For modern-day companies, information security forms its very own area of operations.
The massive emphasis on data in today’s business environment and the slew of regulations on handling personal information make infosec a vital component of any enterprise.
And just as your marketing and sales departments need competent experts to run and manage them, so does your digital security.
That’s where Chief Information Security Officers, or CISOs, come into the picture.
A CISO is an executive in charge of everything and anything related to keeping your digital information safe. According to the most recent surveys, a majority of companies, and over eighty percent of large corporations, have a CISO on the payroll.
The scope of a Chief Information Security Officer job can be broken down into three basic categories:
- Security Ops: This includes all the real-time analysis of immediate dangers, and collecting intelligence on threat trends and potential vulnerabilities to the company’s network. It also includes managing security protocols for how employees interact with the company’s data assets and hardware.
- Security Architecture: Planning, buying, and rolling out security hardware and applications that are best suited for the business’s unique needs. It is here that the Chief Information Security Officer needs to work with the IT people to plan and design technology with security in mind.
- Governance: This means making sure all of the company’s security needs run smoothly: getting the funding they need, the cooperation with relevant departments, and the attention of other executives.
With this synopsis in mind, you can get a pretty good idea of the broad skill set required for this position. An ideal CISO needs to have an expert level of technical proficiency, be a great manager and implementer, and must also be a top-notch advocate with the ability to coordinate across multiple domains.
Why Go Virtual?
While having a CISO on the team is definitely an asset, bringing on such an executive presents many firms with serious challenges.
First and foremost is cost. The salary for a CISO easily surpasses $150,000 a year. True, the benefits of a secure network far outweigh those costs, but it’s still a heavy price tag for most firms.
Second is the age-old problem of redundancy. As in several other areas of business, information security overlaps with many other company departments: the technology department, the operations department, and, since information security is such a highly regulated domain, any other office that deals with laws and compliance. For many firms, this translates into a conflict of tasking between their CISO and a number of other company divisions. Yet completely forgoing the CISO role produces the opposite extreme. The attitude of “we’ll just hand information security off to Operations” means an already overwhelmed COO won’t keep up to date with day-to-day security tasks, and certainly won’t be able to manage crises when they occur.
What’s a Virtual CISO?
These problems and others are what spawned the Virtual CISO (vCISO).
The vCISO is not a job position but rather a service. A vCISO package is designed to make top-tier security experts available to organizations who need security expertise and guidance on demand. Companies that have information security challenges beyond what can be picked up by their other departments – whether that’s due to lack of manpower or expertise – can contract a vCISO to fill that gap.
Having a vCISO largely replicates an in-house CISO in the most important ways.
One of the more common concerns of not having an on-the-scene security officer is that there’ll be no one to handle urgent security issues as they arise. There are two reasons this concern is unfounded. First off, most of the CISO role consists of routine tasks, not in-the-moment crisis management. But more importantly, taking on a vCISO doesn’t have to mean compromising on emergency response. If managed well, a vCISO service will allow you pretty quick access to advice and consultation when issues come up.
In addition, vCISOs have a huge advantage on the cost end, as paying for this service will be a fraction of a CISO salary. But we’ll touch on the cost factor a bit more later.
Good Vs Bad Virtual CISO
Of course, any shift away from an in-house employee to service will incur trade-offs.
As far as running your information security program goes, the biggest drawback to a virtual service is the lack of hands-on familiarity with your network and company culture.
A CISO who’s physically on-site is going to have (or at least develop over time) knowledge of your network and security practices from the inside. And that’s a big deal. Indeed there are quite a few security issues where this could be a vital asset. With authentication and digital identities, for instance, knowing how company rank-and-file accesses their work stations, what type of information each department is interacting with, and how comfortable individual employees are with a given authentication app, are essential to a well thought out strategy.
Granted some of this ‘distance’ factor can be mitigated if a vCISO knows what they’re doing. They’ll ask the right questions and familiarize themselves with your company and its unique needs. Furthermore, the majority of information security work is generic in any case, and not knowing the particulars of your business needn’t be a hindrance. Still, this is something to keep in mind and certainly something you want to discuss with any provider you’re considering taking on.
How Does a Virtual CISO Integrate With Your Existing Teams?
Ideally, companies taking on a virtual security service will receive a good balance between (a) experienced infosec oversight and (b) guidance for in-house IT personnel. The vCISO should be able to help pull together all the big-picture work and create a plan you can follow. This includes security policies, guidelines, and standards, which means covering all relevant regulation that pertains to your industry (HIPAA for medical firms, for example) and any region-specific rules (e.g., Europe’s GDPR).
