A flexible CISO service for SME’s

Flexible CISO service to the on-demand market for SME’s

The flexible CISO service by QuoStar can help SME’s navigate the ever changing cyber-security landscape.

Cyber crime is changing quickly, it’s a global issue and its ramping by the day. The cybercrime industry is on-target to cost the world $6 trillion in 2021 and is forecast to cost $10.5 trillion by the end of 2025. Everyone is under threat. From the individual sat at home on their iPad or mobile phone, through to small, medium, and large-scale enterprises – even countries! 

So how do mid-market and smaller organisations protect against the clear and present dangers? Cyber Essentials? Without a doubt, cyber essentials ‘does not’ make you secure – it is the absolute bare minimum you need to be doing; look at it like locking the doors to your house. It is the same with anti-virus and firewalls – they are no longer enough. 

  • Does the board and IT team really understand the true level of risk they face in every area of the organisation?
  • How are those risks to evaluated and controlled?
  • Can they make the right budgeting decisions? 
  • How do they respond if there is a breach?
  • How do you do deal with regulators, such as the ICO (Information Commissioner’s Office)?
  • Is their security stance continually improved?  

That’s where QuoStar’s flexible CISO service comes in

As a Leading IT consultancy, QuoStar is offering you access to an on-demand CISO (Chief Information Security Officer) service that can provide organisations with flexible and cost-effective access to senior cybersecurity leadership as and when they need it – from a fully seasoned professional.  

Our on-demand service provides clients with ongoing senior IT leadership and guidance on cybersecurity strategy, management, and response from a certified and experienced CISO. They will be able to identify, control, and manage the multitude of threats and challenges businesses face in today’s rapidly changing security landscape from the get-go.  

The on-demand service operates in close partnership with senior business leadership and IT teams to ensure both parties hold the relevant responsibilities and accountabilities. They will also help to run and implement Information Security Management Systems, such as IASME or ISO27001. This facilitates enhanced security governance, compliance, and ongoing continual improvement of an organisation’s security position. 

The flexible CISO service is led by QuoStar’s Head of Security, David Clarke, who has over 25 years of experience working in cybersecurity, formerly as Global Head of IT Security at BT and other FTSE100 companies. David currently oversees the development, implementation, and support of QuoStar’s clients’ information and security-related risks. 


David Clarke - Chief Information Security Officer at QuoStar

David Clarke, comments:

“As a result of the pandemic, company boundaries have become much more fluid. So many employees now work from home. It’s not always clear what belongs to the company and what is personal. Businesses are now having to manage different servers, cloud services, and access control issues. Their technology needs to be safe and compliant in all these areas before it can be performant.  

“Organisations need to adopt a multi-layer approach to security to manage these risks effectively, but that can be costly. With our on-demand service, however, businesses can truly afford to get the best protection possible, without putting undue strain on the bottom line.” 

The on-demand CISO service follows the successful launch of our on-demand CIO (Chief Information Officer) service earlier this year. Our on-demand CISO service has already seen a rapid uptake of interest, with several businesses already taking advantage of the offering.  


Robert Rutherford CEO at QuoStar

Robert Rutherford, CEO at QuoStar, comments:

“We are delighted to add the CISO service, alongside or CIO service. QuoStar gives mid-market and ambitious smaller businesses access to top talent at the level they need. We’ve always been passionate about delivering measurable business outcomes to our clients. Our aim is to reduce risks and improve the bottom line. 

We’ve always taken IT security extremely seriously. We have always kept up to speed with the technical controls to IT security risks. The evolution of the risk landscape, accelerated by COVID and the rise of hybrid working means we need to implement enhanced IT security governance into our wider client base. Relying on technology just doesn’t cut it any longer – organisations need to be proactively managing risk, continually.” 


Find out how your business could benefit from our CISO Service why not get in touch? Or request a free online consultation from our team today.  


Cyber-Security: Going Beyond Technology

Cyber Security Beyond Technology

Cyber Security beyond technology: a White Paper write up based upon a webinar hosted by David Clarke – QuoStar Head of Security & CISO, and Chris White – QuoStar Head of Consultancy & the CIO Service in July 2021.

Why is cyber security beyond technology such a hot topic?

Cyber-security is an increasing threat that all sized businesses should take seriously. It is a topic that should regularly be on the board’s agenda.

A day doesn’t pass without a business being targeted via ransomware, phishing or DDoS attacks – all causing significant disruption to businesses. For some businesses it has been so bad that it’s affected customers and meant closure.

The destructive rise of state sponsored attacks mixed with organised ransom focused crime gangs has changed the threat landscape dramatically.

Most firms are global 24/7, and their assets are mostly digital. The current ransomware situation is dire. Huge due diligence needs to be taken within supply chains now, particularly when working with the government.

We fall like dominoes if we’re not careful

What are the main threats to today’s landscape? Due to the technological set up of industries today, the knock-on effect of digital disruption is now very large. For example, the US fuel pipeline issue effecting the entire east coast of America was down to digital disruption. The possible effects of digital disruption have always been there, but now the impact and knock-on effects are  massive.

Follow the Swiss Cheese Risk Model

In today’s threat landscape layers of cyber defence need to be in place today. Not one or two, but several layers. Similar to the model that was used in the aircraft industry: the Swiss Cheese risk model!

When Swiss cheese is sliced it has holes, and that’s ok. The problem is when several holes inadvertently line up – if applied to security measures – that’s when disaster can strike. The force magnification is one large risk rather than a few small risks at lower levels.

