- Principia Raid
Searching for an effective CISO? Here's why going virtual can deliver the best value....
In today's challenging threat landscape there are still many companies that have not employed a CISO (Chief Information Security Officer). At the end of 2019, according to data from ISACA (Information Systems Audit & Control Association), an international IT governance group, about 72% of organizations had a Chief Information Security Officer.
Sideways question - what does a CISO do? (Yeah, yeah, you probably already know this) A CISO is a company's Chief Information Security Officer who typically sits at the C-level table or reports into the CIO (Chief Information Officer) and uses their breadth and depth of experience to help companies establish a strong cybersecurity program, adopt effective cybersecurity policies and drive the implementation and operation of effective information security programs. Many CISOs 'tick the box' but a GREAT CISO protects a company from suffering data breaches, loss of intellectual property, and potentially costly and disruptive legal problems.
Also according to ISACA's 2019 survey, less than 55% of companies have increased their budget for Cybersecurity in the last year. The increasing threats to your data PLUS the tightening of available spend on InfoSec equals a pretty serious problem, evidenced by all of the breaches in the news on a daily basis. On top of that, for many small to mid-sized organizations where budgets are already tight, hiring a full-time CISO may be a luxury they can't afford. And let's be honest - talent doesn't come cheap, especially in this area. Hiring any CISO is expensive - hiring a leader for your InfoSec function that actually knows what she or he is doing will set you back on average at least $240K annually before bonus and other costs, so the fully loaded FTE cost for this one stacks up pretty fast. If your requirement is in a high demand region that number goes up significantly with top CISO salaries in some US metros hitting $380K plus. Take that and add the current shortage of qualified CISO candidates with relevant experience in today's market and you're potentially going to pay too much for not enough value.
This cost and availability equation has created a pretty significant problem, as evidenced by the continuously increasing data breaches.....because finding a great CISO can be challenging AND cost-prohibitive, many organizations are simply forgoing the requirement even though they have a legitimate need. Some organizations may only need a CISO for a specific project or program with a short timeline and set budget. Other companies have had problems hiring and retaining the right candidate. With all of these challenges, the role of a virtual CISO (vCISO) has emerged as a more viable option for many organizations.
Simply put, a virtual CISO is a Chief Information Security Officer on retainer - it's the same job description and same responsibility set. It's the same senior level executive accountable for establishing the enterprise vision, strategy and information security program to protect the business data and valuable intellectual property. The vCISO role just happens to be ourtsourced and not onsite full time, which can deliver some serious benefits and economies of scale. This approach helps businesses only pay for as much CISO as they need, which often is NOT a full FTE role. Why pay for a full time role to simply answer the same contract security questionnaires over and over again when you could just engage the right expertise on-demand? Wouldn't it be both more convenient AND more cost-effective to have the skills in place only when you need them instead of all the time? Think of a vCISO like just-in-time supply chain inventory management - the resources you need show up just when you need them so you're not incurring extra costs.
Let's be clear - there are LOTS of companies whose security programs may require a full-time CISO in-house. Even here there can still be value in having a vCISO service to assist these companies when they need to scale their efforts or when more specific expertise may be necessary in a certain area of concern, not to mention the regulatory assessments that require third-party arms-length objective services or audits.
When the vCISO use case makes sense for an organization, however, there can be some SERIOUS benefits. Arguably, some companies with full-time in-house CISOs would be getting more overall value from moving to the vCISO model. WHY? What are the advantages of this approach?
VALUE - the vCISO approach can be incredibly cost-effective. The on-demand model makes more fiscal sense in so many scenarios, which is why the industry has been trending in that direction. You get to decide how much CISO you need and pay for that amount only. You can still leverage your IT security investment with lower cost in-house analysts or engineers who will work at the strategic direction of the vCISO. No benefits costs. No onboarding costs. No relo costs. Immediately effective.
