Merit Offers Scaled CISO Consulting Services to Fit Every Member Organization
In an ideal world, every organization would have a chief information security officer (CISO). However, in reality, not every organization can afford to have one. That is why Michigan’s research and education network, Merit, debuted its Merit Community CISO program earlier this year.
“[W]e have an immense capability to do an immense amount of good for the state and for our community.” — Kevin Hayes, Merit CISO
The program offers its members, which include nonprofit organizations, universities, public health organizations, and community anchor institutions like K-12 schools and libraries, something unique: CISO services that are tailored to each organization’s size and budget.
The Merit Community CISO program offers 4 “layers” of CISO services:
1. CISO Premium Engagement. This highest service level is a comprehensive, point-in-time security assessment with approximately 60 hours of consulting time that yields detailed recommendations. Merit’s CISO, Kevin Hayes, and another member of the security team visit the site for two days to conduct a battery of interviews, perform a full network vulnerability scan, and perform a host-based vulnerability scan.
Importantly, the assessment comes with full written reports for all of the Top 20 Center for Internet Security (CIS) Controls and the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), including grading.
“I love the CIS Top 20 because it is very practical; it gives you very simple and actionable advice. By their own admission, there are gaps with what it assesses, specifically from the incident response and governance perspective. That’s where the NIST Cybersecurity Framework comes in and really ends up sealing up those gaps,” says Kevin Hayes, Merit’s CISO.
The Merit team produces executive summaries, recommends actions to take immediately, identifies what the organization is doing well, and presents findings to the organization’s board or leadership team.
2. CISO Advocate Program. This year-long service focuses on ongoing project guidance and feedback over a 12-month period. The Merit team initially conducts expedited discovery on-site, and then the organization gets monthly contact with Merit’s CISO. Typically, about an hour a month is reserved for consultation, where Merit helps to move along a member’s project plan, and another consultation hour is devoted to special projects.
“They want that trusted partner looking over their shoulder making sure that they’re not missing anything,” says Hayes.
One of Merit’s first CISO Advocate program customers was a county that only had an IT shop of two people. Merit worked with them on both special projects and general project management.
“Being able to see where they were six months ago and where they are today is just absolutely amazing. They’ve taken away local admin rights, they’ve redone all their backup procedures, they’ve turned on firewalls and other controls, and they’re actually doing business continuity planning now. It is so incredible to see,” added Hayes.
3. CISO Micro Assessment. The micro assessment is a one-day, intensive engagement focused on the top 6 CIS Controls and recommendations. “It’s actionable advice at an inexpensive price,” says David Dennis, executive director of product management at Merit.
It is for organizations that need help setting a strong foundation, such as hardware and software inventory and vulnerability management. “Simply doing those six things often gets you about 75-80% of where you need to be. These are the ways you work to reduce the scope of the problem you’re trying to address,” says Hayes. “This experience is about getting them a springboard that they can then launch from.”
Organizations get an abbreviated report to use as a starting point to improve their security posture.
4. CIO Scanner Service. Continuous vulnerability management is one of the CIS Top 6 basic controls, but oftentimes organizations do not have a scanner in place. “A lot of the solutions out there are very, very pricey. For a lot of our smaller members, conducting the required scanning, both from a price point and also from an expertise point, is out of their range,” says Hayes.
Merit’s scanner is a self-service tool available in the Merit member portal. Members pay an annual fee for unlimited access to the scanner tool. The basic tier scanner service scans up to 750 IP addresses and lets members mark vulnerabilities with a disposition status like In-progress, False Positive, or Accepted Risk.
Members can save results and review them before and after remediation efforts. The scanner service is backed by analysis and expertise from Merit’s CISO. “Ideally, you are only in this tool for 15-30 minutes a month, but that time is going to be extremely valuable because you are going to have that visibility into the pain points on your network,” says Hayes.
Merit plans to continue to build out its security portfolio based on the lessons it has learned from talking to its membership.
“We continue to ask our members, ‘How can we best deliver value?’ We have the capabilities and the knowledge and skills to do just that,” says Hayes. “Knowing that we have an incredible resource here in everything that we’ve made, from the Michigan Cyber Range to our CISO services, we have an immense capability to do an immense amount of good for the state and for our community. It’s what continues to drive us forward to make the products that make a difference.”