As the owner of the ODD (operational due diligence) process, you report on cybersecurity resources to your board and investors.
We get that cybersecurity may not be the most exciting part of your job. The good news is you don’t have to do it all. However, you do have to articulate clearly how the players on your team operate and give your investors confidence that you have your cyber program handled.
We’ll give you a jump start on how to do that.
Below is a list of possible resources you can fold into your cybersecurity team.
CISO / CIO / CTO
A Chief Information Security Officer (CISO) focuses primarily on cybersecurity. A Chief Information Officer (CIO) and a Chief Technology Officer (CTO) focus primarily on the technology your firm uses, but sometimes deal with cybersecurity as well. This team member designs the cybersecurity program, hires security headcount to handle tool implementation, and vets third-party vendors.
Fractional CISOs are less expensive than a full-time CISO (we’re stating the obvious, I know). From our experience, even if you have a cybersecurity leader in a CISO, clients still end up having to fill in the other responsibilities, such as onboarding third-party vendors, independently running cyber risk assessments, and all the everyday cybersecurity grind. This works great when you have the internal resources to handle the everyday cybersecurity honey-do list.
Cybersecurity consultant
A cybersecurity consultant does the heavy lifting of building, evaluating, and reinforcing your cybersecurity program. They conduct independent assessments and audits, policy reviews, training and awareness, and tabletop exercises—all the work that keeps your security program healthy, resilient, and up to date against evolving cybersecurity threats.
IT provider / Managed service provider
An information technology (IT) provider or a managed service provider (MSP) is different from a cybersecurity consultant. IT providers and MSPs do the business-critical job of making sure your infrastructure and technology environment works. They respond to troubleshooting tickets (the kind you send when Outlook is glitching on you), maintain your systems by updating your platforms, and monitor IT system performance. By themselves they DO NOT prevent or stop a cyberattack from happening.
Assembling a cybersecurity team to meet your investors’ priorities
The good news is that the composition of your team is up to you. There are no set positions you are required to fill. What you do need to do is make sure that the people, vendors, and consultants you hire can address all of your investors’ cybersecurity concerns.
Not sure whether you need a full-time or fractional CISO, a dedicated cybersecurity consultant, and/or an IT provider? Need advice on other cybersecurity resources for your next ODD review? Drawbridge has hundreds of relationships with vetted vendors and consultants that can help you optimize your team.