One Way to Boost Proactive Cybersecurity

Chip Coy, Solution Architect

It’s clear from media articles that new CISOs need to make an immediate impact on their organization’s security program in the first 90 days with action items such as “make a quarterly plan for the next year”.

When you compare this to the typical day of a CISO, there’s not a spare moment to work on anything outside of maintaining the existing security infrastructure or dealing with the fire drill of the moment.  So how can you be proactive when you’re so busy being reactive?  Here are some ideas for how to get out of the reactive mode so you can focus on proactive security measures.

Suppose there’s a project that needs to be done and that has management support and funding, for example building a risk management program for using cloud services. There are two approaches to managing the project: either free up staff to focus on it or bring in outside expertise to complete it.

Finding more time for your security team requires change, and considering outsourcing some team activities can be part of that change:

  • Firewalls, VPN concentrators, other ingress/egress controls:  Many vendors can manage these border protection devices. Not only can this save time for your team, but using an outside vendor may also give you a better audit trail of changes to these devices.

  • Log management and monitoring:  Using a vendor to manage log servers may allow you to revisit why those servers are in place. Some organizations lose sight of actually using the logs (through reviews, automated or otherwise) amid the day-to-day work of keeping the servers running and making sure the rest of the organization keeps sending logs to them.

  • Vulnerability scanning:  An outside vendor can save you the time spent on managing a vulnerability scanning infrastructure and also provide a stronger focus on fixing identified problems.

When looking for vendors to help with these projects, it’s typically most efficient to identify the ones that use the technology you’re using today. This makes the transition easier and allows the staff that managed these activities in-house to manage the vendor more effectively.

Even after you transition some in-house responsibilities to vendors you may still need to consider hiring outside help for other projects simply because there’s not enough staff time or specific security framework expertise to get the job done.

There are a couple of options to consider:

  1. Do you hire an outside firm to manage the project in its entirety?

  2. Do you hire an outside firm to augment your staff, allowing it to take over enough of the day-to-day work that your own staff can lead the project?

There are many items to consider for each option.  But given the extremely high demand for information security skills today and your need to keep your team intact, you might consider option 2 as a way to give your staff interesting work so they stay on board, as opposed to watching “the consultants” come in and do the work they likely wanted to perform themselves.

Either option requires funding, which may not be available. A common approach that we see is to use your security advisory firm to help justify the necessary funding for cyber risk and cybersecurity programs.  We have collective knowledge from working with many organizations on strengthening their cyber security posture that can help with securing support for security projects from the executive team.

We help clients with both approaches. While the majority of our work requires us to manage the entire project, we also do a lot of staff augmentation projects – everything from providing an interim CISO for organizations that need to develop an information security plan, to providing skilled security specialist(s) that work under the direction of the CISO on a temporary basis.

If your security team struggles with the day-to-day grind and fire drills, and rarely finds the time to be proactive despite your best intentions, contact us to discuss your specific needs and we can develop a plan for success.

Chip Coy