It doesn’t take much these days to realize cyber security is a big topic. We can hardly go a week without hearing about a cyberattack on the latest high-profile target. Facebook, Adobe, Panera and Sony are some recent companies that had big, high-profile breaches. Companies with lots of users, servers or sensitive data need to evaluate their risk position when it comes to cybersecurity. This quickly becomes a conversation about whether to hire a Chief Information Security Officer (CISO). There are a lot of companies out there with a high-risk position that can benefit from a CISO.
Making an infrastructure manager into the CISO
Most organizations without a CISO overlay the CIO with the CISO responsibilities. This can be a conflict of interest. The CIO at times has competing priorities: keeping systems available and making them more accessible to internal customers. The CISO’s main focus is to protect the organization, and the policies developed in pursuit of that goal often create more roadblocks to access; the CISO is not in the business of streamlining processes. Also, a CIO is generally prioritizing based on budget and business demands rather than making decisions based on risk, which creates another conflict.
The CISO position is probably 30% technical and 70% policy, procedure and process. Infrastructure managers have a primary focus on the availability and performance of networks and systems. The CISO has a primary focus on keeping bad actors away. That requires a deeper understanding of regulatory requirements, integration, security and privacy policies, and data governance. The infrastructure manager’s knowledge base is only one component of an overall security program.
When does a company need to hire a CISO?
Ultimately the organization must determine what its risk exposure is and its tolerance of that risk. It needs to consider the number of servers, the sensitive data it holds and its integration with third-party vendors, to name a few criteria. That tolerance must be tempered with the impact on the business, on reputation, and on incident response cost if the organization is attacked. Could it cost the company business? Do major clients leave? Does it violate contracts? Could it hurt the brand and lead to a decline in sales?
There is also a regulatory requirement that needs to be considered. Healthcare organizations, as an example, are required by law to have designated personnel with security credentials who have responsibility for security program management.
Being a CISO takes Training and Certification
Running a network operations center and running a security operations center have a lot of overlap, but they are not the same. The SOC charter extends beyond the uptime of hardware and software. It looks at policies, procedures and the movement of sensitive data. It takes a keen eye toward intrusion prevention and detection, and training in both. Certifications associated with CISOs, like the CGEIT and CISM, take some time to prepare for and are not cheap.
Technology is only one side of the CISO coin. The CISO spends a lot of time on education, policy, procedure and training. The education may be as simple as making sure employees and contractors know how to avoid phishing campaigns. A more involved procedure overhaul could be reviewing the procedures for assigning user accounts and groups. There’s no shortage of companies with plentiful exceptions in their account assignments. Betty is a member of a software development group because she is a programmer. She is put into the Accounting group, as an exception, to get access to some data. Betty leaves the company, but who cleans up that exception? Who has the inventory of these exceptions? Hackers love this.
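The orphaned-exception problem described above is easy to check mechanically once three inputs exist: a role-to-group baseline, an HR feed saying who is still employed, and the directory’s current group membership, plus a register that records who approved each exception and when it expires. The Python script below is an added example and not part of the original article; the role table, user list, group export and exceptions register are all constructed sample data, and the `audit` function, `Finding` type and finding kinds are names chosen here, not from any particular directory product.

```python
"""Audit group memberships against role-based entitlements.

Any membership that the user's role does not explain is an exception.
An exception is "documented" if the register has an owner and an
unexpired expiry, "expired" if the expiry has passed, "undocumented"
if nobody recorded it, and "orphaned" if the user is no longer active
(or has no HR record at all). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed baseline: the groups each job role is entitled to.
ROLE_GROUPS = {
    "developer": {"software-dev", "all-staff"},
    "accountant": {"accounting", "all-staff"},
}

# Constructed HR feed: user -> (role, still employed?).
USERS = {
    "betty": ("developer", False),   # Betty has left the company
    "carlos": ("developer", True),
    "dana": ("accountant", True),
    "eve": ("developer", True),
}

# Constructed directory export: group -> current members.
GROUP_MEMBERS = {
    "all-staff": {"betty", "carlos", "dana", "eve"},
    "software-dev": {"betty", "carlos", "eve"},
    "accounting": {"betty", "dana", "carlos", "eve"},
}

# Constructed exceptions register: (user, group) -> (approver, expiry).
# Betty's Accounting exception was never written down, so it is absent.
EXCEPTIONS = {
    ("carlos", "accounting"): ("cfo", date(2024, 12, 31)),
    ("eve", "accounting"): ("cfo", date(2024, 1, 31)),
}


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    kind: str  # "orphaned", "undocumented", "expired" or "documented"


def audit(role_groups, users, group_members, exceptions, today):
    """Return one Finding per membership not justified by the user's role."""
    findings = []
    for group, members in group_members.items():
        for user in sorted(members):
            role, active = users.get(user, (None, False))
            if active and role in role_groups and group in role_groups[role]:
                continue  # membership is explained by the role: no finding
            if not active:
                kind = "orphaned"  # departed user, or no HR record
            elif (user, group) not in exceptions:
                kind = "undocumented"
            elif exceptions[(user, group)][1] < today:
                kind = "expired"
            else:
                kind = "documented"
            findings.append(Finding(user, group, kind))
    return findings


def needs_action(findings):
    """Everything except a current, documented exception needs cleanup."""
    return [f for f in findings if f.kind != "documented"]


def summarize(findings):
    """Count findings by kind, for a quick inventory."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample(today=date(2024, 6, 1)):
    """Run the audit over the constructed data as of a fixed date."""
    return audit(ROLE_GROUPS, USERS, GROUP_MEMBERS, EXCEPTIONS, today)


if __name__ == "__main__":
    results = run_sample()
    for f in needs_action(results):
        print(f"{f.kind:12} {f.user:8} {f.group}")
    print("inventory:", summarize(results))
```

Running it lists Betty three times as orphaned (she is gone, so even her role-justified groups should be removed) and Eve’s expired Accounting exception, while Carlos’s documented exception shows up only in the inventory count. The point of the register is that every exception has an owner and a date; running this on a schedule turns "who has the inventory?" into a report.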
It's Tough to Find a CISO
A CISO is an expensive hire. It is not uncommon for CISOs to be offered over 200K a year. There is no shortage of companies looking to pay that amount for someone with the right experience. Good CISOs don’t need to look at job boards. These skill sets are in demand, and there are plenty of recruiters out there calling on the bulk of CISOs.
On top of the recruiting fees and base salary, the company still must pay for benefits, bonuses, ongoing security training, PTO, company-specific training and everything else associated with a full-time employee. Having a virtual CISO eliminates many of these expenses.
Skip the Politics / Focus on Cybersecurity
Inevitably, if you are hiring a full-time individual for the CISO, they are going to spend a certain percentage of their time on internal company activities. This could be corporate politics, sensitivity training, HR issues and other activities. While these are important to the company, these activities do not do anything directly to improve the cybersecurity position.
Having a virtual CISO allows a company to have this individual focus solely on improving its cybersecurity activity and reducing its risk position.
Is This Really a Full-Time Job?
For many companies, the actual work of improving the cybersecurity position is not a full-time job. If you are trying to turn an infrastructure manager into that role, it could become a full-time job by the time the training is done.
A fully qualified CISO already comes in with that cybersecurity training, knowledge base and experience, gained from working with other companies. A virtual CISO can immediately improve the cybersecurity position without a lot of extra ramp-up time. In short, the actual work of reducing cybersecurity risk may be less than full-time.
For many organizations, a full-time CISO makes sense. They have enough sensitive data, people, hardware and systems to justify it, and there are benefits to having that expertise in-house and part of the management team. Still, there are companies that need the benefits of a CISO without the full cost of one. These companies are well served to consider a virtual CISO.
Are you finding it harder to locate good technical and IT talent? Many companies find themselves in the same situation. There are better ways to locate and attract the right IT and technical people to your company. Contact us to learn more.