From the organization’s beginning, NJEdge has been dedicated to creating a better world for its members by providing statewide advanced networking, access to optimal technology solutions and services, and insight and expertise in information technologies.
With technology ecosystems changing rapidly, budgets tightening and resources remaining limited, and prompted by member input, NJEdge saw the need to offer its members a new solution: access to an EdgePro Virtual Chief Information Security Officer (vCISO).
Many institutions require guidance in recognizing and implementing viable information security strategies and policies to maintain their security effectiveness while simultaneously ensuring adherence to regulatory and compliance requirements. The Chief Information Security Officer (CISO) plays a vital role in IT leadership, balancing information security, risk and general business challenges, but not every institution has the ability or the need to hire a CISO full-time.
The EdgePro vCISO service was created to fill this gap and help NJEdge members in need of the service.
Fairleigh Dickinson University (FDU) was the first organization to utilize the EdgePro vCISO service, after its associate vice president and CTO/CISO departed.
“I had been advocating for the concept on behalf of a vCISO because I had heard from other institutions there was a need, but for FDU I had no interest or desire because with my AVP and CTO/CISO, I had no need,” said Neal Sturm, FDU’s Vice President and Chief Information Officer. “When my associate VP resigned, I began rethinking how I was going to replace the position.”
Sturm decided to separate the network, system and security components and created a new director of systems and a new director of networks at FDU. Then he signed up for the vCISO service for a year, which started in September 2018.
“Having a vCISO is working very well. The virtual position is cost-effective, and, more importantly, I think by having an outside person focused on technology security, and also working with other institutions, he brings some additional depth and experience to the role,” Sturm said.
The Role of a vCISO
Sturm has been impacting decisions at FDU since 1977, when he first started working for the University as a student employee in the computer center. He has seen countless changes in the past 41 years and feels information security has been a huge game changer.
The types of cybersecurity considered during the 1970s and 1980s are dramatically different than what is dealt with in today’s world. Even five years ago, many institutions didn’t even consider owning a cyber liability insurance policy. Now, not having a policy is the exception – and a liability.
“When I began my career in the 1970s, we used paper tape, punch cards and Teletype ASR 33s,” Sturm said. “Today, technology has transformed every single facet and function of the University. The most significant thing for me that’s changed is how tasks are accomplished. Interestingly, there is the lack of ability to do things quickly, which has nothing to do with technology itself.”
However, the lengthy process for implementing technology and the complications of contracting technology play into the need for a qualified CISO. In this case, FDU’s vCISO makes sure all of the information security related terms, conditions, and clauses in all agreements are met and completed correctly.
The vCISO service was created to provide clients with actionable information security strategies and to define the optimum information security direction for an organization. At FDU, for instance, the University gains independent and objective input that confirms the University’s security posture is on track, identifies areas needing improvement, and continues to support the areas where compliance has already been met.
The partnership between an organization and NJEdge depends on need, whether the arrangement is for a few hours, on a per-project basis, or as full-time staff augmentation. The vCISO focuses on executive-level strategy, policy development, and process creation for the immediate adoption, implementation, and operation of improvements within the organization.
NJEdge assigns the vCISO to the organization, but if the arrangement isn’t a good match, a new vCISO would be provided.
Need for a vCISO
Many institutions in higher education are finding it necessary to decide where to apply their financial resources. Colleges and universities are choosing where to focus their energies and determining which specialties are affordable, especially with regard to information security.
For FDU, it wasn’t a cost decision, but the University was excited about the opportunity to try something different.
“The cost is reasonable, but our decision wasn’t made based on cost,” he said. “For us, the decision was based on an opportunity to try something new and different, and if we could save money in the process, so much the better.”
Every organization has different needs and requests, which is why NJEdge added the vCISO component to its EdgePro Solutions.
“I definitely see collaboration as a key item, because of the knowledge the vCISO brings to the position,” Sturm said. “This individual draws upon their past experiences, knowledge gained from assisting former clients and customers as well as valuable insights from their peers.”
Sturm says the value an outside, objective vCISO brings to an organization is substantial, especially because that individual draws upon their past experiences and on their work with the other members they have assisted.
Facets of a vCISO
By fully immersing themselves in the position, the vCISO plays an essential role in many of the strategic matters faced by the institution or organization. At FDU specifically, the vCISO is treated as a bona fide FDU employee. Currently, NJEdge’s Jeremy Livingston is serving in the vCISO role for FDU.
Livingston has an FDU email address and uses an FDU signature at the end of all correspondence. He also has a virtual FDU phone number with an FDU campus extension.
“By my desire and design, our vCISO doesn’t initiate projects or requests without first clarifying, ‘do you want me to handle this task?’” Sturm said. “Because obviously everything has a cost, so I make judgments as to what I’d like him to prioritize and accomplish. That being said, our vCISO reviews everything and, subsequently, he feels like the regular CISO at FDU.”
From everybody’s perspective, Livingston is FDU’s CISO, as he plays an active role in all related functions. For example, he reviews products and services and reviews contracts from a security perspective. If a department would like to purchase something, Sturm conducts a preliminary IT review and then Livingston completes a security review of the contract.
“Either I or someone else on my team conducts the regular technical review and he takes care of the security portion, and then we talk about our collective reviews prior to coming to a consensus,” Sturm said. “Few people know he’s in a virtual position. He looks and feels like he is the regular full-time CISO at the University.”
Livingston has been a necessary participant in the Data Security Incident Response Team (DSIRT) meetings, where all information security issues and policies are discussed. The group also manages vendor risk and reviews how personally identifiable information is or will be used in software and programs. The vCISO also reviews security reports and provides his analysis of a vendor based on the details of its BitSight Report.
“I liken the BitSight Report to Dun & Bradstreet reports in the corporate world. Where the Dun & Bradstreet reports focus on the overall strength of a company from a business perspective, the BitSight Report represents a dynamic measurement of cybersecurity risk,” Sturm said.
The BitSight Report is a perfect example of one of the many functions Livingston performs as FDU’s vCISO. Using his extensive background, Livingston is able to review and contribute to a process whose end result presents valuable data and insights into third- and fourth-party risk, benchmarks security performance, and assesses aggregate risk with objective, verifiable and actionable Security Ratings.
While the BitSight process represents just one example of the vCISO’s role, FDU has also been using its vCISO to help the University consolidate policies, as well as to recommend self-training programs for its staff.
For those interested in adding a vCISO to their organization, Sturm recommends trying the position for a set period of time (he recommends one year). In addition to determining the engagement period, Sturm also recommends selecting specific parameters and objectives at the outset of the engagement.
“Some institutions and businesses have a CISO and pay them a dedicated full-time salary to do a job where the person may not be needed for the full amount of time,” Sturm said. “There may not be enough work for the CISO to comprise a full 40-hour work week. With the vCISO, you can have them work the time you need and in the role you need.”
Learn more about the responsibilities of a vCISO and whether it’s right for your organization: https://njedge.net/solutions/edgepro/vciso/