The Case for a Virtual CISO
Organisations today face a dangerous combination of mounting cybersecurity threats and a lack of in-house expertise to meet them. Smaller firms have typically allocated responsibility for information security to a member of the operations or finance team and given IT responsibility for technical cybersecurity. In most cases these responsibilities are secondary to the individual's main role, resulting in problems with prioritisation and conflicts of interest.
As such, it is now commonly understood that having a person, or team, solely accountable for cybersecurity is a necessity if an organisation is to protect itself adequately from cybersecurity threats. Without this, businesses often struggle with the complexity of the interconnected technical, physical and personnel controls that make up a complete cybersecurity framework.
Going beyond this, there is also a need for someone to create strategic security plans, lead cybersecurity risk reduction activities and provide meaningful reporting at board level: this is the role of the Chief Information Security Officer (CISO).
Recruiting a CISO
In common with many cybersecurity roles, demand for CISOs is growing daily while the supply of adequately experienced and qualified individuals remains very limited. It has been many years since the Information Systems Security Association spoke of a missing generation in information security, pointing to an estimated 300,000 to 1 million vacant cybersecurity jobs.
In addition, retaining an experienced CISO can be extremely challenging - according to one Ponemon study, senior security executives leave on average after just thirty months on the job.
This all creates serious difficulties when it comes to finding a CISO for your business. And of course, there is the challenge of judging whether a candidate is the right fit when you don't have the security experience needed to evaluate a CISO properly…
Enter the Virtual CISO
"Renting" a CISO could be the answer. In fact, contracting a virtual CISO can be far more cost-effective than hiring a full-timer: with a virtual CISO there is no need to worry about benefits or monthly overhead.
For smaller businesses, it simply doesn't make sense to invest in a full-time CISO when a virtual one can provide all of the skills needed to draw up a strategic security overview and deliver the big picture.
Larger organisations also often need someone to step in on an interim basis, whether to supervise and advise the in-house security team or simply so that they pay only for the capacity they need.
A qualified virtual CISO will be fully up to speed on the latest best practices. They have experience of a wide variety of scenarios and are well-positioned to train your internal staff. The virtual CISO fills in where you need it most, helping your CIO to create or review your security policies, guidelines and standards. That can entail anything from meeting security standards and compliance requirements to keeping cybersecurity risk assessments up to date.
A virtual CISO can be invaluable. Don't wait until a breach occurs: prevention is always better than cure.
Bob Nicolson | Head of Consultancy