[BreachExchange] 5 Ways vCISOs Move the Security Needle

Destry Winant destry at riskbasedsecurity.com
Thu Jul 9 09:46:08 EDT 2020


https://www.scmagazine.com/home/opinion/executive-insight/5-ways-vcisos-move-the-security-needle/

Data has become more valuable than ever and organizations must make
protecting it a top priority. According to IBM and the Ponemon
Institute, the average data breach now costs American companies $8.19
million. On top of that, the recently released Verizon Data Breach
Investigations Report found that 86 percent of all breaches were
financially motivated.

As attacks become more sophisticated and complex, data breaches can
more quickly undermine a company’s growth and erode customer trust.
This growing concern places an incalculable value on the role chief
information security officers (CISOs) play, as they possess both
technical expertise and business acumen to implement security
strategies that enable business.

However, despite the growing need for the guidance a CISO can provide,
38 percent of 2019 Fortune 500 companies operated without one, and of
those companies, just 16 percent listed any executive at all as
responsible for cybersecurity strategy. In the absence of a CISO,
critical responsibilities are often transferred to IT managers, which
can result in fragmented policies and lax practices that leave systems
vulnerable.

Today, many organizations have turned to virtual CISOs (vCISOs) –
on-call security and business experts who can quickly assess and
manage a company’s many challenges. Additionally, vCISOs can serve as
an interim CISO as organizations look to fill the position
permanently, bring in fresh perspectives for projects and strengthen
overall security and business strategies as an ongoing consultant.

While motivations for considering a vCISO vary, organizations can use
their services to address any or all of the following challenges:

- Manage massive amounts of sensitive data. IBM and the Ponemon
Institute found that an average of nearly 26,000 documents are
compromised with each data breach. A vCISO can quickly determine where
critical data and assets reside and what level of protection is
necessary.

- Sort out organizational complexity. There are any number of
intersecting factors to consider when determining risk, like the
distribution of architecture, the lifecycle of applications, and the
data and technology stack. A vCISO can sort out these complexities and
identify current and future risk factors.

- Assess risk. A vCISO can coordinate efforts to examine perceived and
actual risk, identify critical vulnerabilities and deliver a better
picture of risk exposure that can inform future decisions.

- Identify the attack surface. Organizations face internal and
external threats that are both known and unknown. A vCISO can identify
security blind spots, determine the probability of compromise and
quantify the potential impact.

- Implement compliance. Because vCISOs are well-versed in regulatory
standards, they can implement processes to remain compliant today and
offer strategies that allow the organization to prepare for potential
regulation changes.

When considering a company’s data assets, companies can’t view
security as a set of checked boxes. Rather, security has become a
critical element of business success. Moving forward, we expect to see
vCISOs play a more prominent role in organizations across all
industries. Their technical expertise can help establish a strong and
consistent security strategy, and their business insight will help
companies meet their goals by integrating security measures into
every aspect of the business.
