Considering the value of leveraging a virtual chief information security officer (vCISO)

The Uncharted Path for New Security Leaders

Ensuring the confidentiality, integrity, and availability of information must be at the forefront of any business in today’s environment. While many think they are up to this task, there’s a lot that goes into protecting data. Cyberattacks and data security breaches are at an all-time high in 2020 due to the increase in remote work, and according to a recent Information Systems Security Association and Enterprise Strategy Group survey, 63% of cybersecurity professionals have seen an increase in cyberattacks and security breaches related to the pandemic. This ultimately is a call to all businesses today that we all need to take the proactive steps to remain safe and secure.

A company’s in-house chief information security officer (CISO) is a key component to making sure the risk of a cyberattack or security breach is greatly reduced. The responsibilities of this position are critical for businesses working to protect themselves against cyberthreats, but the reality is, some companies can’t afford to add another member to the c-suite with an average salary of up to $250K. However, there’s another option: a virtual CISO or vCISO.

For a fraction of the salary of a full-time CISO, companies can hire a vCISO, which is an outsourced security practitioner with executive level experience, who, acting as a consultant, offers their time and insight to an organization on an ongoing (typically part-time) basis with the same skillset and expertise of a conventional CISO. Hiring a vCISO on a part-time (or short-term basis) allows a company the flexibility to outsource impending IT projects as needed.

A vCISO works closely with senior management to establish a well communicated information security strategy and roadmap, one that meets the requirements of the organization and its customers, but also state and federal requirements. Most importantly, a vCISO can provide companies unbiased strategic and operational leadership on security policies, which includes:

Guidelines, controls and standards
Regulatory compliance
Risk management
Vendor risk management
Infrastructure planning
Business continuity
Database management

Since vCISOs are already experts, it saves the organization time and money by decreasing ramp-up time. Businesses are able to eliminate the cost of benefits and full-time employee onboarding requirements. Also, if another employee had been handline the responsibilities of a CISO, a vCISO frees up some of their workload, enabling them to take on other priority tasks.

Many in-house IT departments are multi-faceted and may not have the time or resources to properly manage all IT functions, especially as they relate to information security. A vCISO can align a company's information security program to a business's overarching strategy to provide predictive budgeting to senior management.

There are also disadvantages to hiring a vCISO. One is that the vCISO most likely will need time to understand the culture and business operations of a company. Second, depending on the contractual arrangements made, a company can have unrealistic expectations that they are getting a full-time person for the cost of someone who works less than 20% of the time. The truth is, vCISOs most likely have other clients who they are involved with, so unless a company is hiring a vCISO full time, his or her time may be split between multiple companies. Finally, those who market themselves as vCISOs may lack the current knowledge of the industry. While these vCISOs may have years of technical experience, they may lack managerial security experience. Organizations must take care to properly vet a vCISO’s experience.

Information security is complex and everchanging. New vulnerabilities and threats are identified daily. Keeping up with threats, risks, and vulnerabilities is often a full-time job in larger organizations. Developing a strategic information security plan and program is a difficult task, and not everyone has the skills or the time to do it effectively. The right vCISO can provide a business with quality executive level information security experts by collaborating with executive management to make smart decisions on various security, privacy, and compliance requirements and issues.

A seasoned vCISO will have had the advantage of seeing hundreds of companies struggling with many of the same challenges, and knows which policies, procedures, and technologies are best for solving specific problems. Overall, the main objective of a vCISO is to act as a bridge to the business and its technology team by providing a long-term framework that can be continuously modified as information security goals and threats evolve.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

John Roman is President and COO of The Bonadio Group's Information Risk Management and Cybersecurity Division, FoxPointe Solutions. In his role at FoxPointe, he is responsible for all aspects of the operations of a national cybersecurity consultancy.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.