SeComPass = Security+Compliance+Assurance - SeComPass Industry Blog by Jatinder Oberoi

The Complete Guide to Hiring a Virtual CISO for Your Business

Fri, 25 Apr 2025 00:35:33 +1000

Introduction

In an era of escalating cyber threats and complex compliance requirements, small and mid-sized businesses (SMEs) across Australia are under pressure to safeguard their digital assets. However, hiring a full-time Chief Information Security Officer (CISO) is often cost-prohibitive. That’s where a Virtual CISO (vCISO) can make all the difference—offering high-level security expertise on a flexible basis.

In this complete guide, we explore the role of a vCISO, key benefits for Australian businesses, when to hire one, and how to choose the right partner.

📌 What Is a Virtual CISO (vCISO)?

A Virtual CISO is a contracted cybersecurity executive who provides strategic guidance, risk management, and security oversight remotely—usually on a part-time or project basis. The vCISO role is perfect for SMEs that require senior-level cybersecurity leadership without the cost or complexity of a full-time hire.

💡 Why Australian SMEs Should Hire a vCISO

✅ Cost-Effective Expertise

Avoid the AUD $200K+ cost of a full-time CISO.

Gain access to industry-leading security skills on a fractional basis.

✅ Tailored, Scalable Support

vCISOs adjust to your organisation’s size, sector, and stage of maturity.

Ideal for growing businesses and digital transformation initiatives.

✅ Compliance and Governance Alignment

Support for local regulations like the Privacy Act 1988, NDB scheme, and APRA CPS 234.

Assistance with ISO 27001, NIST CSF, and Essential Eight compliance.

✅ Independent Cyber Risk Assessments

Get a fresh perspective free from internal bias or legacy systems.

✅ Fast Response to Evolving Threats

Quickly address vulnerabilities, improve posture, and build resilience.

🛡️ Key Responsibilities of a vCISO

A skilled vCISO will support your business through:

Security Strategy Development

Governance, Risk & Compliance Management

Policy and Procedure Development

Security Architecture Review

Third-Party Risk Assessments

Incident Response & Crisis Management

Security Awareness Training Programs

Executive and Board Reporting

🚩 When Should You Hire a vCISO?

Consider engaging a vCISO if your business:

Lacks dedicated cybersecurity leadership

Is preparing for a compliance audit or certification

Has experienced a cyber incident or breach

Is migrating systems to the cloud or scaling operations

Requires risk reporting for executives or the board

🤝 How to Choose the Right vCISO Partner in Australia

When evaluating a virtual CISO provider, ensure they offer:

✅ A proven track record with Australian clients

✅ Local knowledge of Australian legislation and threat actors

✅ Experience in your industry sector (e.g., healthcare, legal, fintech)

✅ Flexible engagement models—hourly, monthly retainer, or project-based

Pro Tip: Ask for case studies and client references during your evaluation.

🌐 SECOMPASS: Your Trusted vCISO Partner

At SECOMPASS, we help Australian businesses secure their digital future through strategic, cost-effective vCISO services. We’re more than consultants—we’re partners in your security journey.

What we offer:

Cybersecurity program development

ISO 27001 readiness and compliance

ASD Essential Eight implementation

Incident response planning

Ongoing virtual security leadership

👉Learn more about our vCISO services or schedule a free consultation.

📈 Final Thoughts

A Virtual CISO empowers your business to respond to today’s threats and tomorrow’s challenges—without the burden of a full-time executive hire. For Australian SMEs, this model offers the perfect balance of cost, capability, and compliance.

Get More Info on our vCISO Service

Book a Free Consultation

Why It's a Must to have an Assessment of Business CyberSecurity

Mon, 30 Jan 2023 07:39:00 +1100

Why Assess Cybersecurity

Cybersecurity is a hot topic. And we have seen big cybersecurity and privacy gaps in organisations who previously didn't have any compliance obligations. This is especially true for small businesses who hold a lot of confidential/personal/financial information or intellectual property (patents).

CyberSecurity for Businesses in NZ vs Australia

Currently in New Zealand, there are no security compliance obligations by authorities. Albeit in Australia, the Federal Government has mandated ISO27001 for any organisation to work with them. This will come down to New Zealand sooner rather than later, so be ready.

