A recent study on cybercrime confirmed that cyber attacks are on the rise. The average number of security breaches grew by 11 percent in 2019, and the average cost of an attack continues to increase, creeping up to $13 million. It is no surprise then, that many organizations are bringing a dedicated security expert to the C-level, via a Chief Information Security Officer (CISO).
A full-time CISO can be quite expensive (and good ones are hard to find), so many enterprises are going the route of a virtual Chief Information Security Officer (vCISO). It’s a smart way to get the same benefits without the full-time cost.
If you’re considering virtual CISO services, you may have some questions you want answered before you move forward. We have detailed what you need to know about this role, including how to decide if you need one and what to look for in a qualified candidate.
What is a vCISO?
As the name suggests, a virtual CISO performs the same tasks and provides the same insights that a full-time, permanent CISO offers. The major difference, of course, is that a vCISO operates on an outsourced, usually part-time basis. Meetings may be held in-person or remotely depending on the need and nature of the agreement.
Even though the vCISO is not a permanent member of the payroll, the arrangement typically requires a minimum contract length (usually a year or more). This allows the vCISO to get up to speed on your organization and its cybersecurity needs and to stay current as your situation changes. A short-term relationship would be a disservice to your company.
vCISO responsibilities include:
- Conducting a comprehensive analysis of your cybersecurity risk
- Providing strategic and operational insight into your cybersecurity strategy and policies
- Creating and sharing best practices in cybersecurity within the organization
- Overseeing compliance with regulations and cybersecurity frameworks, such as HIPAA, PCI DSS, and ISO 27001
- Ensuring a proper cybersecurity remediation strategy is in place
- Providing ongoing support for the cybersecurity strategy, especially as new threats emerge
The benefits of a vCISO include:
Cost savings—Highly-qualified and experienced CISOs are a hot commodity. Salaries typically go well into the six-figures, with the current average hovering around $227,000. An on-demand, virtual CISO typically costs anywhere from 30-40 percent of a full-time, permanent CISO, making it a more cost-effective choice. Additionally, with a vCISO, you only pay for the time you need.
A holistic view of cybersecurity—A piecemeal approach to security will not protect you from the broad range of attacks. A vCISO provides expert strategic and operational knowledge of cybersecurity and helps design a comprehensive security program that protects every door and window into your organization.
Deeper and broader experience—The knowledge gained from working with companies of various sizes and across industries arms vCISOs with the expert experience and perspective to help you defend against an attack.
Scalability—As your security needs ebb and flow, you can easily adjust the number of hours the vCISO devotes to your company. Due to their work with other clients, they also have relationships and connections they can use to get work done more quickly as your needs change.
Education of your in-house security team—As the vCISO implements new policies and programs, they will pass along knowledge to your in-house IT and security teams that will benefit your organization for the long-term.
Objectivity—A vCISO is not a permanent member of the organization, giving them an invaluable and objective view. They can weigh business goals and provide guidance without being dragged into internal politics.
When do you need a vCISO?
You can’t find (or afford) a qualified permanent CISO
With cyber attacks on the rise, this is not a role you want to fill with an under-qualified candidate. You’re better off outsourcing the job to someone who has the strategic knowledge and business insight to help you create a comprehensive and effective cybersecurity strategy. Additionally, depending on the size of your company, you may not even need a full-time CISO.
You have a specific cybersecurity project that needs expert attention
If you don’t have a full-time CISO, but you’re starting work on a big security project, a vCISO can make sure your project is completed successfully. For example, if you need to comply with a specific cybersecurity framework (or more than one), a vCISO can oversee the project to make sure you avoid penalties and the reputational damage that comes with non-compliance.
You need an interim CISO
It can take a long time to find a qualified CISO, while a vCISO can quickly come on board and get up to speed. You can take your time searching for the right candidate without having to worry that security isn’t getting the attention it needs.
You have critical data to protect
If your company stores or transmits data of any kind that needs protection, someone needs to be making sure the right steps are taken to prevent a breach. While financial and health data are often the first to come to mind, a breach of any kind can have damaging long-term effects on the business regardless of your industry.
You want to prepare and defend against a cyber attack
In today’s world, it’s not a matter of if you will be attacked. The question is when. A vCISO makes sure you have the proper defenses in place to reduce the risk of an attack and that an effective remediation plan is ready to launch should one occur.
What should you look for in a vCISO?
- Experience—A vCISO who has worked in many industries has gathered more knowledge that can benefit your organization. Ask about the types of companies they have worked with and the kinds of cybersecurity issues they have handled.
- Speed—A qualified candidate needs to gain a deep understanding of your business and cybersecurity needs and risk quickly.
- Responsiveness—When an attack occurs, you need help immediately. If a candidate is not getting back to you right away, this is a sign they may not be as quick to respond in an emergency.
- Personability—A good vCISO knows how to provide guidance without making waves. This is particularly important in this type of outsourced role in which the vCISO needs to work well with permanent, full-time C-Suite executives.
Now more than ever, it’s essential to make sure all of the pathways into your systems are locked. A qualified vCISO brings the operational and strategic vision to your cybersecurity program so you’re less likely to suffer from an attack and ready to spring into action should one occur. Protect your business with a comprehensive cybersecurity strategy and program without breaking the bank, courtesy of a virtual CISO.