At the same time, the vCISO should be capable of coaching your staff and anyone with security responsibilities. This will be key to successfully implementing any business objectives the vCISO will lay down.
This brings us to the issue of communication. All industry experts agree, hiring a vCISO will not act as a replacement for in-house participation in the information security program. There will have to be substantial input on the part of the on-premises staff when actually implementing policies. Even the best vCISO service will not be able to train individual employees, conduct effective day-to-day oversight, and see to all program installations and integrations remotely.
This is why smooth communication with your vCISO provider will be vital. The way to ensure the best outcome is to determine which on-site department will liaise with the vCISO and which executive or team member will be responsible for that. If it’s Operations, great. If you feel the IT department is best suited, that’s also fine. What’s important is to know ahead of time who is taking point. That department can then be the go-between for the firm and the vCISO and ensure any on-site work is taken care of or delegated.
When this model is pulled off successfully, you typically don’t have to worry about office dynamics such as trust/relationship building, rapport, etc. The interaction will be more like a consultant delivering a plan of action which you then implement. But again, this is why expectations must be made clear to your on-site personnel from the outset. Let them understand the vCISO is not going to be an outsourcing of all infosec responsibilities but rather an asset and a guide to the in-office security program.
How Are Virtual CISOs Compensated?
Now, let’s talk about cost.
As we mentioned earlier, hiring your own CISO can be rather expensive. Going with the virtual option can cut the costs of cyber security management by as much as seventy percent. Indeed, the low costs of virtual CISOs compared to in-house ones are usually the biggest selling point of these services. To give a dollar ball-park figure, a good virtual CISO provider will run between $2,000 and $4,000 a month for a medium-sized organization. Keep in mind this cost could increase exponentially with the size of the organization.
Different providers have different payment models; however, an annual retainer-type arrangement is very common. This makes sense considering that, at the end of the day, a big part of what you’re paying the virtual CISO for is to be available.
For a comprehensive guide to how Virtual CISOs are priced, see our article “How Much Does a Virtual CISO Cost?”
What Kind of Organization Is a Virtual CISO Right For?
After understanding some of the dynamics of vCISOs, it’s also important to know what type of organization is best suited for this type of service.
Generally speaking, vCISOs are going to be the answer for two types of organizations.
First are the small businesses and start-ups looking to expand their cyber program. Perusing case studies in security management trends, one sees this as a common theme among companies hiring vCISOs. After achieving a certain level of growth, these companies need help to define and set up a cyber program their in-house tech team can run. The convenience and efficacy of this approach explain the growing wave of firms still in the start-up stage seeking out a virtual CISO.
The second is the company that needs a supplement to an existing cyber security program, or a temporary/interim solution when a specific need arises. A classic case is a firm requiring help with building a more comprehensive plan and incorporating existing compliance programs.
Another frequently seen case is when new legal or technical requirements call for an extra boost of expertise or support. This is common in manufacturing, supplying, and other technical fields as companies reach a certain level of growth or face regulatory change.
How to Choose a Virtual CISO
So many cybersecurity companies seem to offer Virtual CISO services that, frankly, it can be hard to tell which one is ideal.
Some pointers to help move in the right direction are as follows:
Right off the bat, businesses have to determine their budget. Knowing that you have, for instance, a $40,000 annual allotment for cyber security management will help give some initial focus.
Second, and perhaps most important, know your needs.
As we laid out above, virtual CISOs deliver different types of value for your cyber security program. Having an understanding of what you’re trying to get out of your vCISO will be very helpful.
For start-ups and small businesses just beginning to build a cyber program, seek out vCISO providers that have a proven background in this area. When discussing options with a potential hire, ask about your industry-specific needs, with regulations and technical requirements at the top of the list. If the provider cannot demonstrate familiarity with the rules that govern your particular industry, that is probably a red flag.
The same applies to firms looking for a cyber security supplement while continuing to manage most of their program in-house. In general, a good vCISO should be able to tell you how their plan can overlay and integrate with your existing security programs. It is quite unlikely you’ll have to start from scratch, and if a provider tells you that you do, it’s likely a sign you’re being sold a bill of goods.
Last but not least, it is essential to know from the outset how the vCISO will communicate with you and your personnel. This includes who the direct point of contact at the vCISO is and the expected response time in case of a crisis.
Armed with this knowledge, you and your team will be in a much better position to decide on a virtual CISO provider.
Know your requirements. Inquire diligently on how the vCISO can cater to those needs. With this, you’ll be able to extract the most value from your vCISO service.