In Australia, the last few months have been quite challenging for the businesses where the breaches went to a new high, e.g., Optus and Medibank breaches among others.

In New Zealand also, the breaches have been touching a new high e.g., Mercury IT, Pinnacle Health, Air New Zealand, Reserve Bank of New Zealand, Waikato DHB (now a bit old), New Zealand Stock Exchange.

3 Benefits of doing ABC assessment

Know your top business cybersecurity risks without breaking the bank.
Get an assessment aligned with an international framework (ISO27001).
Make sure you implement some easy ways to reduce the business cybersecurity risks.

SeComPass has been working with organisations in New Zealand, Australia and the US. When talking to small businesses, we felt that they didn't have a lot of money to spend on cybersecurity. So SeComPass has specially created this assessment framework and as a result, ABC Assessment is a unique way to assess the gaps and risks, thus attaining a better level of understanding within days rather than weeks and months and without breaking the bank.

Sign-up Process for ABC assessment

We intake only 5 organisations every 3 months.
Once you are offered a place, we do an initial chat to get to know your specific needs as we don't take a cookie-cutter approach.
After the initial chat, we complete the ABC Assessment with the top management.
After that, we discuss the assessment results including the top 5 ways you can reduce the risks.

If you want to know more, you can register your interest by clicking below and know what it could mean to you and your business.

Upcoming FMA Regulations regarding CyberSecurity

Mon, 16 May 2022 16:05:35 +1000

Last year FMA (Financial Mar kets Authority) mandated the new requirements for companies and people looking to get the Financial Advice Provider (FAP) licence.

The target date for Class 1 and Class 2 license applications was 30 September 2022.
The target date for Class 3 license applications was 30 June 2022.

Some of the requirements are cybersecurity and business continuity plan (BCP) related and require some technical know-how and understanding of the business as well. In addition to the FAP full license application kit, and other resources available on FMA website, the FMA is developing self-assessment tools to help Class 1 and Class 2 license applicants identify where they might need to do further work to meet the full licencing requirements. A Cyber Security and Business Continuity Planning (BCP) self-assessment tool had recently been published on the FMA website.

FMA will continue to accept applications for full licences at any time. However, if you’re a transitional licence holder and you want to continue providing financial advice services under your own licence from 17 March 2023, you must apply for a FAP full licence as soon as possible to ensure it is processed by the time your transitional licence expires at the close of 16 March 2023. Note that the turnaround time for processing applications is up to 60 days and FMA are closed for the summer holidays from 20 December 2022 to 9 January 2023 and will not be processing any licence applications during this time.

For these licenses:

FMA specifically asks for an approved, documented cyber security policy and the details of its approved, last review and next review.
If you don't have this, you need to ensure that you comply with the business continuity and technology systems license condition

SeComPass have created a light-weight framework to fulfill those requirements. Our consultants can swiftly help you fulfil the FMA requirements for cybersecurity and BCP.

Many organisations don't know where to start with for the FMA requirements. If you think, you need a little bit of advice, we can discuss it over phone and swiftly work with you to provide the documents and policies in required format, according to your needs.

Book a No-Obligation Consultation

Do you need a Certification

Mon, 16 May 2022 15:22:50 +1000

This blog post talks about why organisations need certifications and assurance reports.

There are 5 main reasons why an organisation needs a security certification like ISO27001 or SOC1/SOC2:

My customers are asking me to fill in big questionnaires and all sorts of questions.
The competitors don't have any security certifications and this will be my point of differentiation.
My customers are asking me specifically for security certification like this or they would go to other suppliers- end of story.
I am fed up of proving to the customers that we have top-notch security tools and processes in place.
Some organisations we work with are fully compliance-driven and need security certifications.
We want to ensure that I take due care of information provided by the customers and employees.

The competitors don't have any security certifications and this will be my point of differentiation

My customers are asking me specifically for security certification like this or they would go to other suppliers- end of story.

I am fed up of proving to the customers that we have top-notch security tools and processes in place.

Some organisations we work with are fully compliance-driven and need security certifications.

We want to ensure that I take due care of information provided by the customers and employees.

