As a business grows, it faces increasing risk from two directions: regulatory obligations and exposure to cyber threats. A bank faces different regulations (and regulators) when it has $500 million in assets under management than when it has $100 million. A business large enough to become a government contractor will have certain regulations to abide by. Cyber criminals would rather target a business with a large cybersecurity insurance policy or bank account than a business with no policy and little money to steal.
At a certain size, a business must take these risks more seriously and build out expertise in these areas. A financial or healthcare company doesn’t really have a minimum size at which it has to deal with these issues; it depends on how much audit or regulatory pressure it is under, and on whether it has the time and energy to adhere to the requirements. Among non-financial companies, we usually see this begin around 100 or more employees. Though this is not an exhaustive list, policies must be created to address:
- Password policy
- Audit policy
- Vendor Management policy
- Vendor Selection policy
- BYOD (Bring Your Own Device) policy
- Remote Access and Work From Home policy
- Incident Response policy
- Patch Management policy
- Change Control policy
- Data Backup policy
- Data Retention policy
- Acceptable Use policy
- And many more…
Once policies are created, they must be reviewed on a regular basis (usually quarterly, bi-annually or annually) and updated as needed. Board reporting on the policies is a requirement, as is testing and/or auditing of the policies. Regulators and certain customers will ask for your policies in these areas, usually on an annual basis.
In addition to creating and following acceptable policies, additional tools and services will need to be implemented for the company. These may include:
- Mobile Device Management (MDM)
- Vulnerability Management
- Endpoint Security
- Security Operations Center (SOC)
- Penetration Testing
- Log Management
- Security Information and Event Management (SIEM)
How does a vCIO fit in?
If it’s not obvious by now, creating these policies requires a good bit of expertise in these areas (as well as time). Once the policies are in place, maintaining them and ensuring they are followed requires ongoing time and effort. At a certain point, this cannot be done effectively by a COO, CFO or Operations Manager on a part-time basis. Either a dedicated CIO will need to be brought in (at a significant cost to the organization), or the organization can outsource these responsibilities to a service provider who specializes in them (hint: Unicom specializes in these!). A vCIO can:
- Create the necessary policies for the organization
- Maintain said policies
- Determine the correct tools to implement for cybersecurity and regulators’ requirements
- Manage the Vendor Management process
- Review event logs
- Attend board meetings just as a CIO would
- Represent the organization with regulators and examiners
- Manage the remediation process from audit and examiner findings
- Manage an ongoing disaster recovery test
- And much more…
Is an ongoing audit or examination keeping you up at night? Are you not ready to pull the trigger on another executive hire, but find managing these processes daunting? If you are wondering whether you may be at the place of needing a dedicated effort in managing these areas of your organization, we invite you to get in contact with us. We’d love to help you sleep better at night!