer (fCISO) to create a coherent security program, build mature security practices and demonstrate compliance with financial regulations.
To take on this challenge, the firm turned to ZehnTek, which provided an experienced security leader. As the client’s fCISO, the ZehnTek specialist guided the security program by providing the unique ability to speak the languages of both IT security leaders and executive management.
Knowing When Cyberattacks Occur
The key findings of the fCISO included the determination that the client's IT team consumed too many hours discerning whether the network infrastructure was under attack from cybercriminals. The deployed technology generated too many false positives, not enough useful information, and a big bill!
To remedy the situation, the ZehnTek fCISO recommended managed detection and response services. The fCISO also helped the client select a well-regarded vendor who could ingest over 10 times as many log sources and sensors as the previous log aggregation vendor.
The new vendor could also discern attacks much more readily and reduced the false positive rate by an order of magnitude — all at a similar cost as the previous vendor. In the end, the client generated improved awareness of attacks and reduced security analyst time spent on incident detection by 75%.
Managing Risk Through Effective Governance
Risk management was also important to our client. A committee of senior executives met periodically to manage the company's operational risks, and our fCISO assisted by working with the committee to elevate information risk management and to bring information security governance into the committee's area of responsibility.
The outcomes were numerous. As an example, company leaders expanded their awareness of information risks, which led to stronger security policies. This reduced the risks of cyberattacks and led to the implementation of required security practices that were achievable within the company.
Company leaders also became more aware of how employees are susceptible to various social engineering attacks. As a result, the committee approved the recommendation by the fCISO to improve training and awareness. The committee also implemented a process for vendor risk management (another recommendation by our fCISO) and selected an outside vendor to perform standardized independent vendor risk assessments.
Compliance is not security, but the two overlap significantly. In the compliance environment, the client had implemented several practices, but they also encountered a challenge: demonstrating compliance required additional practices.
To solve this challenge, the firm’s governance body approved new policies, and the fCISO worked with the head of IT to develop information security controls aligned with the NIST Cybersecurity Framework and OCIE Sweep Guidance. ZehnTek also chose a low-cost, lean GRC (Governance, Risk and Compliance) system, provisioned as a SaaS solution, to serve as an evidence collection facility.
And on a continuous basis, ZehnTek deploys compliance controls and collects evidence, making great headway towards the Compliance Officer's goal of demonstrating regulatory compliance on two continents. The chosen path reduces the cost of compliance audits and minimizes the impact of audits on the day-to-day work of the IT staff while institutionalizing solid security practices.
A Harmonized and Coherent Security Program
Solving security and compliance challenges does not end with the deployment of best-of-breed technologies, which don't always work together. In addition, regulatory and privacy controls in different jurisdictions don't always match, and security practices implemented by highly competent staff with varied backgrounds don't always mesh.
But by working together with the client, ZehnTek helped bring coherence to all of these aspects within the firm’s security program. The internal IT team and company leaders now have a clear focus on how security practices must work together to achieve information risk reduction and compliance objectives.