Chief Information Security Officers On Demand

"Cyber security resources continue to be in high demand in the U.S., with Chief Information Security Officer (CISO) and engineering positions left vacant.   Smaller firms with only part-time information security needs have an even tougher time finding experienced resources that fit their culture."

Working Security CISO On-Demand Services allow you to respond to cyber security, audit/compliance and incident response needs now.   If your needs are less than full time or you are searching for a permanent hire, our services keep your projects and operations moving.

Delivered at your offices or remotely, our services are tailored to fit your needs and complement the skills you already have in-house.  

We support corporate boards, executives, and owners, as well as CIOs and CTOs who need an experienced strategic resource on specific projects.   Our CISOs have deep business backgrounds to support strategic planning as well as the technical knowledge required to work directly with I/T leadership on implementation strategies.

Our CISOs: 

  • Support your technology project teams to manage security risks;
  • Work with regulators and partners to complete Compliance and Certification processes;
  • Respond to questionnaires from Business Associates, Partners and Vendors;
  • Train your staff and business partners to minimize risk to the business;
  • Implement and deliver Incident Response and Risk Management services; and
  • Develop security operations capabilities for your existing Helpdesk or NOC.

 

Risk Assessment in the Spotlight

Risk assessment for healthcare providers and business associates is again in the spotlight. The Department of Health and Human Services is gearing up for a new round of HIPAA audits. At this point they are surveying 1200 firms, and the survey will include business associates. The survey will result in hundreds of audits. Risk assessments are of continued interest in this round.

Why does risk assessment keep jumping to the front?   Any time we hear of a breach of personal information an investigation follows.   It's very rare that an organization has done nothing to secure data.   The problem is they've done the wrong things.

Risk Assessment is the missing first step in the process of establishing an effective Information Security program. It creates a prioritized roadmap for firms to address information security issues. In short, it tells an organization where to spend its time and money most effectively.

Too many organizations fall victim to product-based compliance schemes, thinking that purchasing specific software or hardware products will make them HIPAA compliant.

When risk assessment is cited as a shortfall, it's a good sign the organization was spending money on security, but wasn't making informed decisions.

The difference between demonstrating due diligence in securing information assets and failing to do so can sometimes be as simple as producing the results from an annual risk assessment.

"We understood that risk, but didn't mitigate it as well as we could," is very different than saying "We never thought about that risk and instead thought our anti-virus would protect us."

Resulting costs can include millions of dollars and significant patient attrition.
