The Fortify virtual Chief Information Security Officer (vCISO) program provides your organization with an expert to assist you in all aspects of cybersecurity. The vCISO reviews your security framework, practices and procedures, and your current security posture, performs a penetration test, and checks your network for any existing breaches. This evaluation includes an interview of the executive staff and current IT staff. This investigative interview covers concepts including vendor management, program and project management, financial management, IT risk management, and system security.
After the assessment is completed, the Fortify vCISO creates a report for you outlining what you’re doing well and where there are gaps in your security or IT policy. If you are missing any necessary items for specific compliance requirements (HIPAA, SOX, PCI, etc.), our vCISO provides you with a plan to move forward in fixing any of the items that are currently missing. In the event that you experience a security incident, the Fortify team of experts will provide expert guidance or complete incident response depending on the specific engagement.
Commonly Asked Questions
A Fortify vCISO is much less expensive than a full-time in-house CISO. According to SilverBull’s May 2016 report, the median salary for a CISO is $223,000 per year. The base salary doesn’t even include the additional expenses required for a corporate executive. On average, Fortify’s vCISO clients pay significantly less than it would cost to hire an in-house CISO. Our vCISO clients also gain access to the expertise of an entire team, which eliminates the inherent skills gap of a single employee. The Fortify vCISO program enables companies that could not otherwise justify the expense of a CISO to receive industry-leading quality, security vision, strategy and execution.
vCISO engagements are objective-based and tend to follow an agreed-upon time-frame.
A current client has the following objectives for their security program over the next 18 months:
- Quarterly security awareness training for all users
- Preparation for a third-party security audit
- Monthly executive committee participation and consulting
- Annual risk assessment and penetration testing
- Security policy development
- Incident response program creation and implementation
- Guidance with HIPAA security compliance
These objectives were quantified and agreed upon by Fortify and our client. We tailored our vCISO solution to fit their budget, agreed on monthly invoicing terms, and began work right away. Over the same period of time, the client will spend approximately 20% of the cost of a full-time CISO capable of meeting all of these requirements in order to accomplish 100% of their security objectives.
Yes, Fortify utilizes a team of information security professionals to provide the very best security services for each vCISO program. You will have a dedicated vCISO who will guide the overall strategy while leveraging Fortify’s security team to accomplish necessary milestones. One of the advantages of our vCISO is that additional security professionals are included in the security program, unlike with a CISO who must hire additional people (or outsourced service providers) to fulfill security staff needs.
The Fortify vCISO offering is meant to be flexible in order to meet the unique needs of each of our clients. Engagements typically follow a cycle of assess, plan, remediate and reassess.
Whether you need high-level guidance on a monthly or quarterly basis or hands-on help several days per week, our vCISOs will be able to build a solution for you.
Typical objectives of vCISO engagements include:
- Information security leadership and guidance
- Steering committee leadership or participation
- Security compliance management
- Security policy, process, and procedure development
- Incident response planning
- Security training and awareness
- Security assessment
- Internal audit
- Penetration testing
- Social engineering
- Application vulnerability assessments
- IT risk assessment
- Red team assessment
- And much, much more.
vCISO has no borders – which is one of the many benefits of the program. Communication with your Fortify vCISO occurs remotely through the use of teleconferencing and online collaboration tools. Engagements can also be conducted onsite if requested and agreed to in the statement of work. Many of our clients employ a hybrid approach where the vCISO lead is onsite periodically to foster teamwork while working remotely at other times to leverage the cost savings that virtual meetings afford today’s businesses. Fortify will find the right balance of onsite and remote activities to fit your company culture and budget.
Our team of vCISOs has experience with numerous regulations impacting businesses in the United States, Canada and the EU – including:
- Health Insurance Portability and Accountability Act (HIPAA), particularly the Privacy and Security Rules
- The Health Information Technology for Economic and Clinical Health (HITECH) Subtitle D
- Sarbanes-Oxley Act of 2002 (SOX)
- Payment Card Industry Data Security Standards (PCI DSS)
- The Gramm-Leach-Bliley Act (GLBA)
- The Family Educational Rights and Privacy Act (FERPA)
- Children’s Online Privacy Protection Act (COPPA)
- Freedom of Information Act (FOIA)
- The Electronic Communications Privacy Act (ECPA)
- The Federal Information Security Management Act of 2002 (FISMA)
- Title 21 CFR, Part 11 | Food and Drug Administration (FDA)
- Federal Trade Commission (FTC) Red Flags Rule
- Texas Medical Records Privacy Act | Texas HB 300
- California Senate Bill 1386 (CA SB 1386)
- The Bank Secrecy Act (BSA), also known as the Anti-Money Laundering law (AML) or BSA/AML
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- European Union Data Protection Directive (EUDPD)
- Finnish Personal Data Act (523/1999) and Amendment (986/2000)
- Danish Act on Processing of Personal Data (Act No. 429)
- Austrian Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000 – DSG 2000)
- And More …
“The Fortify vCISO service is exactly what I needed to ensure our company was on the right track. As a financial services organization, we must maintain compliance with a number of regulations. The team at Fortify understands exactly what needs to be done to maintain compliance.” – Magid Mina, CEO