Everything You Need to Know About BARR’s CISO Proven Process: Part 2—Remediation to Continuous Management

According to the New England Institute of Technology, 58% of CISO advisors believe the problem of not having an expert cyber staff will worsen in the future. While developing a security program is no easy feat, this statistic speaks to the skill gap some organizations face when needing to secure sensitive information. That’s why working with a virtual Chief Information Security Officer (vCISO) can help alleviate the existing skill gap, as bad actors continue to find new ways to breach systems and networks.

vCISOs exist to guide your business to your security goals, strengthening brand reputation along the way. Working with a vCISO is like having a plan in place in case of a fire—installing detectors, being careful with electric cords, ensuring your heating sources are properly working—versus solely relying on the fire department.

Instead of putting out your proverbial cybersecurity fires when an emergency occurs, vCISOs help you continuously manage the programs that guard your sensitive information, proactively preventing security incidents before they can occur, eliminating the probability for compliance issues in the first place.

This is the second iteration of a two-part series on BARR’s CISO Advisory Proven Process where we’ll be outlining what happens during remediation and continuous management. In the first part of this series, we highlighted Phase 1, the CISO Gap Assessment, where your organization gains an initial list of gaps and recommendations for remediation.

With Phase 1 complete, BARR and your organization know exactly what you need to achieve the first of many security milestones. Let’s take a look at what to expect during Phase 2—remediation and onto Phase 3—continuous management.

Phase 2: Remediation

During Phase 2, BARR guides you from a posture with gaps to a level of compliance with a given framework or standard.

Establish a Security Committee

The first step of any remediation program is to form a security team within your organization and document each team member and their responsibilities. A security team sets the vision, responsibilities, and scope of your security program and ensures your organization is clear on your responsibilities.

Project Management

Regardless of whether BARR owns the remediation activity or if it’s assigned to someone within your organization, we follow up and keep the project on track. During project management, we ensure all gaps and recommendations move forward.

What you Gain

During the remediation phase, BARR will provide you with several deliverables, including:

Security team documents
Information security policies and procedures
Final set of controls mapped to in-scope framework

These deliverables not only document your remediation process, but provide you with a clear analysis of how you’ve reached your security objectives.

At the end of your remediation process, you’ll also work with your vCISO to define your security plan and determine a roadmap for a sustainable long and short-term information security program.

Phase 3: Continuous Management

BARR doesn’t stop at remediation. Once you’ve reached your initial cybersecurity goals, we work with you to develop and implement your security plan as your business develops.

Your engagement lead, in conjunction with the CISO Leadership Team, will perform regular reviews of both engagement performance and budgets, forecasts, and schedules. These tasks are performed on a monthly, quarterly, and annual basis.

BARR’s CISO Advisory resources are readily available at your disposal and we continuously scale our services to meet your organization’s needs. Continuous management services include:

Customer compliance questionnaires
Risk assessments
Vendor evaluations
Internal audits
Security awareness training
Penetration tests
Reviews and updates of policies and procedures
InfoSec KPIs

Through BARR’s CISO Advisory, you’ll see significant reduction in cost compared to a full-time CISO with the industry expertise needed to make sound security decisions.