Current State

It costs an average of $730,000 to recover from a ransomware incident.

Security is now simply too important to ignore, even more so against a backdrop of high-profile data breaches, large fines, and reputational damage.  Organizations can no longer maintain an informal, relatively lax security paradigm given the proliferation of threats in an increasingly interconnected world.  However, due to a limited supply of capable CISOs and the high salary necessary to attract them, recruiting and retaining an experienced security leader is no easy task.

The One Solution

Our CISO-as-a-Service solves this challenge by providing your organization a world-class Virtual CISO (vCISO), giving you the benefits of a C-level leader with cutting-edge Fortune 50 and US Government cyber security, regulatory compliance and audit expertise to help set the vision and the foundation for your information security program, with the agility to prevent, detect and mitigate evolving threats.

Imagine Staying 5 Steps Ahead with:

  • Access to the Latest Risk Management & Cyber Defense Techniques

  • Peace of Mind with 24/7 Support

  • No Waiting in Line When an Issue Comes Up

  • High Quality Guidance to Your Employees, Board, and Business Partners

  • Turn-Key Implementation Services So You Can Focus on the Business

How It Works

Who This Service Is For

PUBLIC COMPANY
Grow shareholder value by fulfilling two fundamental fiduciary promises – financial reporting integrity and preserving your customers’ trust.

PRIVATE BUSINESS
Fortify access to confidential growth strategies, trade secrets and investments through holistic cyber risk measures.

GOVERNMENT
Maximize taxpayer investments by effectively aligning IT security to the mission to defend and enhance vital critical functions.

HIGH VALUE DATA OWNER
Bulletproof the security of your personal data and identity on social media, transaction sites, mobile, and personal devices.

Get Unsurpassed Value

A virtual CISO from ControlPoints provides on-demand access to a top-tier security leader with specialized technical knowledge and corporate governance experience.  Get better time, quality and consistency on every decision and deliverable.  50 security capabilities you immediately acquire with our vCISO service:

IT Governance, IT Risk, Security Strategy & Transformation, Revenue Assurance

  • Transform Information Security Strategy
  • Modernize Enterprise Risk Management Strategy
  • Develop IT Audit Strategy & Plan
  • Lead and Guide Information Security Program
  • Chair and Advise Steering Committee
  • Formulate Information Security Budget
  • Manage Critical Assets Across the Enterprise
  • Capture Cloud, Cyber Insurance, and Bug Bounty ROI
  • Prevent Ransomware, Phishing, Insider Threats, Viruses, DDoS

Data Privacy, IAM, SDLC, SOC, Patching, Cloud Security, Training

  • Defend Data, Systems, Network, Infrastructure, Personnel
  • Assess Critical Processes and Systems
  • Design Enterprise Data Privacy Program
  • Strengthen Controls Over all Access Points
  • Introduce Agile Security within SDLC and Change Management
  • Develop Security Policies, Procedures, and Standards
  • Evaluate Security Architecture Effectiveness
  • Maximize Security Operations Center (SOC) Value
  • Enhance Anti-Malware Process, Vulnerability & Patch Management
  • Strengthen Encryption, Tokenization, Cryptographic Key Management
  • Secure System Configurations
  • Architect Cloud, Endpoint Security, and IoT
  • Deliver Internal Audit Training

Audit, Continuous Monitoring, SIEM, Vendor Risk Management, BCP/DR

  • Diagnose Security Program Posture & Maturity
  • Conduct Independent Evaluation of Internal Control
  • Empower Key Business and Technology Process Owners
  • Maximize Continuous Diagnostics & Mitigation (CDM) ROI
  • Overhaul IDS/IPS
  • Rationalize Security Information and Event Management (SIEM) Logs
  • Implement True Continuous Monitoring
  • Assess Third-Party Vendor Security (SOC 2, 800-171, FedRAMP)
  • Quantify Industry & Market Trend Research
  • Provide Internal Audit Co-Sourcing / Outsourcing
  • Modernize Incident Response Plan
  • Stress Test Disaster Recovery Plan
  • Validate Business Continuity Plan