Many organisations don't know what to start with when looking for certification. If you think, you need a little bit of advice, we can discuss it over phone and customise the process. according to your needs

Book a no-obligation consultation

Is Blockchain Technology GDPR Compliant?

Fri, 31 Dec 2021 14:07:00 +1100

Spoiler Alert: Whoever is thinking of using the blockchain in their technology and systems, needs to understand their compliance obligations especially GDPR.

The new privacy regulation by the European Union known as the General Data Protection Regulation (GDPR) took effect in 2018 and then NZ Privacy Act came into effect in 2020. But it seems that most of the companies are still in state of denial and burying their heads in the sand, waiting until the last moment and hoping for a miracle to happen where their governments will relinquish the alignment of the national legislation with those GDPR and NZ Privacy Act requirements.

While there are many privacy implications for various companies around the world, we are more interested in one particular GDPR case, namely in companies that offer solutions based on blockchain technology, given that it was one of the most emerging technologies in 2017. Many promising implementations have been catapulted the last years ranging from new cryptocurrencies, tokens, company shares representation, identity directory to copyright and intellectual property protection. Some of these new solutions should also meet the GDPR requirements if they are going to be used by European residents. From the above examples of blockchain technology implementations, let’s take a closer look at how cryptocurrencies, and in specific the leading cryptocurrency Bitcoin and the privacy oriented cryptocurrency Monero, are impacted by GDPR. While there are many requirements in GDPR we will look only at a few key requirements to show the impact of GDPR.

Confidentiality

According to GDPR you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised (Article 5(1)(f) of the GDPR). Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier is considered personal data (GDPR article 4). This means that a crypto wallet address can be regarded as an identifier that directly relates to information on the blockchain of an individual. Bitcoin is fully traceable and doesn’t ensure confidentiality. If you know the wallet address – you can check the existing balance and all transactions history of anyone. Monero on the other hand, is designed with privacy in mind. Even if someone knows your wallet address, they cannot check your balance or transactions history.

Right to access

According to GDPR Individuals have the right to access their personal data and supplementary information (see Articles 12 and 15 and Recital 63). Bitcoin meets this requirement as content is fully traceable and you can access your personal data and supplementary information anytime. The downside is that your data is not only for you accessible but for everyone. Monero, like bitcoin, is also fully traceable and you can access all your data at any time. But with Monero no one else than you can access your data.

Right to erasure

The GDPR introduces a right for individuals to have their personal data erased (see articles 6, 9, 12, 17 and Recitals 65, 66). This is also called the right to “be forgotten”. Meeting this GDPR requirement is impossible when using Bitcoin. In fact, blockchain has not been designed to “be forgotten”, but rather to remember all transaction data since the genesis of a blockchain. In Monero also the right to be forgotten is extremely simplified. If you want to be forgotten, just “delete” all your keys.

Right to rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete (see articles 5, 12, 16 and 19). Both cryptocurrencies do not meet this requirement, since both of them are subject to the second restrictive blockchain characteristic: immutability. This means that you cannot modify existing blocks in the chain as this will affect the control sum of all next blocks. While Monero strictly doesn’t meet this requirement, it doesn’t necessarily expose a risk since no one has visibility or can access your (wrong or incomplete) data.

Privacy by design

GDPR requires you to consider and implement technical and organisational data protection measures and to integrate them into your processing activities during the design phase (article 25 GDPR). As for Bitcoin, it wasn’t developed with privacy in mind and any new application relying on Bitcoin will have to deal with this caveat. It’s worth noting that hundreds of other blockchain projects, whether launched via an ICO or not, have currently similar privacy problems. Monero on the other hand, was designed with privacy in mind. With the recent move to protect the blockchain against centralization and ASICS, they once again have shown and applied “privacy and security by design”.

Conclusion

In conclusion, applications based on block chain technology, such as Bitcoin, by default don’t meet GDPR requirements and will have to put extra effort to compensate for certain fundamental properties of blockchain technology such as transparency, immutability and recording to align their solutions with GDPR. Some, however, like Monero have been designed with privacy and security in mind and are more compliant with GDPR than others by default. Note that in this article we have only looked to a few GDPR requirements and that full compliance with GDPR would require many other technical and organisational measures to be considered.

