A Guiding Hand for Organisational Security: Virtual CISO (Chief Information Security Officer)
Client: ACME Housing Association (anonymised to protect client confidentiality)
Sector: Housing Developer
Company Size: 2,000+ employees
A large developer with a 50-year heritage building well-designed, sustainable communities, ACME Housing Association (ACME HA) had leadership that faced several challenges, including a lack of security and risk awareness, and knew it was time for change. Perspective Risk’s GRC (Governance, Risk and Compliance) team designed a sustainable security strategy and plan that addressed their immediate concerns and enabled them to take control of their security requirements and manage them in-house in the future.
ACME Housing Association is a large developer with a 50-year heritage building well-designed, sustainable communities. It delivers schemes of all sizes, from small residential developments to garden villages and larger urban regeneration schemes.
With a complex network of suppliers, and limited visibility of its security posture, ACME HA’s leadership faced several challenges:
- No security strategy and a lack of ownership
- No culture of security and risk awareness beyond ACME HA’s IT team
- Disparate security technologies and practices
- No holistic understanding or view of the risks
- Multiple third parties further complicating the picture, potentially exposing ACME HA’s confidential information and leaving it open to compromise
It was time to change, and as ACME HA traditionally struggled to get on top of these issues, its senior management decided to bring in expert, outside help.
Our GRC (Governance, Risk and Compliance) team were tasked with designing a security strategy and developing a plan to address immediate concerns. Furthermore, it had to be sustainable and enable ACME HA to take control of its security and manage it in-house in the future.
Virtual CISO: The Brief
Our Virtual CISO service was required to provide a dedicated consultant to manage ACME Housing’s information security strategy and operations. The service was part-time, over a flexible six to twelve-month term. Our Virtual Chief Information Security Officer’s brief included:
- Define a security strategy, operationally aligned with the business and its risk profile
- Develop and implement security policies
- Create and deliver company-wide security awareness training programmes
- Security operations (SecOps) process guidance and management
- Third-party risk management
- Ultimately, enable ACME HA to appoint a full-time equivalent security resource
A Collaboration of Experts
We worked in harmony with other teams across the Content+Cloud group. These included our Managed Services IT team, who took over from the incumbent provider, and our newly procured CSOC (Cyber Security Operations Centre) service.
It was also vital to leverage the value of ACME Housing’s internal IT Team, ensuring a comprehensive, joined-up approach to threat and incident management.
Virtual CISO in Action
Conversations with the senior leadership team revealed that there had been no review of existing security policies since their first draft, nor had they been distributed sufficiently across the business.
Because of this, our Virtual CISO’s role extended to analysing the security policy framework. This entailed developing additional content in line with the GDPR and increasing security awareness across the business.
And we moved swiftly. In the early weeks of the engagement, our Virtual CISO drafted new policies aligned with ACME HA’s mission, and its security objectives, such as compliance with the GDPR and the implementation of standards from ISO 27001:2013, were met.
In the spirit of real teamwork and transparency, we also worked with the company’s HR and learning management teams on a strategy to communicate changes to the broader business.
Results and Benefits
With our cohesive approach alongside the other services we deliver, the ACME Housing Association has substantially reduced its risk, achieving a level of control over its assets beyond the company’s expectations. Today, ACME HA is enjoying:
- Through regular network vulnerability scanning, a faster process of identifying vulnerabilities and managing remediation
- Increased security awareness across the business and enthusiastic feedback from staff and stakeholders alike
- Security-led service management reviews with all third parties, ensuring continued quality of service in line with stringent SLAs (Service Level Agreements)
- An improved risk management structure, where identified risks are reported regularly, allowing them to be addressed appropriately
- High-performing security operations (SecOps) through the integration of the Content+Cloud group’s CSOC (Cyber Security Operations Centre) with ACME HA’s internal IT Team, giving a repeatable and efficient cycle of risk management: identify, assess, fix and re-check found vulnerabilities
- A full-time equivalent security role within the business, who received a well-executed handover by our virtual CISO consultant
“Perspective Risk, and the wider Content+Cloud group, surpassed our expectations. From day one, we had a strong sense that our security was in the hands of a highly capable team of experts. They seemed to understand our needs instinctively and suggested ideas we hadn’t considered.
“And they’re generous with their time and knowledge, often going above and beyond their contractual obligations to ensure our satisfaction. Today, a full-time member of staff has replaced the Virtual CISO, and it’s thanks to their efforts – and the continued services of their CSOC – that everything is running so well.”
– Operations Director, ACME Housing Association
Perspective Risk Core Services Provided:
- Virtual Chief Information Security Officer (CISO)
Other Services Provided:
Wider services delivered by Perspective Risk and the Content+Cloud group include Cyber Security Operations Centre (CSOC), IT Managed Services, Infrastructure-as-a-Service (IaaS) and DevOps customisation of service management tooling.