Incident Response, Forensic Services, Remediation, Briefings

  • Minimize Ransomware, Phishing, Insider Threat, Virus, DDoS Impact
  • Direct Incident Response & Recovery
  • Lead Root-Cause Discovery
  • Formulate Risk Reduction Strategies
  • Define Actionable Mitigation Steps
  • Develop Risk Rating & Risk Acceptance Defense
  • Remediate Gaps Correctly the First Time
  • Liaise to OIG, Auditors, Assessors, and Third Parties
  • Lead Regulatory Queries Response
  • Augment Response with Specialized Technical Staff

Restore Capabilities Quickly, Elevate Resiliency

  • Modernize the Security Program & Architecture
  • Overhaul Security Over Critical Assets
  • Transform Policies, Procedures, and Processes
  • Deliver Security Awareness Training
  • Deliver Insider Threat Training
  • Restructure Audit and PMO Functions
  • Fortify Vendor Oversight
  • Implement Streamlined Trust Frameworks:
    Public:
    • NIST RMF
    • FISMA
    • A-123
    • FedRAMP
    • 800-171
    • CDM
    • POA&M
    • IV&V
    Private:
    • SOX 404
    • GDPR
    • NY DFS
    • PCI
    • ISO 27001
    • FFIEC
    • PII
    • 3rd Party SOC (SSAE 18)

When hiring a virtual CISO, you need an experienced provider to realize these benefits and to move security objectives from vision to operation. That is why many organizations source their virtual CISO with ControlPoints.

Ready to Take Control

To ensure you get support at the exact moment of need, we recommend you lock down our retainer service today. You don’t want to have to get in line or scramble to find a resource after an incident occurs, adding unnecessary delays and costs to your recovery. Scale up or down as business conditions change and our no questions asked policy gives you the freedom to cancel anytime.

vCISO Silver
The Strategic Plan

$1,999/mo.

Benefits
Includes strategic and tactical support with current and planned cyber risk initiatives. Quarterly call to review investments, progress, and issues.

Plan Details
8 Support Hours/mo.*
Quarterly Check-in Call
Product Discounts
30-Day Money-Back Guarantee

vCISO Gold
The Performance Plan

$4,999/mo.

Benefits
Everything in Silver plus complimentary enterprise risk assessment and strategic roadmap to recalibrate risks and the go-forward vision.

Plan Details
24 Support Hours/mo.*
Quarterly Check-in Call
Product Discounts
Annual Risk Assessment
Annual Strategic Roadmap
30-Day Money-Back Guarantee

vCISO Platinum
The Value Plan

$9,999/mo.

Benefits
Everything in Gold plus premium whitepapers, how-to checklists, invitation to network with peers and our exclusive best practice video series.

Plan Details
50 Support Hours/mo.*
Quarterly Check-in Call
Product Discounts
Annual Risk Assessment
Annual Strategic Roadmap
Premium Whitepapers
How-to Checklists and Guides
Knowledge Sharing Call with Peers
Video Series: CISO Advanced Practices
30-Day Money-Back Guarantee

* Unused hours roll-over for a 12-month period.  Total Support Hours per Year: Silver – 96hrs, Gold – 288hrs, Platinum – 600hrs.

7x Return on Investment

Our retainer service provides high-caliber security leadership at a fraction of the cost of hiring a CISO – 7 times the savings to be exact.

Cost Over Time   Our vCISO Service   Full Time CISO*^
Year 1           $24,000             $150,000 or higher, plus $20,000 hiring cost
Year 2           $24,000             $155,000
Year 3           $24,000             $160,000

* CISO salary taken from publicly available figures for the year 2018
^ Full-time employees also require budget considerations for training, holiday, benefits, and sick leave

Need More Information?

Schedule a FREE 25 Minute Call

Frequently Asked Questions

The Chief Information Security Officer (CISO) is the most senior decision maker for information security and is pivotal to protecting the business from damaging data loss caused by cyber-attacks.

The CISO serves as the principal information security specialist and consultant to senior management, business process owners, and end users.

The CISO is responsible for establishing and maintaining the enterprise vision, strategy, budget, and program to ensure information assets, technologies, and personnel are adequately protected.

