CISO as a Service (CISOaaS)

We provide the expertise and resources to protect your systems and information, so you can have confidence in developing great products and delivering quality service…without disruption or compromise.

Why Information Security? The key questions...
  • Do you view information security as a business function?

  • Do you have the right enterprise security architecture?

  • Do you utilize a network and security monitoring service?

Information Security decisions are increasingly being made in the boardroom. That’s why your security staff needs greater exposure to the business, and the business needs to see the security staff as a partner.

Large and small organizations alike face the risks of information security breaches. The potential losses are substantial, with the average quantifiable cost for a data breach in the U.S. being $4.24MM (IBM), not to mention the qualitative cost of reputational harm.

At Garnet River, we recognize that security is not a point-in-time solution. We work with clients to develop processes that mitigate risk and enable the scalable, secure handling of information to meet operational, information, practical, and educational security needs. Our end-to-end services include:

  • Compliance Review and Policy Development. The first rule of information security is to understand the risks that exist in your environment. The first step toward compliance is identifying these risks and the proper controls to mitigate them. We work with you to establish pre-audit planning, development of Plans of Action and Milestones (PoAM), and the development of continuous compliance systems.

  • Enterprise Architecture Services. Enterprise security architecture provides a context for the implementation of policy into practice. It provides frameworks to guide, roadmaps to direct, and implementation assistance to enact. The goal of architecture services is to take you from your policy requirements onto the solid ground of practical risk mitigation.

  • Vendor Evaluation Services. Garnet River performs product reviews, recommends vendors, and assists with the development of procurement plans. By its nature, a vendor evaluation agreement provides you with access to a variety of security and assurance experts and enables those experts to act on your behalf without product preference or dependency.

  • Network & Security Monitoring. Garnet River offers access to a proprietary security appliance and reports from our concurrent network monitoring application, and provides human oversight from our Security Operations Center (SOC).
Michael Weisberg, Chief Information Security Officer

Identified as an expert Information Security influencer by (ISC)², Michael is CISO and vice president of Information Security for Garnet River. In addition to serving as past EISO for New York State, he was founding director of cybersecurity at Sage Colleges, Lead Information Security Architect for the U.S. Federal Reserve, and vice president of Information Security for Bank of America.

What to know about Michael: He’s just a little bit obsessed with security and compliance, which is great. It means you don’t have to be, but having Michael on your team can help you execute like you are.

Chief Information Security Officer as a Service (CISOaaS)

Why a CISOaaS

  • Controls costs, as trained Information Security professionals are rare (and expensive)

  • Drives outcomes, as most businesses have the need for a program, not a person

  • Allows for the effective training of internal resources

  • Ensures compliance by understanding applicable policy, standards, and procedures

  • Encourages clear, directed communication with board members and leadership

  • Establishes plans that integrate with business needs

  • Offers access to a team with a variety of expertise

  • Provides specificity of role, which ensures a focus on Security while allowing the client to focus on business

We can help!



  • Enhance an already successful program.
  • Benefit from a second set of eyes.
  • Get validation.


  • Strengthen a failing security program with new emphasis, programs, and expertise.
  • Policy/guidance standards.


  • Rebuild a failed security program.
  • New materials & policies.
  • Corporate emphasis, improved communication.