security Technology Reviews

Why your Company Needs a Virtual Chief Information Security Officer

Organizations looking to establish and run an effective cybersecurity program but cannot afford a conventional CISO should consider virtual options.

With national surveys showing recent total cash compensation ranging from $208K to $337K per year, hiring a full-time Chief Information Security Officer (CISO) may not be within reach for most small or midsize businesses, despite increasing regulation focus on information security in the wake of high profile data breaches and compromises in recent years.

An effective information security strategy requires a layered, cross-functional approach that spans all areas of the business. Contrary to the common conception that security is purely a technical discipline and just another job function of a typical IT manager, an effective security program spans technology, operations, finance, human resources, legal and more.

As such, designing and operating such a program requires not just a strong background in the technical aspects of cybersecurity but in the business aspects as well.

The good news for organizations looking to build an effective cybersecurity program and engage the appropriate leadership in their organization is the developing trend in “virtual” or “fractional” CISO offerings.

A fractional or virtual CISO enables smaller organizations to access to the same caliber of cybersecurity leadership as their larger counterparts but at a level of engagement and cost appropriate to their size and level of need.

And, with the high cost of hiring competent talent and the continued skills gap in the cybersecurity profession, this growing trend toward fractional services is great news.

So you might be wondering…

What is a Virtual CISO (vCISO)?

A Chief Information Security Officer (CISO) is an executive leader responsible for designing, implementing, and managing an organization’s information security program, focusing on mitigating and managing cybersecurity and business risk at a level acceptable to the business.

Some of the common duties and responsibilities of a CISO include, but are not limited to:

  • Strategic information security planning and guidance
  • Security program development and management
  • Policy, procedure, standard, guideline creation, and maintenance
  • Risk/security assessments (internal and third-party)
  • Compliance
  • Security control design, selection, tailoring, and scoping
  • Audit preparation and remediation
  • Building internal security team (hiring, mentoring/upskilling for promotion or additional duties)
  • Assist with vendor evaluation and selection for security products and services
  • Security program metric development and reporting
  • Third-party/vendor risk management
  • Business Impact Assessments
  • Business Continuity/Disaster Recovery Planning

Much like a full-time resource, a Virtual CISO (vCISO) is equipped to assist with any or all typical duties associated with running an organization’s security program but does so at a fractional level with a mix of consulting, advisory, coaching, and project management and implementation tailored to the needs and situation of the business.

Despite the greater availability of qualified cybersecurity leadership and increased focus on and awareness of cybersecurity risks, many organizations still mistakenly overlook their need to develop and run a formal, measurable cybersecurity program. Some of the common reasons for this misconception include the following:

We are not a government agency or subject to regulation.

Although you may not be subject to regulation, you are still expected, and therefore liable, for exercising due care and performing due diligence in leading a business organization. In the event of a data breach that results in the disclosure of personal data, significant interruption of service to your customers, or other damages, you may be subject to financial liability, particularly if there is clear evidence of negligence regarding information security. Furthermore, the damage to your reputation in the court of public opinion and the loss of trust with your customers may be even worse.

We are too small to be a target.

Possibly, but you are also not an island by yourself, either. The surprising expansion in ransomware raids such as WannaCry and Petya/NotPetya indicates that no one is immune to these attacks. In an increasingly interconnected and often outsourced digital world, third-party risk and associated “supply chain” attacks are becoming increasingly common and have resulted in some of the most devastating attacks over the past several years. Unless you are carefully managing your overall security posture and risk associated with your third-party vendors and suppliers, then make no mistake – you may very well be at risk for an attack that could end your business.

We don’t have anything anybody would want.

Are you sure?

Would you be in business if not?

As a test, try disabling or preventing access to various systems and data and see whether you can continue to deliver your products or services and generate revenue. The degree to which you can (or cannot) operate is the degree to which you rely on the reliable availability of the applications and data you use to conduct business. And maybe you’re not the target, but if you’re using major vendors such as Microsoft, Google, Amazon, and others. You can be sure they are targets, making you a target by association.

We can’t afford to employ a CISO, so we will place an IT manager or engineer in charge of security.

To be truly effective, information security needs to span all areas of the business – not just technology. While technical cybersecurity controls are important in ensuring the organization’s security posture, so are administrative controls such as policies, procedures, standards, and guidelines, along with physical controls.

As recent high-profile incidents have underscored, information security is a business issue more than a purely technical one. Whether it is a major data breach, major hurricane or natural disaster, war or other threat that impacts business operations and the ability to fulfill its mission, a holistic approach to information security is needed to anticipate, monitor, and address the many and varied threats that pose risks to the business.

This role requires a resource with both technical and business, operations, finance, risk management, and leadership experience.

Why Choose K3 Virtual CISO?

K3’s Virtual CISO offering can provide Information Security leadership to your organization at a fraction of the cost of hiring a full-time executive.

All our virtual CISOs have accomplished professionals with senior-level management and leadership experience and multi-disciplinary backgrounds spanning cybersecurity, operations, information technology, and risk management, making them well suited to engage with your executive team, management, board of directors and to represent your company externally to auditors, regulators, vendors, and clients.

As a member of your leadership team, they play a key role in helping to develop, implement and operationalize a comprehensive and effective security program to satisfy compliance requirements, mitigate risk and provide a level of functional information security in alignment with the objectives, needs, budget, and risk appetite of your organization.

We view information security primarily as a business initiative designed to enable, safeguard, and serve the mission and objectives of your organization. As your virtual CISO, we act as a true cross-functional member of your executive team, working with, advising, and coaching your leadership and management to foster and develop a culture of security integrated throughout the people, processes, and technologies that drive your organization.

Whether you need a resource for a specific project temporarily or are interested in augmenting your team on a longer-term basis, we offer flexible arrangements tailored to your organization’s specific situation and needs.

. . . comments & more!