The CISO is also heavily involved in formulating regulatory and compliance plans to safeguard data privacy and prevent fraud and data breaches.

Only 14% of businesses have implemented the most basic of cybersecurity practices.  Security is now simply too important to ignore, even more so against a backdrop of high-profile data breaches, large fines, and reputational damage thanks to more stringent regulation and enforcement powers.  Opportunistic cybercriminals target businesses where they can take advantage of haphazard or inconsistent focus on security practices.  The responsibility and potential impact are too great to be left in the hands of unqualified part timers.

Clearly, someone must own the security and compliance strategy, but the requirements can extend beyond the expertise of operational IT and security managers.  Recruiting an experienced security leader is no easy task, however.  Due to the rapid pace of change, there remains a significant skills gap between increasingly sophisticated hackers and tech employees.  Cyber security is a specialized field requiring a clear understanding of the current threat landscape, thorough knowledge of contemporary security technologies and the latest defense best practices.  An experienced and skilled executive is paramount to identify gaps specific to an organization’s industry and mission and to mitigate risks holistically at their root, quickly and effectively.

Research undertaken by the Ponemon Institute concluded that, for organizations holding personal data, appointing a CISO reduced on average the cost of a security breach by $6 per data record. This adds up to a significant potential saving for any organization possessing personal records – not just those of their customers and prospects, but also of their employees.

Organizations can no longer maintain an informal, relatively lax security paradigm given the proliferation of threats in an increasingly interconnected world.  Even in the absence of large fines arising from regulatory non-compliance or missteps contributing to a security breach, the market will demand answers from a credible representative of an organization.

Many businesses mistakenly appoint “security officers” that do not have sufficient formal security experience and skills.  This is not recommended because it can have very serious consequences.  Given the complex financial and legal ramifications, various regulations and compliance drivers necessitate the hiring of a credible, experienced CISO.  Some examples include but are not limited to:

  • Federal Information Security Management Act (FISMA)
  • European Commission’s General Data Protection Regulation (GDPR)
  • Financial Industry Regulatory Authority Contact System (FINRA FCS)
  • New York Department of Financial Services Cyber Security Regulations (NY DFS)

Notwithstanding regulatory commitments, companies also face increasing market pressures to ensure customer privacy and security while safeguarding shareholder investments.  A capable CISO can adapt and quickly grasp the unique business environment the organization operates in and is able to keep the business from incurring penalties, lawsuits, bad press, or worse.

Why would you need a vCISO when you could simply hire a real one on a permanent basis? The answer is varied and not necessarily the same for everyone.

The majority of large corporate organizations employ a dedicated CISO to lead the security function, tasked with protecting the organization from ever-evolving cyber threats.  But for smaller organizations, the investment in a full-time member of the senior management team focused solely on security is often impossible to justify, especially when there isn’t enough work to keep a full-time CISO busy.

Even if you do manage to win approval to hire a full-time employee to lead your cyber and risk efforts, you will undoubtedly face major recruitment and retention challenges: CISOs worth their salt are in high demand, competition is fierce for the limited supply of qualified CISOs, and many command six-figure salaries.  What’s more, they often stay in their job for two years or less, because surveys reveal that many CISOs report being “burned out” from stress and overwork.

In contrast, a Virtual CISO is the ideal choice when there isn’t a requirement for a full-time CISO, when a major initiative requires deeper oversight, or when the current CISO can benefit from additional assistance.  Virtual CISOs offer on-demand flexibility, can be tailored to business needs, and are estimated to cost 30 – 40 percent less than a full-time CISO.  But the benefits go well beyond cost.  Virtual CISOs usually require no training, can hit the ground running, are purely results-driven, and can provide reasonable key performance indicators (KPIs) and reporting to measure success.  Having a seasoned security professional overseeing your organization’s information security can lead to desired business outcomes in a more cost-effective manner.

Some businesses may have a hard time justifying the salary and overhead of another full-time, permanent executive whereas others may find it difficult to compete for high-level talent, while others may not even need a full-time CISO.  Nonetheless, waiting until a security incident, such as a ransomware attack, has happened to find the expertise to deal with it is a foolhardy approach: prevention is more effective and less costly than cure.  But bolting on security controls as an afterthought is invariably expensive too and less effective than thoughtfully building them into your systems and processes from the beginning.