The discussion above is based on our experience and should open some discussion points to your next stand-up. If you have succeeded in using blockchain technology successfully while integrating compliance in the design process itself, please share with us and the world your revelations..

If you want to know more about how we have done this with our customers and saved them effort, book a free consultation by clicking below.

Book a Free Consultation.

Do you need a Data Protection/Privacy Officer (DPO)

Wed, 15 Dec 2021 14:07:00 +1100

GDPR and New Zealand Privacy Act requires (in certain cases) companies to designate a data protection/privacy officer (DPO). Tailored to your privacy needs, SeComPass provides a Virtual Data Protection Officer (vDPO) service. The vDPO will support you by informing, advising, monitoring compliance and acting as your point of contact for the supervisory authorities

The flowchart above is based on our experience and should open some discussion points to your next stand-up. If you have implemented privacy successfully in your organisation while keeping the costs low, please share with us and the world your revelations.

If you want to know more about how we have done this with our customers and saved them effort, book a free consultation by clicking below.

Book a Free Consultation

How to make Agile and Security Work together

Wed, 15 Dec 2021 14:07:00 +1100

If you ask any random chosen person from the security industry you will very likely hear – “Agile and security don’t work together”.

But we think that Agile and Security can work together. Let us discuss how we can make it work together.

Constant pressure from executives to deliver results faster at lower costs has made Agile to very popular the last years. Even the Australian Prime Minister recommended to use Agile methodology in government projects. But is Agile really so good? Or maybe there's a hidden catch?

The answer depends on who is being asked those questions.

Here is why:

Lack of Design
Lack of Security Architecture
Constant and Frequent Changes
Security is Considered & Implemented as the Last Thing
No Security Owners within Agile Squads

Since every Agile project is different, you could face one or all of these issues at once. Taking the above points into consideration, they may (and very often simply do) lead to a security cataclysm. The definition of the security cataclysm is very wide – from a security breach, through revoking the certification for the whole company (i.e., PCI-DSS), up to compromising a government agency. The belief that Agile and security cannot work together is so strong that it’s hard to find security experts who are willing to take the challenge and make it happen. Fortunately, there are a few things that we can do and may change that perception.

1. The first measure is to assign a security consultant to all agile squads. Let him/her attend all the stand ups, planning & grooming session, retrospection meetings, and be responsible for security. This should allow him or her to address any security or compliance issues before they are implemented, in other words this is a preventive activity. The maximum successful ratio is one consultant per four agile squads.

2. But that is not enough. Security also has to work closely with the scrum master and together enforce design works – addressed as product backlog item (PBI’s). This second measure will allow the project to perform security reviews based on the designs. These early reviews will lower the cost of any required penetration testing activities later prior the “go live” event. You will need to assign a security assessment subtask to each PBI to perform a security review. By doing this, you should minimize the mitigation costs, and address immediately security & compliance requirements. Another benefit from having a design is higher accuracy and better results from penetration testing. After 2 or 3 months, you should see the first results. Penetration testing should identify less vulnerabilities, less compliance failures to national or industry standards and the security posture should grow within your environment.

Let's say that with the above measures security can be agile. But you will say - it is expensive. Is it? Maybe. There is always a cost attached to improving security. But you can lower the costs by for example creating additional features i.e. a checkbox for penetration testing in JIRA. This will enable the team to coordinate release plan with penetration testing schedule, resulting in decreased number of engagements with a security company. You may encourage squad members to learn practices from the security consultant and introduce cross-quad security assessments. The cross-squad security assessment will also ensure the segregation of duties principle.

However, despite all propositions above, there is still one crucial thing missing. In this approach the security consultant doesn’t have a holistic view of the products and/or environment. This is key for security to be able to assess and provide valuable input to the project. Since that is not available in agile projects, the security consultant starts her/his engagement with a gap analysis against the desired security standard. The desired state and input from some architects is all (s)he needs. Reassessing the gap from time to time (i.e., every 6 months) is recommended here as projects requirements and the desired state change frequently in agile.

The proposed solutions above are not based on the laws of physics, but should bring security and the agile dogma closer to each other. If you have succeeded in bringing those two enemies together by other means please share with us and the world your revelations.

If you want to know more about how we have done this with our customers and saved them effort, book a free consultation by clicking below.

Book a Free Consultantion