Our Methodology
Our comprehensive information security assessment is based on industry-leading standards. It helps businesses get a baseline understanding of where their security weaknesses are, build a roadmap to address them, and then track the continuous improvement of their security posture over time.
Define the scope of the engagement
We start by defining the scope of the vCISO’s role. This includes the specific security issues that the vCISO will be responsible for, as well as the duration of the engagement.
Conduct a security assessment
Before your vCISO begins their engagement, we conduct a security assessment to identify any vulnerabilities or gaps in your organisation’s security posture. This assessment will provide your vCISO with a baseline of your organisation’s security posture.
Develop a roadmap
Using the results of the security assessment, your vCISO will develop a roadmap for improving your organisation’s security posture. The roadmap will include short-term and long-term goals, as well as an implementation plan for achieving those goals.
Implement the roadmap
Once the roadmap has been developed, it’s time to start implementing it. Your new vCISO should work closely with your organisation’s IT and security teams to ensure that the roadmap is being implemented effectively. Where there are no internal teams to work with, Numata can provide additional resources to fill the gaps for you.
Provide ongoing support
Cybersecurity is an ongoing process, so your vCISO will provide ongoing support to your organisation. This may include regular security assessments, vulnerability management, incident response planning, and employee training.
Measure success
Number of security incidents: This metric measures the number of security incidents that occur within your organisation over a period of time. By tracking this metric, you can identify trends and patterns in the types of incidents that occur, and use this information to improve your organisation’s security defences.
Time to detect and respond to incidents: This metric measures the amount of time it takes for your organisation to detect and respond to security incidents. A lower time-to-detect and time-to-respond metric indicates that your organisation has effective incident response processes in place.
Vulnerability management: This metric measures your organisation’s ability to identify and remediate vulnerabilities in a timely manner. You can track metrics such as the number of vulnerabilities discovered, the time it takes to remediate them, and the percentage of vulnerabilities remediated within a specific timeframe.
Compliance: This metric measures your organisation’s compliance with relevant regulatory frameworks, such as HIPAA, PCI, POPIA and GDPR. You can track metrics such as the number of compliance violations, the time it takes to remediate violations, and the percentage of violations remediated within a specific timeframe.
Security awareness: This metric measures the effectiveness of your organisation’s security awareness training program. You can track metrics such as the number of employees who complete security awareness training, the frequency of phishing attacks, and the percentage of employees who report phishing attempts.
Third-party vendor management: This metric measures your organisation’s ability to manage third-party vendor risks. You can track metrics such as the number of vendors assessed, the percentage of vendors who meet your organisation’s security requirements, and the number of security incidents caused by third-party vendors.
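As an added example (not part of Numata's methodology or tooling), the Python below computes three of the metrics described above from constructed incident and vulnerability records: the incident count for a period, mean time to detect and to respond, and the percentage of vulnerabilities remediated within a timeframe. The per-severity SLA days are an assumed policy, not a value from this page.

```python
from datetime import datetime, timedelta
# Constructed sample records (not real data). Incidents carry the time attacker
# activity started, the time it was detected, and the time response completed.
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T08:00", "detected": "2024-03-01T10:00", "responded": "2024-03-01T14:00"},
    {"id": "INC-2", "start": "2024-03-10T09:00", "detected": "2024-03-11T09:00", "responded": "2024-03-11T15:00"},
    {"id": "INC-3", "start": "2024-04-02T12:00", "detected": "2024-04-02T13:00", "responded": "2024-04-02T13:30"},
]
# Vulnerability findings; "remediated" is None while a finding is still open.
VULNS = [
    {"id": "V-1", "severity": "critical", "discovered": "2024-03-01", "remediated": "2024-03-05"},
    {"id": "V-2", "severity": "critical", "discovered": "2024-03-01", "remediated": "2024-03-12"},
    {"id": "V-3", "severity": "high", "discovered": "2024-03-10", "remediated": "2024-04-01"},
    {"id": "V-4", "severity": "high", "discovered": "2024-03-01", "remediated": None},
    {"id": "V-5", "severity": "medium", "discovered": "2024-04-01", "remediated": None},
]
# Assumed remediation SLA in days per severity (an illustrative policy, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

def _t(s):
    return datetime.fromisoformat(s)

def incidents_in_period(incidents, start, end):
    """Incidents whose start falls in [start, end) (ISO strings): the incident-count metric."""
    return [i for i in incidents if _t(start) <= _t(i["start"]) < _t(end)]

def mean_hours(incidents, from_key, to_key):
    """Mean elapsed hours between two timestamps: start->detected gives time to
    detect, detected->responded gives time to respond. 0.0 if there are no incidents."""
    hours = [(_t(i[to_key]) - _t(i[from_key])).total_seconds() / 3600 for i in incidents]
    return sum(hours) / len(hours) if hours else 0.0

def sla_compliance(vulns, sla_days, as_of):
    """Share of findings remediated inside their severity SLA as of a date (ISO string).
    Open findings past their deadline count as missed; open findings still inside
    their deadline are pending and left out of the percentage."""
    met = missed = 0
    for v in vulns:
        deadline = _t(v["discovered"]) + timedelta(days=sla_days[v["severity"]])
        if v["remediated"] is None:
            if _t(as_of) > deadline:
                missed += 1
        elif _t(v["remediated"]) <= deadline:
            met += 1
        else:
            missed += 1
    decided = met + missed
    pct = round(met / decided * 100, 1) if decided else 100.0
    return {"met": met, "missed": missed, "pending": len(vulns) - decided, "percent_within_sla": pct}
```

Counting an open finding as missed only once its deadline has passed keeps the percentage from looking worse (or better) than it is while recent findings are still inside their window.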