According to Gartner – a leading technology research company – organizations spend, on average, 5.6% of their overall IT budget on security and risk management. A CISO can help strategically align the security budget to the mission, maximizing the value of investments and mitigation strategies.

CISOs however are highly sought after, and with a restricted supply the good ones are expensive and hard to come by.  The salary range of a full-time CISO is $180k-$200k per year.  Add on benefits, bonuses, stock programs and the total compensation rises to $250k-$300k.  A qualified vCISO, who does not require benefits or an arduous on-boarding process, can cost a fraction of that amount, as little as $35k per year and as much as $250k per year.

Most businesses have invested in highly capable people to meet the core mission.  Where they require support, though, is in and around understanding their threat landscape and regulatory requirements, defining an appropriate security strategy and roadmap, and implementing with certainty, because cyber-attacks can pose an existential threat to any organization reliant on digital technology.

A virtual CISO from ControlPoints provides access to an experienced security professional who can enable your organization to have a strategy for information security, taking a holistic, risk-driven approach to protecting vital assets and elevating trust in an increasingly interconnected world. As a preferred advisor to Fortune 50 and government customers, there is no challenge or issue we haven’t seen before. We know where to find value, what works and what often fails.

What Makes Our Service Unique?

A study conducted by the Harvard Business Review finds 85% of executives from companies with mature practices cite trust as a necessary precondition for collaboration and innovation. Yet, only 9% of executives say their organizations are currently able to accurately measure the value of trust for their businesses. Our CISO-as-a-Service offering is specifically designed to build and measure trust as a business driver, resulting in increased employee productivity and innovation. Here’s how we help you demonstrate trust:

  • Update/expand your cybersecurity strategy
  • Employ risk analytics expertise
  • Leverage thought leadership to help your organization get smarter and respond to threats faster
  • Hire qualified cybersecurity expertise
  • Invest in employee training
  • Create a third-party management strategy

Recognizing that companies are in three potential states of defining, managing, or optimizing their security programs, we develop managed service models that align to these collective stages of security maturity.  For this reason over 90% of our customers rehire us because they see a clear return on their trust and risk investments.

Contracting a ControlPoints virtual CISO can give you access to the skills and experience of a C-level security leader much faster than going through a protracted search for a full-time position. A virtual CISO is an on-demand expert who provides more flexibility to work on specific projects and can scale as needed.  Notable advantages:

  • Unrivaled Expertise and Guidance.  It takes more than purchasing boilerplate written policy to create a meaningful cyber program that effectively cascades through the enterprise and fully integrates your risk management objectives.  When you want to take your business to the next level, you need to collaborate with a single, trusted partner who brings an unrivaled breadth and depth of cyber security experience and skills.  We support a myriad of organizations and bring lessons learned from other industries to help modernize your security approach with best-practice structure, rigor and accountability.  Get rapid technical support, advice and organizational response to breaches from an experienced cyber security professional who integrates seamlessly and pain-free with your existing personnel;
  • Stay Focused on Your Core Business.  We help you reduce your level of management oversight.  Get real-time access to senior strategic security expertise to supplement the existing management team or to provide coverage as an interim solution.  Outsourcing the CISO role allows your organization to stay focused on the core business objectives, while still benefitting from our expertise and experience to develop and maintain a robust information security program;
  • Upskill Your Team.  We are equipped with world-class processes and varied industry perspective having worked with a wide-range of companies to quickly deliver superior results.  Depending on the terms of the engagement – we can function as a leader/advisor of the security program, as a conduit to the board, or senior team member.  In all cases we champion the existing IT teams and ensure they are provided sufficient time and resources to carry out their functions properly.  Enhance your team’s skill with practitioner-led on the job training;
  • Drive Cost Effectiveness.  Get the advantages and peace of mind of an in-house, full time CISO at a fraction of the cost and without the recruitment challenges, fixed overheads and retention challenges.  We develop a custom-managed infosec program for your organization based on your company’s current needs, maturity of the security controls and IT platforms.  We complement, utilize and develop your existing capability to maximize invested capital.  What’s more, our typical engagements decrease in cost over time because your security program is designed with proven cyber transformation, maximum automation, mature processes, and repeatable security methods;
  • Expedite Change Effectively.  We will collaborate with you during the implementation of any remedial activities and provide support and assistance during the transition from reactive processes to proactive, risk-driven and business aligned information security that delivers on all your legal and regulatory obligations.  We monitor trends to keep pace with the threat landscape that help you maintain situational awareness and strengthen security operations.

