Why SMBs Should Go Virtual with the CISO Role
Chief Information Security Officers (CISOs) may not be the most famous people in the technology world. Most likely, you cannot name the CISO of Facebook, Microsoft, Google, or any other tech company, for that matter. However, these executives are among the most important people at their companies. They may not make or market the products, but what they do is just as critical. In this article, we will explore the CISO role and how, with the right partnership, a company of any size can employ the skills and knowledge of a CISO on a virtual basis.
The CISO role dates to 1994, when financial services company Citigroup set up a specialized cybersecurity office after suffering a series of cyberattacks. These attacks signaled that cybersecurity could no longer be buried in the IT department’s long to-do list. Rather, Citi decided cybersecurity needed the resources and organization of its own specialized department.
Since then, both the cybersecurity department and the CISO role have evolved into various forms, but the mission among all of them is still the same. A CISO is the organization’s senior-level executive responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The key phrase in that sentence is ‘senior-level executive’. Though functions of the CISO may still be incorporated with other high-level roles such as the Chief Information Officer (CIO) or Chief Technology Officer (CTO), the CISO is the executive with the power and influence to shape policy to better align it with the company’s cybersecurity goals.
The full-time CISO
CISOs are often tasked with working with and directing other business functions to maintain the cybersecurity pillars of confidentiality, integrity, and availability. This responsibility makes independence in their position essential. However, if you are a small or medium-sized business (SMB), you may not have the resources to properly hire, train, or retain a CISO. According to salary.com, CISO compensation in urban markets is high, in the $300,000 to $400,000 range. What’s more, a full-time CISO may not be warranted if your firm does not employ a full-time IT staff. Many SMBs outsource the setup and maintenance of their IT infrastructure to a managed service provider. If this is the case, then a full-time CISO may not make sense for your business. However, the responsibilities and duties of a CISO are still critical to your organization. Cybersecurity still needs to be a priority, as a breach of sensitive or personal information, or a successful ransomware attack, could spell financial doom for your firm.
So, if your company still has an obligation to meet its cybersecurity needs, but it is impractical or impossible to hire a CISO, what do you do? Enter the virtual CISO (vCISO).
Partnering with vCISOs
A vCISO is a person or team that is not employed by your firm but can be hired to manage the CISO responsibilities for you. One might ask: having decided your firm neither needs nor can afford a CISO, why in the heck would you consider a vCISO, who is not even employed by your firm? To answer this question, we first need to examine what a vCISO is.
Yes, a vCISO is not a person directly employed by your firm. Rather, they are an outside vendor, thus ensuring a fiduciary relationship. It’s also important to note that, more often than not, when you hire a vCISO you are not hiring an individual person. Since most vCISOs are not tied to a single client, they are often hired as part of a team that usually works with a Managed Service Provider (MSP). This matters when evaluating vCISOs and choosing which one to partner with: you are not just evaluating the vCISO, you are evaluating the team and resources the vCISO will call on to fulfill their duties. A vCISO with a robust MSP behind them can be a major asset to your company. In short, a vCISO is a CISO, meaning a cybersecurity expert, who is dedicated to your firm through a service level agreement (SLA).
We have compared the vCISO to the CISO and established why hiring a virtual executive can be well within your firm’s reach. Now let’s look at why hiring a vCISO can have a positive impact on your company’s security posture. Much like a CISO, a vCISO is a cybersecurity professional who brings your organization critical, up-to-date knowledge on cybersecurity technologies, techniques, and methodologies. A major advantage of the vCISO, however, is they can customize their offerings to your firm’s needs. Have a major compliance project you need completed for regulatory purposes? Feel that your current firewalls no longer fit your environment? Thinking of a move into the cloud? A vCISO can act as a much-needed leader providing direction and a roadmap to accomplish these goals.
In addition, your vCISO can ensure your company’s cybersecurity posture is robust and can serve as a resource coordinator should an attack occur. Virtual CISOs can also focus on your organization’s high-level cybersecurity needs: policies, guidelines, compliance standards, risk tolerance, threats, risk acceptance and mitigation, and other cyber-needs. From a management perspective, a vCISO will allow your internal IT team to focus on day-to-day infrastructure upkeep and you to focus on running your business.
Executive leadership at a fraction of the cost
To recap, a vCISO is a person or persons who can draw on a wealth of industry experience to lead your organization’s information security efforts. The vCISO can bring a perspective your organization may not have. Even better, a vCISO who works within an MSP can call on their team’s knowledge and experience to improve your firm’s IT infrastructure and posture as well as provide incident response when necessary.
To some, a vCISO might seem like any other outsourced cyber service, such as threat monitoring. It’s important to note, however, that services such as threat monitoring are focused on one aspect of the business while the vCISO has a much broader scope. A vCISO functions as your firm’s high-level cybersecurity executive for a fraction of the cost.
Learn more about Infoaxis vCISO services
Our cybersecurity solutions help ensure your organization’s defenses are in place and deployed effectively. To learn more about our vCISO and managed services offerings, visit Infoaxis.com or contact us to get the conversation started.
About the Author
Joshua Silberman, CISSP, CCSP, CISA, is a cybersecurity leader responsible for the direction, design, and development of cloud transformation and cybersecurity at IT4cannabis.
Reach Joshua at 201.236.3000 or firstname.lastname@example.org.