Clients increasingly want to understand the security measures taken by a business. This in turn means questionnaires, audits, hoops to jump through before business can be conducted.
Requirements need to be met.

Unfortunately, due to the increase in cybercrime over the last couple of years, it’s more a case of WHEN it happens than IF it happens.


Prevention is better than cure

Businesses need to start preparing for an attack, rather than preparing to handle one. If you are handling it, it’s too late and the financial damage to deal with it has already been done. The down time caused by having to deal with an attack can cost millions a day potentially. In this case prevention really is better than cure.

The consequence of a breach is not just dealing with the ransomware attack. It’s that it may lead to having to rebuild your whole IT infrastructure. You may need to move physical servers, migrate networks or change cloud systems. Things that take a huge effort but need to be done in a very short timeframe before you are out of business – days or weeks maximum. The Law Firm DLA Piper paid 15,000 hours of IT overtime as a result of their attack!

Smaller organisations still face huge financial impacts and disruption to both them and their clients. Firms must take care of client data too. Breaches of that data can impact reputation, as well as run the risk of potential fines and punishment that can escalate rapidly. Regulators, including the ICO are becoming increasingly interested in these types of events.

So, how can we avoid successful attacks? It is much cheaper to get your security layers in there first. The layers don’t need to be expensive, just suitable, with good architecture.


When will they come for you?

It may seem obvious, but most attacks happen when you’re most vulnerable – for obvious reasons. Particularly during long weekends and bank holidays. So, have a robust plan of how to record a risk, even out of usual hours. Once reported, a risk can be managed or monitored from there at least.


It is a real struggle to get this message across to boards. If you’re responsible for security (not just IT but business issues, with IT holding a major stake) have a really robust, easy to use process so anyone can escalate an issue no matter how trivial it is. No, this does not include having to read a 500-page document just to submit a threat.

Stay in touch

A security manager would much rather be called with a minor issue to solve at 3am, than to not be told at all and find out a few days later that there is a huge security breach to deal with and very few options left. Have a robust submitting system. Ideally calling, rather than email, so that someone knows it is being dealt with.

Know all the links in your chain

Supply chains are often the biggest cause of problems. You need to ensure there are correct contacts in place for when issues arise. Who are your contacts? When are they available? Know in advance because you need an immediate handle on things when it hits the fan.

Even in large firms, the demand on digital tech security is not there in the same capacity as it is for physical tech security on a daily basis.


The more the merrier?

Companies tend to worry about the role of security if they have thousands (or tens of thousands) of staff. But in reality, the actual number of calls that come through to security as risks are very low, and 98% of those calls are well worth looking at.

The advantages of cloud vs. on premises

Data centres are highly complex – the building itself must be highly resilient. If you are reliant on one data centre or server room, sooner or later, they will go down. Generally, the cloud takes that risk away.

If done right, moving to the cloud shouldn’t be a barrier. But remember whichever you choose security isn’t a one and done deal. It’s a moving target – it needs to be managed, and the risks  monitored, all the time.

What are the risks with the cloud?

Are there additional risks in moving to the cloud? And if so, what can we do to mitigate them? The usual objections of moving to the cloud are security. But there is an argument that the cloud provider knows more about security than most businesses do – it’s their bread and butter.

Companies should be working on the basis that, at some stage, they may be hit – and should know what to do if that happens. There needs to be upfront planning and putting procedures in place.


The Regulators are watching

Regulators want us to take due care and attention of our client’s data. That’s why breaches cost the company. One of the first questions posed by the UK ICO is: Have your staff been trained? Most breach enforcement notices happen due to lack of training or management, as opposed to for the breach itself. This training needs to be demonstratable on an ongoing basis.

A security aware culture starts at the top.

The security aware culture starts at the top. That should be followed by various layers beneath – technology, end point protection, patching. The layer around staff is based in awareness and  knowledge to mitigate situations, as well as supplier due diligence.

There needs to be upfront planning and procedures put in place. There are philosophical decisions to be made before a security breach happens. You could well experience something that propagates. Your customers could also come under attack. Do you focus resources on protecting customers first or the business?

To best manage cyber-security risks, assume the worst-case scenario in order to avoid any unnecessary surprises – and prepare/plan for it.

Business Continuity has been put to the test

Covid has made us test all major categories of business continuity. A few years ago, we’d test things like ‘building unavailable’. Businesses have been put into the real-life working situation of no building available, no public transport, fewer staff numbers and sick and absent staff. We have been hit with all the major categories of business continuity at the same time.

Businesses have done a phenomenal job to keep going. To keep people working from home.

A shortage of senior cyber-security professionals

However, with a global shortage of senior cyber-security professionals, coupled with the prohibitively expensive costs of retaining a full-time, dedicated expert, many businesses may struggle to access the appropriate level of support required.


QuoStar designed the CISO Service to address this problem

Businesses get access to a dedicated Chief Information Security Officer who will provide senior security leadership and take responsibility for identifying, controlling and managing risk. Making sure the business’s security posture is strengthened.

Book your free consultation now. Find out more quostar.com/ciso-as-a-service


Fill out this form to download a PDF copy of this Cyber Security Beyond Technology white paper.

This write-up covers aspects of cyber-security, threats, actions to be taken, the risks of moving into the cloud, responsibilities, managing vendors and how to build a security aware culture.

If you’d like to attend one of our live webinars you can see the upcoming events in our calendar.