A virtual Chief Information Security Officer (or vCISO) can be a great resource to a company. But how do you know when your company is ready for one? Rob Black of Fractional CISO shares four telltale signs to watch for.
Maybe you have a steadily growing business. Everything is going well, but you wonder: ‘is my firm everything that it could be?’ ‘Is our organization undertaking undue risk, and is there adequate oversight for executives to know the answer to that question?’
These are the kinds of questions a Chief Information Security Officer (CISO) can help a firm answer. But a full time CISO is a big financial commitment, especially in a competitive hiring market. One alternative is to hire a part time (a “fractional” or “virtual”) CISO, who advises a small number of firms, splitting his or her time between them.
Cost and Consistency
Suppose that at your company, there’s a consensus that it’s time to take steps to staff up and focus on good cybersecurity management. Well, why not just hire a full-time CISO?
Just take a look at the price tag! Salary.com lists the average base salary for a CISO to be $220K annually, with $268K in total compensation. In addition to those costs, the CISO is likely to have a team and a budget for that team, making the real cost much higher.
The cost makes a CISO prohibitive for small and many medium-sized organizations. Most organizations of fewer than 200 employees would have a difficult time justifying hiring a full-time CISO. Even larger organizations might choke on the bill. But even if the company “has the money,” that doesn’t mean that hiring a full-time CISO is the right way to spend it.
Then there’s the prospect of turnover: even if the company decides to hire a CISO, you can expect change in the role eventually. CISO’s typically leave an organization within two to four years. This can be challenging for an organization to manage – it degrades all of that value that the firm put into getting a “permanent” CISO, because just a few years later, the company is right back at square one.
A vCISO can make much more sense, where the price tag is measured in the tens of thousands of dollars instead of hundreds of thousands. Companies can also often expect more consistency from a vCISO: a relationship with a good one can last many years; it’s an agile model with much less of a capital outlay up front, which means the company can try it out and see what happens.
Signs a Virtual CISO is Right for You
Certain types of companies have the most to gain from getting vCISO services in place. At my firm, Fractional CISO, we see four main “drivers” for making the hiring of a vCISO even more important.
#1: Your customers tell you
Your customers might be asking you lots of uncomfortable questions such as: “Have you performed a pen test?” “Do you have a security report?” “Do you have a SOC 2 certification?” or “Can my security team talk to your security person?” If you are embarrassed by your answers, then a vCISO is likely to be able to help out, quickly and efficiently, by applying specific professional experience to those questions and their answers.
The vCISO can also implement a plan that puts your organization’s security in the best possible light. vCISOs typically have cost-effective tools that will allow your organization to answer “Yes” to your customers’ difficult security questions – because the firm will have the right industry-specific protections and data in place.
Your technical security person might be able to address some of the issues, but a vCISO is more likely to be able to tackle all of them at once. Then there’s also the question of strong customer skills or “people skills.” Your in-house person may be fully qualified, but if the customer skill set is missing, there is a noticeable gap. One of the traits of a good vCISO is to have strong management and customer skills. Someone who is only focused on technical cybersecurity but doesn’t know how to communicate may not offer the firm the ability to fully capitalize on its planning objectives.
#2: Your regulators tell you
There are regulations, like the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, that literally specify that organizations “shall designate a qualified individual… CISO.”
If regulators say you need a CISO, but a full-time CISO is too expensive or logistically challenging to put in place right away, a vCISO might meet your regulators’ requirements – and quickly.
In addition to NYDFS rules, there are plenty of other regulations to comply with as well. If your organization has regulators to appease, a vCISO can lighten the regulatory burden and make the firm look better to a full range of outsiders.
#3: Mergers & Acquisitions (M&A) demand it
If you are on either side of an M&A deal, a vCISO will help to reduce the risk inherent in the process. As the recent travails of Yahoo and its acquisition by Verizon show, cybersecurity “dirty laundry” can stop or radically change the terms of an acquisition. A vCISO can help you get your company’s security in order so that a merger or acquisition can move ahead smoothly.
If you are the acquiring firm, you want to make sure you understand all of the risks of the company that you are acquiring. What happens when you are Marriott and acquire Starwood without doing the proper cybersecurity due diligence? Okay, so Marriott needs a big cybersecurity team. But the point is that the acquiring company could be undertaking undue risk if the company that they are buying does not have a solid cybersecurity plan.
#4: Your gut tells you
Maybe none of the above three signs apply to you. You may just have a nagging feeling that something is not right. Or maybe you have hard evidence in terms of spotted vulnerabilities, regulatory gaps, or other solid indicators.
Either way, clients can come to us to perform a risk assessment or sign up for a full set of cybersecurity services. Organizations that perceive the risk are often proven correct when they dig into the details. These organizations need to fund security to be able to reduce their risk.
It’s usually not enough to have a set of mid-level people or contractors tackling cybersecurity. Companies need someone looking at the “big picture” and putting together a fully comprehensive plan for cybersecurity.
Suppose the company has a CIO, CTO, Chief Compliance Officer or another executive who covers the whole waterfront – do that person’s other duties spread him or her entirely too thin? Or, a company might use a mid-level technical manager for the cybersecurity role. Again, time and resource issues, issues with buy-in and authority, and other issues can prove that the existing model just isn’t working well.
A vCISO works on the full gamut of cybersecurity duties, including:
- Comprehensive strategy and business environment planning
- Threat analysis and prevention work
- Overseeing all relevant teams and evaluating org structure
- Discovery, triage, remediation and evaluation of threats
In addition, a vCISO can help a business to align cybersecurity strategy and plans. The vCISO works as a top-level resource to make sure that everything is provided for in terms of risk management, compliance, auditing and last but not least, real, vibrant cybersecurity and data and operations protection.