[BreachExchange] Virtual CISO: Solving cybersecurity growing pains?

Destry Winant destry at riskbasedsecurity.com
Fri Sep 13 10:17:45 EDT 2019


There comes a time in every company's life when events force
management to take a new look at how they handle IT. In some cases, it
is simply that they realise the current situation is holding them
back: risks are being taken and mistakes are being made. For others, it
will be their success that makes it necessary to allocate greater and
more dedicated resources to IT.

One of the key drivers for reaching that crossroads is certainly IT
security - and usually on the back of a series of near misses or a
confirmed attack of some kind, whether a virus, hack or data breach.
The pain and reputational damage experienced after such an incident is
lasting, and something most companies want to move quickly to prevent
from happening again. A 2019 Ponemon Institute research report revealed
that a data breach results in abnormal customer turnover of 3.9% on
average. Indeed, the financial consequences of customer attrition
comprise the majority (36%) of the total cost of a data breach.
However, organisations with an incident response team reduce this
cost by an average of $370,000. Having a senior-level leader, such as
a Chief Information Security Officer, direct initiatives that improve
customer trust helps retain customers, consequently reducing the cost
of a breach.

The outsourcing itch

The problem is that building an IT team, and specifically a
cybersecurity team, takes time, money and dedication. Great people
with extensive industry experience are in short supply, top Chief
Information Security Officers (CISOs) are expensive, and even if they
can join your company it might be six months before they can start.
Even once they are through the door, the process of assessing the
cybersecurity posture of the company, planning and implementing
changes, or indeed hiring and training staff, can take months.

For some, deciding to outsource all IT operations has helped overcome
some of the key problems with building a team. However, it is not a
realistic option for companies that are large enough and lucky enough
to already have a good IT team, or for those that are growing but lack
the ability to make the kind of financial investment required for a dedicated

Outsourcing IT wholesale has its risks too. In the case of security,
it simply becomes one of the many tasks an external team needs to get
through in the limited time that they have, in much the same way as an
internal IT team would struggle. Sure, they will check that all the
essential firewall and other configurations are in place and maintain
systems - but those are purely fundamental tasks. In the long run this
is ineffective and can lead to a false sense of security.

It doesn't need to be all or nothing

For large and growing companies, a much more strategic approach to
cybersecurity is needed: one that encompasses current needs, the
strategic direction of the company, and the evolving threat and
technology landscape.

A different way to approach the challenge of gaining immediate access
to an experienced CISO, one who can offer the support a company needs
to rapidly improve its security posture, is hiring a virtual CISO. This
is an individual with decades of industry experience whom a company
can use to enhance and advise its internal IT team, without needing to
find, wait for and pay an expensive CISO to join the company.

Some companies use virtual CISOs as an external risk auditing
resource, whereas others will take advantage of their industry
experience to assess technology for mitigating future threats and
build an implementation roadmap that aligns with the future goals of
the company.

For some, the idea of being tied to external outsourcing companies is
an uncomfortable one, but the role of virtual CISO is really one of a
trusted advisor. Whilst they can of course play an active role in the
implementation of technology and the running of cybersecurity
operations, their key benefit is their experience and strategic
insight. Many companies use the role as a bridging mechanism: a way to
deal with their immediate security needs while using the virtual
CISO's experience to build the internal team, processes and resources
that will eventually replace them, even having the virtual CISO take
part in the selection and interview process for their direct
replacement.

A CISO worth considering

Whatever has led a company to the position where it knows it must up
its cybersecurity game - speed and strategy are of the essence. The
virtual CISO can be a role that enables both, without being a
long-term investment. It can remove complexity and that 'rabbit in the
headlights' feeling, buying a company time to make more considered and
strategic decisions, whilst rapidly and cost-effectively solidifying
its stance on cybersecurity. It's a different approach worthy of
consideration when cybersecurity is forced to the top of the IT and
boardroom agenda.
