CISO as a Service (CaaS)

The role of the CISO is complex and diverse: it requires specialist knowledge of technology, policy, security suppliers (e.g. pentesters or network equipment suppliers), and incident response, as well as the ability to assess new reports and findings and to resolve security issues. But good knowledge of your organization, its stakeholders and its interests is also required to secure your organization. That is why many organizations choose to purchase the CISO role from us as a service: CISO-as-a-service. We cannot do this alone, because you know your organization like no other.

This works best in collaboration with you and your colleagues: you know your organization and its interests like no other, and depending on the need, we are the partner with CISO-specific knowledge to support you or take your organization to a higher level. For one organization, this means that we guide pentests as a sparring partner, audit suppliers, and coach development teams. With another organization, we set up the policy together and help the existing CISO organization improve security, while we keep a finger on the pulse via our CaaS platform and define the next step for improvement, or sound the alarm in case of irregularities.

We work on the basis of the following pillars:

  • Information security policy. Together with you, our consultants set up the information security policy that suits your organization and the required security level.

  • CaaS platform. The information security policy is linked to the controls in our system, which ensures that your IT landscape is tested against the chosen policy, while your stakeholders and the Void Pointer consultants have insight based on the reports and analysis of our platform.

  • Continuous monitoring and collaboration. The next step is to continuously determine, based on the reports, what is needed to maintain or improve the security posture. What action should be taken on a recently discovered problem in a library? Is it time to pentest your critical application? If so, we can put you in touch with the right party and are happy to guide this process from start to finish. Or should there be an investment in software or hardware to prevent vulnerabilities and attacks?