Black Arrow Cyber Consulting: Our Services

Black Arrow Cyber Consulting: our Cyber and Information Security services

Virtual Chief Information Security Officer (vCISO)

Not just one Cyber and Information Security Specialist, but the support of a whole team of unparalleled experts to help protect you and your clients.

All Boards must demonstrate clear ownership of Cyber Security in their management team. However, the average salary for a Chief Information Security Officer (CISO) in the UK is around £120,000 to £180,000, and not all organisations have the required resources or the need to fill this role on a full-time basis.

Black Arrow offers a cost-effective virtual Chief Information Security Officer (vCISO) service to lead your Cyber and Information Security with your leadership team. We are a specialist team of experienced world-class professionals with an allocated time budget to suit your business profile, delivering significant advantages compared to a full-time resource.

Independent, impartial and objective, we complement your in-house and/or external IT team. We are supplier agnostic and do not have a vested interest in any other provider, but can provide direct access to our independent established relationships with leading market providers of technology, people and governance solutions.

Our team has unrivalled experience and industry-leading qualifications in Cyber and Information Security, HR, Operations, IT and Finance, giving our clients greater flexibility of availability and service to provide continuity of cover beyond standard business hours with no gaps for holidays and absence.

Our team works with Board level clients across multiple sectors and jurisdictions to upskill the leadership team in Cyber Security. This includes establishing a proportionate Cyber Security Strategy aligned to your risk profile and appetite, and leading your existing team or third party providers to implement your agreed plan with frequent updates to your Board. Our team-based approach enables us to consider different perspectives to address the challenges facing our clients and the ever-evolving threat landscape.


Cyber Security Gap Analysis

Our independent and objective analysis is strong and reassuring evidence to your stakeholders that you are taking cyber security seriously.

Our experience in gap analysis reports, including the GFSC Thematic Review, has enabled us to refine our structured methodology for helping clients to achieve and demonstrate compliance with leading practice including the GFSC Rules while minimising the commitment on resources.

Our gap analysis report compares your existing cyber security posture to the NIST framework as expected by the GFSC, investors, customers and the media. Critically, the review is objective and independent of IT providers and covers the GFSC’s requirements across people, operations and technology to demonstrate the Board’s recognition of business-wide risk. It is clear that a review conducted by an existing IT provider, where they assess their own work, will not achieve this objective.


Cyber Security Strategy

We work collaboratively with Boards to define and implement proportionate controls across people, operations and technology, to achieve the desired risk profile.

We help Boards to own and govern their Cyber and Information Security risk, with a strategy developed in collaboration with the Board to demonstrate to clients and Regulators that risks are being managed seriously. Our approach is to upskill Boards through knowledge transfer to enable their informed decision making and confidence in owning the Cyber Security Strategy.

It is essential that the Cyber Security Strategy should include the aligned controls across people, operations and technology. That is why it is not owned by IT, but by the Board. For example, HR has a key role in driving a ‘safety first’ culture by using performance and reward management as well as education and awareness. This is where our HR qualifications and experience separate us from IT consultancies. Equally, the Cyber Security Strategy should include the operational controls that will protect the organisation, including the procedural controls that identify and challenge anomalous activity.

Our governance and transformation experience from working with global clients enables us to support clients in driving the implementation of the strategy at pace in the context of wider business activities and priorities.


Cyber Security Readiness Exercises and Simulations

From the moment you learn that something has gone wrong, what you do next determines whether your firm survives and how quickly you can get back on your feet.

A strong Cyber Security strategy includes not only robust technology and people controls, but also a well-defined approach to managing and recovering from an incident.

We can work with you to devise and rehearse a cyber incident response plan that fits your business and priorities, based on our suite of table-top scenario exercises around Cyber Security events such as ransomware and data loss. The outcome for you is a rehearsed action plan involving your representatives in Communications, Legal, IT and HR to maintain the confidence of your customers and investors while quickly bringing your business back on board.


Education, Awareness and Training

One employee clicking on one email can bring down an organisation. Your employees are available to be part of your controls, if you show them how.

Protecting your business against a cyber attack requires the aligned controls across people, operations and technology. For your users, that means not only do they need to be vigilant for people-enabled attacks but they must also know the value of the other controls that you have put in place and the consequence of disregarding them.

Cyber and Information Security training should never be a tick-box exercise, because that will not make a difference in your security levels. For the same cost and time, you can achieve a credible increase in resilience against failures in your cyber controls, and demonstrate to the Regulator and stakeholders that you are taking security seriously.

That is why this is not ‘IT training’, and it needs a wider view than an IT provider.

Your users are available to be part of your controls. Our experience and qualifications in HR, business operations and Cyber and Information Security make us ideally placed to help you gain the most from strengthening your controls across people, operations and technology.


Threat Intelligence

Boards need to be aware of the current threat landscape and re-evaluate where they should prioritise their limited resources to maximise their level of protection.

Our experience in British Intelligence, Central Government, FTSE100 and Offshore financial services, the Guernsey Financial Services Commission and the Channel Islands Information Security Forum (CIISF), has shown us that Cyber Security is constantly evolving and affects businesses in different ways.

We constantly monitor open source intelligence and various news feeds on Cyber Security, and discuss these insights with our peers both on and off the Islands, to add depth to our expertise and understanding. We couple this with our knowledge from working with clients, and our understanding of the services and products on the market. We use these insights, on an anonymised basis, in our work with clients on all the service offerings described above.