Stout Article
Regulations, Guidelines, and Risks
SECURITIES AND EXCHANGE COMMISSION
NATIONAL ASSOCIATION OF CORPORATE DIRECTORS
RISKS
RISK ASSESSMENT
The FBI reports that some 90% of company security exploits result from employees clicking on an email link or opening a web page with embedded malware.[5] All it takes is one click and a firm's systems can be attacked from the inside.
- Identify what needs to be protected, plausible threats, and known vulnerabilities
- Estimate the business risks if vulnerabilities are exploited (considering probability and potential severity)
- Prioritize these risks and the identified protective gaps
- Document and agree on a plan to address these gaps
- Track progress of the plan, with executive and board updates
- Monitor the effectiveness of these protections
- Periodically and regularly repeat the above steps
PENETRATION TESTS
VENDOR REVIEWS
WRITTEN POLICIES
TRAINING PROGRAMS
INCIDENT RESPONSE PLAN
Important Questions and Considerations
BEST PRACTICES VERSUS GOOD ENOUGH
SECURITY TECHNOLOGY SOLUTIONS
FOR BOARDS AND SENIOR EXECUTIVES
CISOS AND VIRTUAL CISOS
- Advising boards and senior executives on their information and cybersecurity responsibilities, presenting security risks and choices in a prioritized business context, and supporting the development, implementation, and monitoring of an enterprise security strategy.
- Mentoring internal security officers, accelerating their professional development, and providing guidance on priorities, projects, and purchases.
- Advising on or leading specific projects such as vendor selections, purchase decisions, and reviews of security plans, or prioritizing audit findings and coordinating their remediation (as it is sometimes easier for an outside expert to bridge internal hierarchies).
- While most of the above work can be scheduled in advance, virtual CISOs also can provide emergency support, such as for breach evaluation and recovery efforts. Ideally your organization has a ransomware plan already prepared, but getting external advice in a crisis still helps.
SECURITY PROCEDURES COME FROM THE TOP
Aspire Profile
MAXIMISING SECURITY
ADAPTATION IS THE KEY TO BEING SECURE
GUIDANCE IS ESSENTIAL
What Does a CISO or Virtual CISO Cost?
Median CISO total compensation is $376,249 (salary, bonus, benefits)
Glassdoor, as of June 2023, reports US CISO average annual compensation of $288,830: an average salary of $180,000 plus additional compensation of $109,000.
vSEC estimates the median salary, bonus, and benefits for a CISO with 15 years' experience and a master's degree at $400,000, or about $33,000 per month.
Virtual CISO Costs
A recent web survey of price quotes for virtual CISO services showed many offerings from $5,000 to $20,000 per month, heavily dependent on how much time and support the client needs. vSEC virtual CISO services usually range from $6,500 to $15,000 a month based on client needs, with $10,000 a month common for long-term support.
Sources
- https://www.salary.com/tools/salary-calculator/ciso?yrs=1.5&type=bonus
- https://www.heidrick.com/en/insights/cybersecurity/2023-global-chief-information-security-officer-survey
- https://www.glassdoor.com/Salaries/chief-information-security-officer-salary-SRCH_KO0,34.htm
- Other virtual CISO businesses.