###### tags: `Red Team & vCISO`
![](https://hackmd.io/_uploads/Sy50YbJ2j.png)
# Spearbit vCISO and Security as a Service 🦾
## About Us
### The Role
If your Chief Information Security Officer (CISO) role is vacant or you need a project-based executive expertise then our community of vCISO's is the solution for you.
Our vCISO's serve as a technology leader responsible for advising on high-level technical guidance, smart contract best pracitces, architectural review and development/testing framework during your software development lifecycle by directly reporting to the CTO, CEO, and Founders.
By embedding this individual or pairing of vCISO's onto your team this allows you to prepare for external reviews, execute on technical development and reduce risk.
#### World Class Leaders
Spearbit has to date built one of the largest communities of security personel in the blockchain space.
The canidates for vCISO have years of auditing experience in web3, solidity expertise, background in web2 front-end development, and have led numerous Spearbit led audits for clients such as OpenSea, Optimism, and Connext to name a few.
#### Reduce Risk
Our CISO's help you evaluate best practices when it comes to building out and deploying smart contracts. Offering an outside perspective on overall system architecture prior to any external review.
#### Terms of Service
The vCISO works on an hourly rate to be determined on a by client basis at a maximum of 5 hours per week. This also comes with the agreed upon incentive of equity allocation since this role is pivotal in the foundational layer of your protocols development.
The channels of communication include e-mail, telegram, and discord. As we are flexible per the clients needs.
## Client Case Studies 📝
### Optimism
In December of 2022, Optimism, a layer 2 blockchain that uses optimistic rollups to help Ethereum scale, reached out to Spearbit in preperation for their system upgrade to [Optimism Bedrock](https:/https://www.alchemy.com/overviews/optimism-bedrock-testnet-migration-guide/). This upgrade introduced a series of performance improvements from its existing rollup architecture design.
For a one week sprint our vCISO's worked alongside Optimism's developer team to critically think through best practices and understand the design architecture to ensure a successful implementation.
Here are a few quick examples to highlight this:
* Provided technical guidance on smart contract upgrades, emphasizing the importance of only making necessary updates to minimize security risks.
* Advised on compiler version selection, emphasizing the need to carefully review release notes and bug fixes to determine the safest option.
* Warned about potential risks of user funds loss during smart contract upgrades, suggesting a general precaution of avoiding deposits near the upgrade time.
* Suggested avoiding advertising specific risk vectors to minimize user confusion and promote overall security awareness.
![](https://hackmd.io/_uploads/S1AUEbJhj.png)
### Covey
In August 2022, Covey, a community of investment analysts, reached out to Spearbit in preperation for their public launch to provide guidance on their smart contracts related to data ledger, tokens, and staking. The developer team at Covey didn't have the expertise in-house to critically think through the implications over their architectural design decisions.
For a three month period our vCISO's worked alongside Covey's developer team to critically assess the current state of their smart contracts and ensure a successful launch.
Here are a few quick examples to highlight this:
* Advised on the token selection for deployment. We suggested the use of ERC-20 tokens rather than ERC-777 for their intial equity token launch. By avoiding using a token type that is less compatible with existing protocols we created an efficency within their intial design.
* Provided debugging expertise of an ENS setter issue by safely thinking about variable naming and class member modification.
* Reviewed the smart contracts by doing a spot check for any common vulnerabilities.
* Provided critical analysis of the staking mechanism development by applying mitigations to address the risk of impermanent loss, high gas fees, and slashing events.
![](https://hackmd.io/_uploads/BJirtZknj.png)
## Questionnaire ❓
Please take a moment to answer the following questions about your organization's cybersecurity needs and objectives. This information will help us match you with the right virtual Chief Information Security Officer (vCISO) for your specific requirements.
1. What are some expectations and responsibilities you would have of the vCISO? This service is meant to be advisory in practice assisting with: technical guidance, best practice, development and testing framework, and architectural review.
2. How long of a time period are you looking to have the vCISO available? We are aiming for 3-6 month engagements with a maximum of 5 hours per week for their consulting services.
3. Please outline for us your current team structure (ie org chart).
4. Help us better understand your roadmap in terms of the period the vCISO is involved.
5. Any specialized expertise you are looking for? Our community has a wide range of web3 and web2 experience.