cyBARR Chats Episode 6: Core Functions of BARR’s CISO Advisory Practice

January 6, 2021 | Cybersecurity Consulting
Michelle Smith: [00:00:00] Hi everyone, and welcome to this episode of cyBARR Chats. Today, we’re going to be covering some of the core functions within BARR’s CISO advisory services. And to do that, we’re speaking with BARR’s Director of CISO Advisory, Mitch Evans. So Mitch, I’ll jump right in. What are some of the core functions or services within BARR’s CISO advisory practice?
Mitch Evans: [00:00:21] Yeah, so there are a lot of things to think of. Anything that the Information Security Officer would do full-time at an organization. So, that would be things like risk assessments, security awareness training, vendor risk management, customer due diligence responses, policy and procedure documentation, external audits, facilitating those, internal audits as far as they’re security-related, security project management.
[00:00:47] And other compliance-related topics, as well. Basically, all of that would comprise what a virtual CISO or vCISO does. So typically, the type of organization that needs a virtual CISO is one that is maybe a little, not quite mature enough to have a full-time CISO. Maybe they don’t have the business case to hire a full-time employee to handle something like that.
[00:01:15] They’re also, full-time CISOs are kind of expensive; they’re a little difficult to find right now. Security positions, in general, are pretty hard to fill right now, or I guess, security candidates are hard to find. So, basically what we would do is we provide outsourced security consulting for all things cybersecurity, those services I mentioned before, as well as things like if you need a new security monitoring tool for, say, your AWS environment. We would, we have a bank of tools that, whether other clients have used them or we just know about them, we’ll reach out to them and evaluate those tools for you, for our clients. I mean, for what fits best for them, based on what they do, the types of information they handle, the business environment they operate in.
[00:02:01] Another thing we might do is provide advisory services during a data breach. So, if you have some sort of hack or leakage or whatever it is, we can provide consulting services to kind of handle that, all the way from identification to containment to communications to basically anything involved with incident response or a data breach. It could also be that you’re going through a security audit, like a SOC 2 audit or ISO 27001. Those audits can be kind of challenging, and we can come in and assist, whether it’s getting these clients ready for the audits or interfacing with the auditors themselves, kind of acting as a go-between to translate what auditors ask for to people who don’t do audits or aren’t auditors, because we kind of speak both languages. And then, also, we have a network of cybersecurity expert partners that we can leverage to help our clients achieve their security goals and compliance requirements, whether those are regulations or customer commitments and contracts.
[00:03:11] So, those are just some examples of what a virtual CISO would do. But, basically, at BARR, what we do is offer our advisory services whenever our clients need it, and then one-off projects related to those topics from the first question.
Michelle Smith: [00:03:25] So, you talked a little bit about this previously, the type of company that would need CISO advisory services. Can you go into a little more detail on that and why those types of companies would need CISO advisory services?
Mitch Evans: [00:03:39] Yeah, typically, like I mentioned earlier, larger enterprises are going to have the resources to go out and hire a full-time CISO. They build a security and compliance team. But many, many companies out there, especially startups and small- to medium-sized businesses, whether they don’t have the resources to hire a full-time CISO or they just don’t want to at the given moment, they’ll reach out because they still need these types of services. A lot of times, you’ll have a small business selling software, for example, to large enterprises.
[00:04:13] And those large enterprises come back and say, we need you to comply with all this stuff. And these startups with, you know, 20 employees are kind of at a loss, not only because they don’t understand a lot of times what these enterprises are asking for, but also they just don’t have the resources or time to do it.
[00:04:32] So, typically that’s who we’d be helping out: companies who just don’t have the resources to hire somebody internally, and they’re required to comply with, whether it’s a regulation, customer requirements, or contracts. And then, at BARR specifically, we specialize in advising and consulting companies that provide software as a service.
[00:04:51] So, oftentimes those are small- to medium-sized businesses that don’t have, like I’ve mentioned a few times, the resources, whether it be time or money, to hire those full-time CISOs. And that’s where we come in and act as the go-between when they’re a small business and need security advising, but aren’t quite to the point where they want to hire a full-time CISO.
[00:05:17] And the goal is eventually, I mean, obviously this would mean that we would lose a client, but the goal is to eventually just bridge that gap between being a small business with a lack of resources to, alright, now we’re ready to hire a CISO. So, that’s where our kind of project life cycle would come in.
Michelle Smith: [00:05:34] And can you talk a little bit about BARR’s process and approach?
Mitch Evans: [00:05:38] Yeah. So, typically we take, it depends on the project, but let’s say that it’s a company that just doesn’t have a security program at all. A formal security program. They might have security controls here and there, but they haven’t formalized anything like policies or procedures or controls.
[00:05:56] So, what we would do is take our four-phased approach. First phase being, the scoping phase, where we figure out the why before the how. So, we would come up with a plan based on the client’s needs, the environment they operate in, the types of data they might be handling, the commitments they have to maybe customers or regulators.
[00:06:20] And based on that, we will come up with a plan, and then we’ll assess where they’re at against where they want to be. So, let’s say right now they have, like I mentioned, no formal security program, but they want to get to the point where maybe they have an ISO 27001 certification goal.
[00:06:37] Well, we would say, all right, this is what you have in place. This is where your gaps are and then that leads us into the third phase, which would be the roadmap where we’ve identified gaps. We provide recommendations on how to fix those gaps. And then, we provide a roadmap to getting to, in this case, ISO 27001 certification.
[00:06:55] And then the final phase is what we call remediation. We basically manage that remediation, all the remediations that need to take place. We would be acting mostly as the project manager. But for things like risk assessments, like the services I mentioned before, risk assessments, vendor risk assessments, policy and procedure documentation,
[00:07:17] those are the types of things where we can actually help them remediate those gaps, because those are some of the services we do. And then the more technical fixes that may require engineering personnel, we kind of project-manage those tasks with the client and maybe some outsourced consultants like penetration testers, or maybe sometimes it’s even outsourced legal advice for a privacy policy or a data protection agreement.
[00:07:44] So, those are kind of the four phases. And then after remediation, it kind of moves into just an ongoing management. So, that’s where we would just typically make ourselves available for a set amount of hours per month. And they can bounce ideas off us, come to us if they have a data breach or one-off projects as they come up.
Michelle Smith: [00:08:04] So what sets BARR’s CISO Advisory services apart?
Mitch Evans: [00:08:09] I guess the answer to this will kind of contradict a little bit of what I just said, because we do have our approach, but our first priority is an approach that fits our clients. And that will typically involve what their customers or stakeholders, including regulators, require.
[00:08:25] So, you know, we’re going to apply our approach in whatever way fits our clients’ operating environment. Again, going back to the types of day-to-day processes, what they want or need for a security or compliance program. And we take our expertise across all things cybersecurity and compliance, and we would tailor that four-phase approach just to fit each client.
[00:08:44] A lot of the other companies out there, or advisors out there, would just say, you know, my way or the highway. And we’re more of, this is the highway, and how do you want to get on that highway and stay on it? We’ll help the client do that within the overall structure of how we do things.
[00:09:02] But again, it’s going to be heavily tailored to each client, because each client is different. You could have two clients that do the exact same thing, but they have different goals, or they have different types of people that work for them, or different customers. So, we really try to tailor our approach to fit what our client actually needs.
Michelle Smith: [00:09:23] Got it. Well, Mitch, thank you so much for this overview and we look forward to learning more about BARR’s CISO advisory services in a future cyBARR chat. Thanks again, have a great day, everyone.
Mitch Evans: [00:09:35] Thanks.