Ensuring the confidentiality, availability, and integrity of a company's, their users', and their customers' information must be top priority for organizations, but it's easier said than done. Data security breaches and cyberattack threats are occurring more frequently – according to a recent Information Systems Security Association and Enterprise Strategy Group survey, 63% of cybersecurity professionals have seen an increase in cyber-attacks related to the pandemic – which means businesses today need to take additional steps to remain secure.
An organization's in-house chief information security officer (CISO) is critically responsible for establishing and maintaining the enterprise information security vision, strategy, and program to ensure information assets and technologies are adequately protected. However, the reality is, some companies (particularly small- to mid-sized businesses and nonprofits) do not have a need for a full-time CISO or the financial resources to add another member to the C-suite, not to mention their 6-figure salary. For those organizations, there's another option: a virtual CISO (vCISO).
For a fraction of the salary of a full-time CISO, companies can hire a vCISO, which is an outsourced security practitioner with executive level experience, who, acting as a consultant, offers their time and insight to an organization on an ongoing (typically part-time) basis with the same skillset and expertise of a conventional CISO. Hiring a vCISO on a part-time (or short-term basis) allows a company the flexibility to outsource impending IT projects as needed.
A vCISO will work closely with senior management to establish a well communicated information security strategy and roadmap, one that meets the requirements of the organization and its customers, but also state and federal requirements. Most importantly, a vCISO can provide companies unbiased strategic and operational leadership on security policies, guidelines, controls, and standards, as well as regulatory compliance, risk management, vendor risk management, and more.
Since vCISOs are already experts, it saves the organization time and money by decreasing ramp-up time. Businesses are able to eliminate the cost of benefits and full-time employee onboarding requirements. Also, if another employee had been handling the responsibilities of a CISO, a vCISO frees up some of their workload, enabling them to take on other priority tasks.
As an example, I am currently the vCISO for four companies ranging in size from 40 employees up to 15,000. My typical responsibilities include ensuring compliance with state cybersecurity guidelines such as New York's SHIELD Act or Massachusetts's Cybersecurity Regulation – both of these regulations require companies to have a CISO. As a vCISO, I prepare annual information security budgets, identify key security initiatives for the coming year, perform annual risk assessments, work with technology vendors on behalf of my clients, and provide advisory services to senior management on the latest information security threats. In any given month, I spend 4-20 hours per client.
Many in-house IT departments are multi-faceted and may not have the time or resources to properly manage all IT functions, especially as they relate to information security. A vCISO can align a company's information security program to a business's overarching strategy to provide predictive budgeting to senior management.
For organizations that already have a CISO, a vCISO is particularly useful as a trusted information security advisor to the present CISO. If you're a growing organization, or between CISOs, then a vCISO will help avoid rushing the long process of hiring the right full-time CISO.
There are also disadvantages to hiring a vCISO. One is that the vCISO most likely will need time to understand the culture and business operations of a company. Second, depending on the contractual arrangements made, a company can have unrealistic expectations that they are getting a full-time person for the cost of someone who works less than 20% of the time. The truth is, vCISOs most likely have other clients who they are involved with, so unless a company is hiring a vCISO full time, his or her time may be split between multiple companies.
Finally, those who market themselves as vCISOs may lack the current knowledge of the industry. While these vCISOs may have 30-40 years of technical experience, they may lack managerial security experience. They may also have been out of the industry for several years due to retirement or downsizing and have not kept up with security industry trends, rules, regulations, and models. Therefore, care must be taken to properly vet a vCISO's experience.
Information security is complex and everchanging. New vulnerabilities and threats are identified daily. Keeping up with threats, risks, and vulnerabilities is often a full-time job in larger organizations. Developing a strategic information security plan and program is a difficult task, and not everyone has the skills or the time to do it effectively. The right vCISO can provide a business with quality executive level information security experts by collaborating with executive management to make smart decisions on various security, privacy, and compliance requirements and issues.
A seasoned vCISO will have had the advantage of seeing hundreds of companies struggling with many of the same challenges, and knows which policies, procedures, and technologies are best for solving specific problems. Overall, the main objective of a vCISO is to act as a bridge to the business and its technology team by providing a long-term framework that can be continuously modified as information security goals and threats evolve.