End-to-end Governance, Risk, Compliance, Cyber, CISO (GRC3) Services Provided by Unrivaled Experts

Comparison of Benefits: ControlPoints vCISO vs. Independent Contractor vs. Full-Time CISO

  • Verifiable Industry Experience
  • Strategic Security Vision & Planning
  • Flexible Investment
  • Objectivity & Independence
  • No Training & Certification Costs
  • Fortune 50 and Government Cyber Performance
  • GRC3 Strategy-Implementation-Remediation
  • Proven Transformation Methodology
  • Infuse Advanced Risk Analytics
  • Update Annual Risk Assessment & Roadmap
  • Trust-Centric Reporting
  • Access to a Team of Domain Experts
  • No Turnover
  • Implement Controls That Pass 100% of Audits
  • Highest Value and ROI

Get 7x the Value by Only Paying For What You Need

Cost-effective access to a licensed and experienced professional without breaking the budget.

Cost Over Time   Our vCISO Service   Full Time CISO*^
Year 1           $24,000             $150,000 or more, plus $20,000 hiring cost
Year 2           $24,000             $155,000
Year 3           $24,000             $160,000

* CISO salary taken from publicly available figures for the year 2018
^ Full-time employees also require budget considerations for training, holiday, benefits, and sick leave.

Your CISO will help you with access to strategies and resources that you could not afford to maintain on a full-time basis, keeping you ahead of the game.  To ensure you get the support at the moment of need, we recommend you lock down our retainer service today.  We have a limited schedule of availability, and once it fills our schedule could get very busy working with other clients.  When an issue comes up where you need or want assistance and help, you don’t want to have to get in line.  Sign-up for a package that works best for you and you’ll get peace of mind knowing that any time something comes up you can give us a quick call or send an email.  As your advisor, we’re there on your side to consistently support the growth of your business and help with any of the challenges that might come up.

ControlPoints’ CISO consultants are highly experienced, with extensive senior / CISO level experience already under their belts.  Your vCISO will initially carry out a detailed security assessment of your organization, taking a wide view across the entire business to reveal the true extent of the challenges to be resolved.  We also look at the business in depth to identify what the valuable assets are and where they exist, the protections around them, and recommend solutions to fill any gaps.  We will deliver a report highlighting areas of weakness before providing board-level engagement to win the investment required to mitigate your organization’s key cyber security risks.  The initial report will serve as a baseline, enabling you to de-scope, re-architect and reduce exposure before proceeding.

Next, a comprehensive project plan and strategy will be developed to govern the information security program in tandem with the in-house IT team. We will review and normalize existing tools, techniques and policies benchmarked against industry leading solutions, conduct due diligence audits, oversee existing projects, and provide technology leadership; all the while acting as a member of your IT team and making sure our thinking is in the best interests of the business as a whole.  By acting as an extension of your in-house resources and gaining an intimate understanding of your business needs, the ‘CISO’ will provide ongoing management, remediation support, security advice and oversight.

We strive to deliver a flexible, responsive, personalized, and meaningful security program to each customer.  Throughout the life of the engagement our reporting will keep you abreast of what we are working on month to month, the tangible outcomes, and the value being generated as a result of the work.  Moreover, at a frequency of your choosing we’ll meet for a proper conversation but we’ll stay in touch in-between for lighter-touch support and questions.  If you’re ever really stuck you don’t have to wait for our next meeting – we’ll always make time whenever possible at short notice and no extra charge.  If it ever feels like projects require reprioritization we can just have a conversation and adjust as needed.

You Have Options

Complete Form to Engage Consulting by the Hour
