Virtual Security Officer
When asked about my job at – say – at a birthday party, or other social event and I tell them, people pause for a few seconds, then, usually with a puzzled expression ask, “but what exactly does a Virtual Security Officer do?”. Often, people confuse my role with that of a ‘physical’ security officer who might be responsible for securing access to buildings and other sites. My job is quite different; and although more people are now aware of it, I thought I’d explain what I do in a little more detail and make the importance of it clearer.
Information security (or cybersecurity) is the security of information, basically all virtual information or data, stored on premises, on devices such as laptops, phones, iPads, connected devices, and in the cloud. This can be all sorts of information, from personal details of your employees, log in details to your bank account, customer details recorded by a customer service employee, sensitive information about a new development, all the way to, government secrets.
When this information is being created and stored in an environment where its security is not considered, this can have serious consequences. Personal information can be leaked and fall into the hands of people with bad intentions; leading to data breaches and abuse of personal information and payment information. Not forgetting the implications for organisations, for instance, when their systems are taken hostage in return for a high ransom. Occasionally, the hacker leaks (distributes) information to the public, pressuring organisations into paying the ransom. In this scenario, I refer to the hacker as the person that has arranged access to data, usually by breaking into the system without consent, and is requesting ransom to return access to the system owners.
A hacker (sometimes known as a pen tester, short for penetration tester), is not always a “bad guy”. To give you a better understanding, I will explain the difference between the ‘white hat’ hackers and ‘black hat’ hackers.
White hat hackers work together with organisations to test their security provisions, to fix any issues and improve their overall defences. These are otherwise known as ethical hackers – as they clearly work on the right side of the law. Black hat hackers, conversely, exploit weaknesses in systems to gain access to data and systems for various reasons, such as financial gain, political influence, revenge and so on – definitely not ethical in any way!
Being the victim of an information security incident can lead to long term reputational damage for organisations. In addition, it can be costly restoring the business operations – if you haven’t been taking proper care of your information security and get caught, you’re probably going to pay a large fine for infringing privacy laws such as GDPR.
Increasing number of organisations aim to protect their crown jewels
Luckily, organisations are becoming increasingly aware of the importance of their organisation’s information security posture. Organisations can protect their information security assets in various ways:
- Having a strong firewall and anti-virus protection
- Operating with zero trust and providing access only to people that should have access (on a need-to-know basis) by regulating the identity and access management
- Complete and timely patch-management
- Security information and event management (SIEM)
- Regularly (pen) testing the security of the web application and infrastructure security
- Creating a human firewall through awareness programs for employees
The starting point, in my opinion, is good Governance, Risk and Compliance, and developing a plan for the organisation’s information security throughout.
I can imagine that the terminology can be confusing, but in summary and essence, it is about defining your starting point – drafting a plan for the information security of your organisation, executing it, testing it, adjusting where necessary based on the tests, and monitoring whether the implemented information security activities are executed in alignment with your plan (governance). However, it is utmost important that the laws and regulations are considered and are borne by the organisation. This is where compliance comes in play, and where internal and external auditors come to the rescue – to check if your organisation is cohering with applicable standards and regulations and whether you are in control of your organisation.
What the Virtual Security Officer can mean to your organisation?
Now that you have an idea about information security and what organisations can do to improve their security posture, you’re probably curious what role a Virtual Security Officer has in the process.
The Virtual Security Officer views the information security organisation from a people, process and technology perspective and aims to ensure the availability, integrity and confidentiality of information and systems. The Virtual Security Officer aims to improve the organisation’s security maturity, and thereby advises and provides guidance to the management and/or board regarding information security. As a result, processes will be clearer and better structured, documentation will be complete and up to date, sufficient thoughts are put into the handling of incidents and privacy breaches; and everything will be recorded in a governance that is reviewed regularly.
The Virtual Security Officer will be aware of internal and external risks and handles these according to the best risk management strategy for your organisation. The rapidly changing information security landscape and increasing threats and threat actors, makes organisations more anxious and aware of information security every day – not always voluntarily, sometimes as the result of a (targeted) attack.
Organisations should be aware of their ecosystem and the position that they have within this ecosystem. Who are their supply chain partners and where are the dependencies in this supply chain? When this is not the case, an information security attack or incident, can have far reaching consequences throughout the supply chain. Therefore, organisations should start the conversation about information security with their employees, clients, suppliers, and other parties in their supply chain; to understand how their information security is arranged and where risks can arise from the ecosystem.
A Virtual Security Officer can help navigate these conversations with your partners and help to mitigate risks. Luckily, more organisations are aware of these threats and subsequently require their (supply chain) partners to prove to have their information security in place. This can be addressed through certifications that are proof that your organisation adheres to information security requirements, such as ISO27001. The Virtual Security Officer can even help you in your certification journey.
When considering the people aspect of information security, it is crucial to increase internal information security awareness. Staff and colleagues are often an underestimated asset to an organisation but can be a risk too. Therefore, the Virtual Security Officer can steer the development and roll out of awareness programs for employees.
The Virtual Security Officer also contributes to the design of the security organisation, which entails the definition of roles and responsibilities in the organisation and also ensuring accountability. From a technical perspective, the Virtual Security Officer ensures that systems and applications are secured – by good firewalls and anti-virus, access management, and proper password management. In addition, back-ups are continuously created and are stored safely, providing timely access in case of incidents and disasters. The web application and infrastructure of the organisation is regularly tested and improved.
All these activities are essential in preventing breaches and incidents from happening, but also aim at guaranteeing a rapid recovery and continuity of the business processes with minimum loss when an incident occurs. Now that you have educated yourself on information security, ask yourself: how is the security posture of my organisation.