EXPERIENCE/EXPERTISE - even if you're paying for the in-house skill, how do you know you're getting what you're paying for? Unfortunately you likely won't know.....until it's too late. Most companies don't discover their security vulnerabilities until they're remediating the damage post-breach. The main benefit of the right vCISO service is the track record and proven expertise of the team you're hiring. The combination of business and security skills drives immediate value when you're hiring the experts who have been there, done that, got the T-shirt (and the bruises from years of real experience). The vCISO service typically allows many companies to punch above their weight class by hiring expertise on-demand that they couldn't afford full time. It's simply a better approach to rely on a team of industry veterans to define, implement and monitor your security program.
MATURITY/METHODOLOGY - onboarding a CISO because you either didn't have one or have hired a new one (hopefully not as a result of a post-breach exercise) typically involves an assessment and strategic review of current InfoSec plans/tools and programs to ensure the approach is right-sized for the business. Underspend AND overspend are common problems. A decent CISO should be able to handle this. A vCISO service, however, lives and breathes this - it's what they do. The right team will bring a tried and tested methodology for analyzing operations, classifying your data and analyzing risks, delivering a policy framework and data monitoring regime to protect your assets. Additionally with the evolution of regulatory frameworks today (CMMC, anyone?) it's gotten WAY more complicated to shoulder the burden in-house.
ADAPTIVE - one of the main advantages of any 'as-a-service' model is the scalability. If you're using any software-as-a-service it's likely because it's easier to scale and more cost effective that doing it in-house or on-prem. Guess what? Same goes for vCISO and the associated information security services. Need more data security for a new contract? No problem. The service and team can scale. Don't need as much anymore? No problem. Big audit requirement coming up? Great - here's some more help. Audit done? See you next time.
INDEPENDENCE - Does your company suffer from 'Green Shift' - the projects are failing but by the time the status reporting gets to the boardroom the red and amber lines have mysteriously turned green? Navigating the in-house politics connected with being the bearer of bad news can be disastrous to a career, so it's not unusual for any board-level exec to be concerned about the reliability of the data they're presented. Guess what? The vCISO service is free of politics or agendas, with an objective viewpoint similar to a third-party auditor. You might not like the answers, but you'll get the real ones, not the just the shiny ones.
RELATIONSHIPS/CONNECTIONS - also closely related to the experience benefit, a good vCISO will have the right set of established industry connections and relationships to bring to bear when necessary as well as the history with many different toolsets. From helping to select the right MSSP (Managed Security Service Provider) to the failings of some common endpoint security tools in use, the right team will know what to do and who to bring in. They've seen your problem before and fixed it. And if they haven't they know exactly who can. If you do this the right way you're not just retaining a single team, you're engaging with the entire InfoSec community.
So...if you're thinking that this all sounds like sunshine and butterflies and bunny rabbits, why shouldn't EVERYONE who has real information security requirements just go ahead and outsource the whole thing? That's a great question and there are some real reasons to keep things in-house when it makes sense - like all CyberSecurity concerns it really does come down to your individual requirements. While retaining a vCISO service can usually be more cost effective there are some gotchas if you don't approach it the right way.
Companies who've had a bad experience with outsourcing their InfoSec tend to have the same complaints. Response times can suffer if you don't consider your specific SLAs (service level agreements) as part of your engagement. If you retain a company that's juggling too many clients, you won't get the level of attention you're expecting, which is why it's key to right-size the agreement and make sure that's reflected in the Ts and Cs. And while the independence factor discussed above is something that the C-level and the Board will appreciate it can cause some concern with any existing in-house IT Security staff who will be worried about getting impacted if they're not doing their job effectively. It's also critical to consider the scale of the engagement. While overall it can be more cost-effective, if your requirements scale quickly or you have a major breach to remediate or if the risk you actually have is higher than the risk you THINK you have it can lead to short term investment that may be higher than expected.
What's the point of all this? Just like your business changes over time, so should your approach to information security. There's a good chance you might be spending more than you should. There's also a good chance you might be spending less than you should. And there's a chance that you might be able to be smarter in how you invest in your information security. We can help.