CISO-as-a-Service Hits the Right Note with Mid-Size Businesses

It’s hard to believe, but it’s been three years since Orange Cyberdefense first pioneered CISO-as-a-Service. Well past time for us to take a look back at how the service came into being, why its popularity amongst mid-sized businesses has surged forward and where we’re headed next.

A new approach to security management

Security isn’t a static problem; it’s different for every company depending on its size and vertical industry. Where major enterprises typically face enough strategic security challenges to justify a full-time CISO, smaller companies often find themselves in need of one, but not 100% of the time. More cybercriminals are targeting mid-sized businesses, hoping to take advantage of a haphazard or inconsistent focus on security practices. At the same time, mid-sized firms are reluctant to invest in the expense of a full-time CISO on a ‘just-in-case’ basis. Clearly, someone must own the security and compliance strategy, but the requirement can extend beyond the expertise of operational IT and Security Managers.

Finding the answer

The simple solution is to apply a consumption-based model to acquiring this expertise. This way, any organisation can access senior strategic security expertise in a cost-effective way – the utility benefits without the capital expenditure argument that we know so well. Our CISO-as-a-Service allows organisations to have a strategy for security. We help to build and maintain an information security management system and take a holistic, risk-driven approach to protecting vital assets, which can then be underpinned and supported in tandem with the in-house IT team. The other advantage we bring to the table is an industry perspective – we have 130 trained security experts working with several hundred customers – we track and monitor the security threat landscape, and there is no challenge or issue we haven’t seen before. When a mid-size organisation rings the CISO bat phone, we tend to take a wider view of the client’s specific need. We begin with a “drains up” risk assessment across their entire business, which reveals the true extent of the challenges to be resolved and often puts a far more extensive context around the initial issue identified by the customer. We look at the business in depth to identify which assets are valuable and where they exist; we assess the protection around them and recommend solutions to fill any gaps; all the while acting as a member of the customer’s IT team and making sure our thinking is in the best interests of the business as a whole.

An evolving service

CISO-as-a-Service has already proved popular, giving customers the expertise they need as and when they need it. We’ve been working with several big brands since launch, but nothing stands still in security, and we’ve been careful to continuously simplify and improve our service based on customer feedback. For instance, we’ve added tiered security metrics and a maturity model, so organisations can monitor the improvement in their security posture over time. Mark Sprules has just joined as head of our CISO team, and he’s leading the charge to make sure businesses avoid a “head in the sand” approach to strategic security risks. From eBay to Target, high-profile security breaches continue to happen all the time, and businesses can’t afford to sit and hope they won’t be affected. Putting the right security processes and strategies in place is now even more essential for organisations of all sizes, but we like to think we’ve found the best way to help customers apply security in a sensible way that suits their business requirements.