Cyber Security Risk Management
At Nicolson Bray we know that protecting organisations from cyber security attacks is an ongoing process. Business and technology risk needs to be continuously monitored and, where necessary, corrective action taken. Your Board needs to be kept abreast of both the evolving cyber security threat and how vulnerable your business is to that threat.
"What we will be looking for is a ‘security culture’ in firms of all sizes – from the Board down to every employee."
- Nausicaa Delfas, Director of Specialist Supervision at the FCA
A Chief Information Security Officer (CISO) is responsible for this ongoing risk management, reports regularly to the Board and keeps the organisation abreast of cyber security issues. Importantly, the CISO is independent of IT, in order to give an impartial view of cyber risk within the IT estate.
However, given that security budgets are often stretched and many boards lack the technical expertise to connect security risk to the "bottom line", the CISO is a difficult role to justify. Additionally, a full-time CISO may not be necessary, and one would in any case be virtually impossible to employ. Therefore, Nicolson Bray has developed the option to outsource the role using our Virtual CISO service.
Meet your Virtual CISO
As with an in-house CISO, your Virtual CISO will initially work closely with you to define a cyber security strategy and programme for your business, unifying your operational and strategic functions. Once in place, they will manage the implementation of that programme and drive the delivery of cyber security improvements and risk reduction. At the same time, they will proactively monitor real-time threats to your organisation, enabling your Board to make informed cyber security risk decisions.
Your Virtual CISO will work with employees to ensure that all staff remain current in their awareness of threats to the business and comply with policies and procedures. As an independent figure, they provide an essential service which allows the rest of the business to continue to function with minimal disruption, but with greater assurance that it is protected. Should the need arise, they can also capably manage projects such as breach and incident response or independent audit.