Chief information security officers (CISOs) are increasingly in demand, and the very good ones are expensive and hard to retain. As more and more organizations without a CISO suffer breaches, how should they go about bringing such talent into their businesses?
Could an on-demand virtual CISO (vCISO) be the appropriate solution? A vCISO is essentially a security practitioner who provides advice and insight to an organization on an outsourced, ongoing basis, usually part-time and remotely.
But why would a business engage a vCISO when it could hire a full-time CISO? The answer is not a simple one. Firstly, a vCISO is not a good fit for every organization. Secondly, highly regarded, experienced CISOs are not easily found, generally stay in a role for only two to three years and, most importantly, command a salary that is prohibitive for small and medium-sized enterprises (SMEs).
vCISOs usually cost around 40% to 60% of what you would pay a full-time CISO, and their services can be delivered on demand. Their benefits usually far exceed their costs. Virtual CISOs are highly experienced and knowledgeable, bring lessons from many previous engagements rather than ramping up from scratch, integrate easily into a business, and see no need to tiptoe around corporate politics. The engagement is strictly about outcomes, and a top-tier vCISO will provide critical board and executive engagement, metrics, and high-level reporting.
While different vCISOs come with varying skill sets, most should be able to handle a wide range of activities, from strategic to tactical. They can develop your information risk assessment methodology. They can create a robust framework of policies, procedures, standards, and guidelines. They can help your organization meet GDPR, PCI DSS and other compliance obligations. They can address outsourced vendor risk, for example around cloud computing and IoT services. They can also assist with recruitment and building a high-performance team, devising the security vision and strategy, leading the RFP process for security solutions, refining incident response processes, and implementing COBIT 5 and the ISO/IEC 27000 series of standards. They might also coach and train newly hired CISOs, conduct awareness training, and report to the Board of Directors.
Virtual CISOs are best suited to startups and growing companies, and work well either to bolster an existing management team or as a short-term solution. The best vCISOs must be good communicators, vertically and horizontally, and especially at board level. They must be able to work with companies across diverse industries and with varying risk profiles and backgrounds. They must be able to state clearly which business risks a company is exposed to through its cybersecurity posture. An effective vCISO must also be adaptable and quick to learn the unique business environment their customer operates in. Once that is understood, the vCISO needs to bring their knowledge and skills to bear in aligning the cybersecurity strategy with the business's strategic objectives.
As they generally operate without a budget or responsibility for implementation, vCISOs are best viewed as advisors rather than as auditors or change managers. Cybersecurity is largely a business of relationship management, and traditional CISOs must win the hearts and minds of executives and organizational leaders if they are to move the enterprise forward. vCISOs do not necessarily need to do this, as they have a lower profile in the organization and are unlikely to stay for the long term.
vCISO services are included in the service portfolio of my company, Octave Consulting Group.