How expert virtual CISOs can protect organizations – and save resources
Strategies to address the limited applicant pool in the cybersecurity industry
The chief information security officer (CISO) is a critical internal information security resource who ensures your organization’s technology and information assets are protected. Trouble is, there aren’t enough to go around.
With a 0% unemployment rate in the cybersecurity field, businesses are often hard-pressed to find the right candidate, leaving their entire systems vulnerable to security threats.
If you don’t have the skills, infrastructure, or resources for optimal cybersecurity, what are your options? In our two-part series about addressing the limited applicant pool in the cybersecurity industry, several of our experts share their advice about the best course of action for your organization.
If your organization does not have the skills to define its current and proposed future state around cybersecurity, what are your options?
Derek Gabbard: You have a few options. The first is to do the reading and grow your skill set internally. This, however, comes with its own risks and can be time consuming. You can also hire a CISO. But this is not always easy.
Alternatively, you can bring in strategic consultants and virtual CISO (vCISO) players to lay out a roadmap for your organization, accelerating knowledge acquisition while keeping your chain of command intact. From a more hybrid standpoint, a vCISO can also take on an advisement role, coaching your team through the intricacies of the necessary cybersecurity measures.
Brad Bowers: To build on Derek’s points, it’s common to see organizations utilize a vCISO to lead specific high-profile cybersecurity programs or initiatives. Sometimes this is because of security resource limitations, but it is more often because of a lack of internal expertise in a specific area.
As an example, many industry verticals — financial and healthcare sectors — have highly complex compliance and regulatory cybersecurity requirements. By leveraging a vCISO, the organization can better ensure they are aligning with these requirements while simultaneously helping transform their technologies, processes, and workflow to be more secure.
What is the value of a virtual CISO, and how can the role be most effective?
Garth Whitacre: A vCISO’s value is threefold. First, it can save money and resources by eliminating the need to recruit, hire, and incorporate an in-house employee at an organization. Secondly, he or she can act as a mentor to internal staff, educating and empowering them with the tools needed to redefine their security methodologies. And lastly, the vCISO can alleviate some of a CISO’s workload, which encompasses compliance, privacy, legal, and more.
Brad: Additionally, vCISOs are sometimes brought in to provide a fresh perspective or to help affirm or validate senior leadership’s direction. This stems from the simple fact that effective cybersecurity within an organization is often about finding “balance.” Balance between security controls and business needs.
If security is too restrictive or burdensome, the business will suffer or users will circumvent security controls. Too permissive and the organization may get compromised or experience a data breach. Senior leadership will often solicit feedback from a vCISO or external counsel to validate security direction and ensure the right balance between business and security.
How should a virtual CISO be positioned within an organization?
Derek: It depends. Most vCISOs operate from a strategy and advisement level, typically interacting with the senior executive and governance levels within the organization. Some are brought in to respond to a security incident — they roll their sleeves up and do the work to address the issue.
From a more proactive perspective, a vCISO can also be brought on to navigate specific regulatory or governance issues as mentioned before, or to prep for an IPO, acquisition, or other strategic events that require tactical execution.
Does the virtual CISO typically create a communication plan for the new policies and processes?
Garth: Other than asset discovery, change management is probably the most important component for securing an IT program. Without enforcing a change control process, systems will suffer configuration drift, unauthorized or unwanted systems will be deployed, and the risk to the environment itself will increase. Change control, along with the other defined processes derived from developed policies, will help determine what type of staffing is required and how tasks must be prioritized.
Brad: A vCISO plays an important part in both the communication and development of new policies and processes. As we discussed, the vCISO should have their thumb on the pulse of the business, IT, and security practices. From this vantage point, they can effectively advise and provide clarity around new policies and processes that support business and security goals.
Additionally, a vCISO will often work with internal stakeholders and IT to ensure the right types and amounts of security controls are woven into new policies and processes. This is often critical because of the need to align with compliance requirements and security best practices.
As cyberattacks mount and become more complex, organizations must put extra stock into ensuring they’re sufficiently protected against threat actors. This may be more challenging with a 0% unemployment rate for the cybersecurity industry, but there are steps you can take, including investing in a vCISO.
A vCISO can take on many of a CISO’s typical roles and responsibilities without being integrated as a full-time employee, can help redefine your security strategies, and can be an invaluable resource to your staff. And if you’re searching for the right partner to take on this position, we’ve got you covered.
Learn more about how SHI’s virtual CISO solution can help assess and address your cybersecurity needs while saving you time and resources.
In the second part of this series, we examine how SHI can help take a vCISO to the next level.