If your company is like most, you’ve grappled with the high cost of a Chief Information Security Officer (CISO) and/or a shortage of qualified candidates—either to serve as your CISO or to “fill in” any knowledge gaps in your technical staff.
A recent worldwide Ponemon Institute survey of IT security personnel showed that 73% of respondents find their organization has trouble attracting and retaining qualified candidates. As a result, their organization's upper-level IT security functions are typically understaffed.
This means that not only are large companies hard-pressed to find and retain a well-seasoned and highly experienced person in this position, their IT security resources are often stretched far too thin. Projects are neglected or assigned to staffers with inadequate expertise in a certain area.
Small to mid-size businesses have it even tougher. They’re usually not even in the game, thanks to the high salaries CISOs command. They sit on the sidelines as non-technical c-suite execs try to figure out the company’s basic needs.
In this age of an increasingly hostile cybersecurity threat environment, it’s imperative that your company is armed with employees with stellar technical expertise. If you’re having a hard time finding or affording a CISO, one potential answer is a virtual CISO (vCISO).
vCISO to the Rescue
A vCISO is an excellent solution for businesses of all sizes. This intelligent solution to cybersecurity is an idea that has come into its own and made top-echelon personnel accessible for even small companies.
Here are some advantages a well-rounded vCISO can offer your business:
1. Serve as an Interim Solution - If your CISO moves on to another position or leaves due to financial issues, the vCISO can fill in the gaps in your team.
2. Be Cost-Effective - A vCISO is usually a fraction of the cost of hiring an experienced and knowledgeable CISO. The virtual CISO possesses the same skills and answers as a CISO—and sometimes, has even greater knowledge. This can be especially true when a vCISO is actually a team of experts working together as opposed to one person.
3. Supplement Resources - Many times a business will have resources stretched thin, due to maternity leave, job transitions or illness. A vCISO can handle ongoing projects and help with specific coverage while the employee is out. A vCISO can also serve as the right hand of a CISO who has knowledge gaps or is just spread too thin.
4. Maintain Institutional Knowledge – Remember that talent and retention issue we mentioned earlier? The average CISO remains in his or her position for just two years. This means that institutional knowledge often suffers upon the CISO's exit. However, having a vCISO in place as a supplemental advisor means the knowledge base remains intact, even during transitions. Plus, finding a new CISO can take weeks or even months; if there’s a breach or other crisis during that time, a vCISO is already up to speed.
5. Train New CISOs – If you promote someone who has risen through the ranks with purely technical knowledge, they may need help gaining the business skills needed to present to the c-suite and board. Conversely, if you have a new hire from outside, there’s always a learning curve and often the CEO lacks both the time and the technical knowledge to get them up to speed.
6. Advise the c-suite – As mentioned above, CEOs usually lack technical skills. Virtual CISOs with tech and business skills can map the threat landscape, highlight regulatory requirements, define an appropriate strategy, and build a roadmap for the entire system.
7. Build a business advantage - When it comes to information security, there is a tendency to view it as IT-centric or entirely IT, while a great vCISO views it as a business process that involves a lot of IT. For example, security scores are becoming very important during a partner selection process. A vCISO can help with all the processes that boost that score and work on other projects where tech can further your business strategy.
8. Serve as a neutral party – Everybody's got a vested interest within an organization. This usually means there are, at least to some degree, competing interests. A vCISO can be an objective third party that tactfully “speaks the truth” and builds bridges with different parts of an organization. A trusted partner who isn’t aligned with any internal interests means your business gets truly useful advice.
9. Meet Regulatory Requirements – When companies work with the federal government for the first time and are faced with all the checklists, they often realize that they need some outside assistance. (It’s also not uncommon, in our experience, for companies to initially try to wing their way through the requirements and run into obstacles.) A vCISO with experience in these matters can make the process quicker and easier.
What should you look for in a vCISO?
Here are some qualities that will ensure you find a good fit for your organization. Look for:
- Adaptive intelligence – While this is obviously crucial for a vCISO who is usually jumping into fast-moving situations, learning isn’t just about tech. When you interview, be sure candidates can quickly grasp your business’s environment, needs, and strategy.
- Technical skills – Okay, we admit this one is obvious. Still, make sure you have a good handle on the duties and corresponding skillsets you want your vCISO to have.
- Business acumen – This is often overlooked, but we can’t emphasize this enough—business skills are crucial. A combination of tech and business ability is hard to find in a CISO, but is often accessible—and much more affordable—in a vCISO.
- Great communication – Make sure your vCISO is skilled when it comes to presentations, especially ones that involve the c-suite and board.
- Varied expertise – If you want a deep breadth of knowledge, your best option is often a team approach. A group of experts naturally has a broader expanse of experience and skills; this is especially important with vCISOs, since they are often filling a gap in the company’s knowledge. For example, you may initially bring in a vCISO to help with regulatory requirements, but realize you have broader needs in the long-term. A team can ensure that you have access to the resources to do that.
- Vendor-neutral suggestions – Your vCISO should not have a vested interest in making money off products they suggest. We believe this is a very important screening question in interviews.
- Flexible pricing – A vCISO should work with you to put together a package that gives both of you what you need at a price you can afford.
What Types of Industries Would Benefit from a vCISO?
The use of a vCISO is becoming popular across many businesses, such as:
When a business has short-term needs and a tight budget, a vCISO can come in pretty handy. The vCISO is affordable and efficient, and does not require the time and money needed for recruiting, hiring and training new team members.
The tasks that a vCISO handles will vary according to the job requirements. The contract between the vCISO and the business will list the necessary functions. Typically, a vCISO provides these central tasks:
- Creating threat intelligence
- Managing the business's security
- Providing privacy and security standards, policies, and guidelines
- Engaging with executive management
- Directing Information Security teams
- Running risk assessments
If you’d like to learn more about Cadre’s vCISO or Fractional CISO solutions, please contact us. We’d love to help you find a solution that fits your needs and budget!