vCISO case study: Retailer

Virtual chief information security officers, or vCISOs, can offer businesses the enterprise-caliber expertise needed to architect and implement customized security, privacy, and compliance solutions.

CohnReznick recently had the opportunity to support a large retailer as a vCISO, helping to strengthen their policies, procedures, and capabilities in a number of critical areas.

Visibility: Management did not have enough cybersecurity visibility for their IT program and eCommerce platform.

Solution: CohnReznick provided various sets of ongoing activities to keep management informed of cybersecurity risks across the organization, and provided monthly and quarterly cyber reports.

Strategy: The company did not have an established cybersecurity vision based on their business objectives, and had limited knowledge of where investments needed to be made.

Solution: CohnReznick established a cybersecurity strategy that consisted of an adopted framework and short- and long-term goals for the company to achieve that were based on their evolving business strategy.

Risk awareness: IT and management did not have the resources in place to continuously identify and report cybersecurity risks.

Solution: CohnReznick performed a comprehensive technical risk assessment that reviewed security controls on the company’s eCommerce platform and infrastructure based on an industry standard.

Vendor risk: There was a lack of processes in place to understand risks that were being inherited from vendors and service providers.

Solution: CohnReznick established a vendor risk management program that was scalable for the organization to adopt, and helped define the process to perform due diligence activities, such as identifying vendor cybersecurity risks and risk-rating vendors.

Compliance: The company did not have enough resources to continuously be aware of new data-related regulations applicable to its eCommerce business.

Solution: CohnReznick performed an assessment to identify gaps and alignment with the Payment Card Industry Data Security Standard (PCI-DSS), and continues to advise the company of applicable U.S. state and global data privacy-related regulations.

Security awareness training: The company had a reactive approach in its security awareness and training program and capabilities.

Solution: CohnReznick helped the company enhance its security awareness and training program with reoccurring training and phishing exercises.

Incident response: The company did not have documented procedures and communication protocols in place for responding to, managing, and reporting security incidents and data breaches.

Solution: CohnReznick helped establish an incident response plan with detailed workflows and processes for the incident response team to respond to security events; triage and prioritize security incidents or data breaches; and report them to necessary stakeholders.