[BreachExchange] Can't Afford a Full-time CISO? Try the Virtual Version

Destry Winant destry at riskbasedsecurity.com
Wed Dec 2 11:01:08 EST 2020


https://www.darkreading.com/operations/cant-afford-a-full-time-ciso-try-the-virtual-version/a/d-id/1339386

A vCISO can align a company's information security program to business
strategy and budgeting guidance to senior management.

Ensuring the confidentiality, availability, and integrity of a
company's, their users', and their customers' information must be top
priority for organizations, but it's easier said than done. Data
security breaches and cyberattack threats are occurring more
frequently – according to a recent Information Systems Security
Association and Enterprise Strategy Group survey, 63% of cybersecurity
professionals have seen an increase in cyber-attacks related to the
pandemic – which means businesses today need to take additional steps
to remain secure.

An organization's in-house chief information security officer (CISO)
is critically responsible for establishing and maintaining the
enterprise information security vision, strategy, and program to
ensure information assets and technologies are adequately protected.
However, the reality is, some companies (particularly small- to
mid-sized businesses and nonprofits) do not have a need for a
full-time CISO or the financial resources to add another member to the
C-suite, not to mention their 6-figure salary. For those
organizations, there's another option: a virtual CISO (vCISO).

For a fraction of the salary of a full-time CISO, companies can hire a
vCISO, which is an outsourced security practitioner with executive
level experience, who, acting as a consultant, offers their time and
insight to an organization on an ongoing (typically part-time) basis
with the same skillset and expertise as a conventional CISO. Hiring a
vCISO on a part-time (or short-term) basis gives a company the
flexibility to outsource impending IT projects as needed.

A vCISO will work closely with senior management to establish a
well-communicated information security strategy and roadmap, one that
meets the requirements of the organization and its customers as well as
state and federal requirements. Most importantly, a vCISO can provide
companies unbiased strategic and operational leadership on security
policies, guidelines, controls, and standards, as well as regulatory
compliance, risk management, vendor risk management, and more.

Because vCISOs are already experts, they save the organization time and
money by decreasing ramp-up time. Businesses are able to eliminate the
cost of benefits and full-time employee onboarding requirements. Also,
if another employee had been handling the responsibilities of a CISO,
a vCISO frees up some of their workload, enabling them to take on
other priority tasks.

As an example, I am currently the vCISO for four companies ranging in
size from 40 employees up to 15,000. My typical responsibilities
include ensuring compliance with state cybersecurity guidelines such
as New York's SHIELD Act or Massachusetts's Cybersecurity Regulation –
both of these regulations require companies to have a CISO. As a
vCISO, I prepare annual information security budgets, identify key
security initiatives for the coming year, perform annual risk
assessments, work with technology vendors on behalf of my clients, and
provide advisory services to senior management on the latest
information security threats. In any given month, I spend 4-20 hours
per client.

Many in-house IT departments are multi-faceted and may not have the
time or resources to properly manage all IT functions, especially as
they relate to information security. A vCISO can align a company's
information security program to a business's overarching strategy to
provide predictive budgeting to senior management.

For organizations that already have a CISO, a vCISO is particularly
useful as a trusted information security advisor to the present CISO.
If you're a growing organization, or between CISOs, then a vCISO will
help avoid rushing the long process of hiring the right full-time
CISO.

There are also disadvantages to hiring a vCISO. One is that the vCISO
most likely will need time to understand the culture and business
operations of a company. Second, depending on the contractual
arrangements made, a company can have unrealistic expectations that
they are getting a full-time person for the cost of someone who works
less than 20% of the time. The truth is, vCISOs most likely have other
clients who they are involved with, so unless a company is hiring a
vCISO full time, his or her time may be split between multiple
companies.

Finally, those who market themselves as vCISOs may lack the current
knowledge of the industry. While these vCISOs may have 30-40 years of
technical experience, they may lack managerial security experience.
They may also have been out of the industry for several years due to
retirement or downsizing and have not kept up with security industry
trends, rules, regulations, and models. Therefore, care must be taken
to properly vet a vCISO's experience.

Information security is complex and ever-changing. New vulnerabilities
and threats are identified daily. Keeping up with threats, risks, and
vulnerabilities is often a full-time job in larger organizations.
Developing a strategic information security plan and program is a
difficult task, and not everyone has the skills or the time to do it
effectively. The right vCISO can provide a business with quality
executive level information security experts by collaborating with
executive management to make smart decisions on various security,
privacy, and compliance requirements and issues.

A seasoned vCISO will have had the advantage of seeing hundreds of
companies struggling with many of the same challenges, and knows which
policies, procedures, and technologies are best for solving specific
problems. Overall, the main objective of a vCISO is to act as a bridge
to the business and its technology team by providing a long-term
framework that can be continuously modified as information security
goals and threats evolve.
