By Claus Thorhauge
Even large companies have a hard time locating, maintaining and developing the right competencies when it comes to information security. The task requires ever deeper, wide-ranging competences - and requires constant up-to-date knowledge. In response to this challenge, businesses can loan a CISO (Chief Information Security Officer) from NNIT.
Outsourcing of information security is a new and growing area that we will be seeing more of in the future. One of the reasons is that the securing of information has become so complex that it may be difficult to solve effectively using solely in-house competencies.
“Businesses can have difficulties in finding IT people with the right skills when it comes to information security. These specialized skills are coveted, and businesses need a deep and broad range of competencies,” says Management Consultant John Clayton from NNIT.
He points out that information security has become a crucial parameter for the business, that the task has become far more complex, and that it requires strategic, tactical and operational competencies.
“There are widely differing needs, and it is both costly and difficult to obtain the right people to resolve all aspects of information security for your business. On top of this, there’s the challenge of keeping the competencies of the security staff up to date, whilst managing to hold on to your CISO,” he adds.
In response to this challenge, businesses can loan a CISO from NNIT. NNIT calls this concept CISO-as-a-service, and it is an offer that includes expertise from more than one hundred security specialists.
“We have a large number of information security specialists, who together have an enormous range and depth of competencies. And we constantly strive to ensure they become even more skilled,” says Esben Kaufmann from NNIT, manager for Security Projects.
The NNIT security team is able to respond to strategic challenges in top and senior management, assist with advisory tasks relating to daily operations, and collaborate with the business’s own specialists in the IT department. The security team covers a wide range of areas, including Security Advisory, Identity & Access Management, Critical Systems Security and Computer Emergency Response.
“Maybe the most important thing is that we have people who understand the language of management and its needs. They have a great deal of experience in working with information security from the perspective of the board of directors and management,” explains Esben Kaufmann.
With CISO-as-a-Service, customers have access to a skilled, certified security manager who will advise on a strategic and tactical level, and who has access to specialists at all levels - in one package. With a CISO from NNIT, a business will literally be able to benefit from having access to a whole portfolio of security competencies.
“Our people can draw the lines connecting information security with the daily business. A business can quickly overspend on security if it is trying to secure everything. But with a skilled CISO, the business can establish the most cost-effective solution without having to compromise.”
“There is a qualitative gain to be achieved by acquiring assistance with security tasks. We can identify the right level of security, we have the necessary hands-on competencies and we keep our fingers on the pulse. The management will not be left with vague descriptions of what they ought to be doing. We make sure that we complete the task, throughout the entire organization,” explains Esben Kaufmann.
CISO-as-a-service can be adjusted to accommodate any organization. It is not a standard solution.
“Some customers enter into a service contract, while others make a short-term agreement with us on an hourly or daily basis, in order to resolve specific tasks. There is no one-size-fits-all in our CISO concept,” says John Clayton.
“CISO-as-a-Service can also be a supplement to the in-house security manager of the business. In connection with larger projects or special security problems, we often see that the security manager needs to draw on external competencies and resources. He can have access to those at NNIT,” says Esben Kaufmann.