Types of Penetration Testing
To start off we need to define penetration testing. What is it?
The term virtual Chief Information Officer (vCIO) has been around for well over a decade now, but even today, if you ask ten different people what a vCIO does you may well get ten different answers.
This article does not claim to be the definitive answer to the question of what a vCIO does, but we will do our best to explain:
We will start with a look at the C-suite of a typical large enterprise.
Let’s review the various technology roles represented on this enterprise org chart. On the far right, we’ve got Amber Thomas, Chief Information Officer (CIO), with a CTO (Tyler) and a CISO (Toby) reporting to her. This business has the resources to assign a dedicated full-time person in the C-suite for each role of Information, Technology, and Cybersecurity as separate functions.
Over on the left side, we see Barrie Turner as responsible for Project Management and Eric Wells for Change Management. And next to them, we have Alan Miller and Angelica Frisch responsible for data governance and data privacy. If we do some simple addition we will find that this business has no less than seven (7) full-time positions dedicated to information technology governance.
Now, let’s take a look at how many of these positions have full-time representation in a typical nonprofit.
Wow, that’s a lot of vacancies in our nonprofit C-suite, right? Now, just because our nonprofit doesn’t have anywhere near the budget to fill these missing positions does not mean the functions don’t need to be performed. Our nonprofit certainly needs a high level of overall information technology services (the CIO’s responsibility). We still need reliable and high-functioning technology (CTO) and robust cybersecurity (CISO). We need data systems that support our workflow, reporting, and analytics needs (CDO) and ensure we are compliant with existing and emerging data privacy laws (DPO). We need to successfully plan and implement projects (PM) and effectively support the organizational change those projects entail (CM).
Our nonprofit has these needs, but no budget for positions to fulfill those needs. So what is Miriam, our smart, resourceful, and dedicated leader, to do? Well, here’s what we most often see Miriam try:
Miriam turns to her trusted, hard-working, and incredibly competent COO, Liza, and asks her to oversee the organization’s technology.
Good luck, Liza!
Liza may have one or two people or even a small team of internal IT staff under her management, but they will typically have titles like “System Administrator,” “IT Manager,” or “WordPress Developer” and may or may not have the skills to adequately perform any of the IT roles missing from our nonprofit C-suite. Or, perhaps Liza engages an outsourced technology provider (sometimes called a Managed Service Provider or MSP), in which case Liza has the same issue, but with outsourced resources.
In either case, now Liza is tasked with supervising the organization’s IT function and determining the appropriate resource allocations, cybersecurity posture, data quality, service delivery, and everything else. Liza may be a fantastic COO and an incredibly smart and capable person, but in being given responsibility for Information Technology, she’s being asked to manage a function she doesn’t feel nearly as competent to manage.
Liza is not sure what to expect from our nonprofit’s IT resources or whether they are performing above or below industry standards. Liza reads about ransomware and other cyber threats and isn’t confident that our nonprofit has a reasonable cybersecurity posture. Liza reads about emerging data privacy laws such as GDPR, CCPA, NY SHIELD, and others and wonders if and how they affect our nonprofit. Liza is tasked with deciding whether to renew a big contract for a longtime database vendor or migrate to Salesforce, and she is not confident in her ability to evaluate these choices. Liza is noticing a certain inertia taking hold with technology at the organization: changes only happen when critical, and important but non-urgent technology projects stagnate.
As a result of all this, Liza begins feeling overwhelmed and unsure of how she can govern information technology at the high standard she expects of herself.
We mentioned that Miriam and Liza are both incredibly smart, capable, resourceful, and hard-working. So after some time, they both realize that the organization is not being served well by this arrangement.
Miriam and Liza discuss what to do about this and they decide to hire a virtual CIO, let’s call him Adam Afumba.
Adam and Liza begin meeting regularly. Adam spends some time learning about the overall organizational strategy and where the information technology is succeeding or failing in supporting that strategy. Adam works with Liza to make sure he understands the larger organizational needs and only then begins working with Liza on the information technology strategy.
Adam meets with the IT staff (and/or the outsourced vendor(s)) and establishes appropriate expectations for roles, responsibilities, and service delivery. Adam works with Liza to establish key measures of success for IT. Adam helps Liza better understand the current cybersecurity posture, identifies risks, and provides recommendations for risk mitigation. Adam helps clarify what data privacy regulations apply to our nonprofit and helps establish a two-year roadmap toward compliance.
When Liza gets tasked with managing the information technology component of the annual financial audit, Adam helps Liza and the team review the prior year’s findings and coordinate the gathering and providing of requested documentation to the auditors. Adam also sits in on the IT audit meetings and helps our nonprofit respond to audit questions and findings.
After several months of working together, Adam and Liza gather a group of senior leaders at our nonprofit and form a technology steering committee. Twice a year, Adam and Liza prepare a comprehensive presentation for the steering committee that includes an updated technology roadmap, a strategic technology plan, and an executive summary of both completed and planned projects.
Through all these activities, Liza not only feels a much higher level of confidence in her ability to effectively govern technology at our nonprofit, but she is getting a much higher level of input and buy-in from key stakeholders across the organization.
This is perhaps the most subjective part of this article, but based on my experience both working with CIOs and providing vCIO services, here are the attributes I recommend you look for in a potential vCIO:
Without all (or at least most) of these qualities, it will be very difficult for a vCIO to achieve success.
If you are interested in whether a vCIO might be a good fit for your organization, we would be delighted to speak with you. You can request a free consultation here and one of our professionals will be happy to speak with you to learn more about your needs and help you determine whether vCIO services are right for you and your organization.