A CISO for all Seasons


If you’re a small or medium-sized business, you probably have security needs. This could range from a small non-profit that does community outreach to a large medical service firm with an array of activities. Maybe you have a security budget but are short on qualified applicants, or perhaps you have a shoestring budget but require the administrative policies and technical controls of organizations ten times your size. Well, Kuma has you covered.

One of the specialties that Kuma offers is our virtual Chief Information Security Officer (vCISO) services. A vCISO allows an organization that doesn’t have the budget or need for a full-time CISO to still get professional assistance on a part-time basis.


But why don’t I need a full-time CISO?

Well, maybe you do, but taking the examples from above, a small non-profit may require access to health payor data, which is classified as Protected Health Information (PHI) under HIPAA. That non-profit doesn’t have the budget for a full-time CISO, but it definitely has the need. Health payors are notorious for their intense security reviews (with good reason). With a vCISO in its corner, the non-profit can get the policies written and the technical controls implemented that will allow the health payor to share PHI confidently and securely.

After that initial hurdle, staying in compliance with those freshly-minted policies can be a daunting task. A vCISO can oversee a continuous monitoring program (CMP) that checks the controls behind those policies on an ongoing basis, so that compliance is maintained rather than rebuilt before each review. The CMP also folds in related tracking activities as appropriate, such as risk analyses and gap analyses, to the extent they bear on the controls being monitored. When the payor comes back in a year for its annual security review, having a vCISO and an actively managed CMP could mean the difference between business as usual and a freeze in operations until security requirements are met.


Beyond policies, what else am I paying for?

Great question! Having a vCISO for operations can be immensely helpful when speaking with clients. Sharing PHI isn’t just a contract with indemnity clauses (though it is that sometimes); it’s knowing where the data is flowing and how it’s being processed, stored, protected, and destroyed. While policies may look good on paper, a vCISO ensures those policies are actually followed, and can demonstrate it with evidence when a client or auditor asks for it. Data mapping, access controls, and business continuity plans are just a few of the tasks a vCISO can be expected to oversee. When it comes to completing security questionnaires, sometimes a question or control can’t be answered directly, and a good vCISO can design compensating controls that fit the business you are in, documented with the rationale so the reviewer can accept them.

While a vCISO can help almost any company with its security practices, procedures, and culture, it takes the commitment of management to recognize the areas they know and the ones they don’t. Let’s walk this security path together, each bringing our expertise and our blind spots, and build something great.