Does the role of 'Virtual CISO' make sense?

With constant reports of cyber attacks in the media, most small and medium-sized organizations have become aware of the reality of cyber threats in recent years.

As cyber security becomes a threat to businesses, organizations must allocate resources to develop, implement, and maintain an effective information security program.

In addition, new compliance requirements require that these same organizations have an Information Security Officer (ISSO) on staff to oversee all aspects of information and cyber security.

While this role has become vital within most organizations (72% of organizations have a CISO), and they are currently the most sought-after professionals in the business world, many organizations cannot afford this type of resource, particularly smaller organizations, both because of their high salaries and because they tend to stay on the job for a short time, and change companies frequently.

For this reason, many organizations have recently chosen to hire a virtual CISO (vCISO) to fulfill this role or to complement their current CISO.

What exactly is the vCISO?

The figure of the virtual CISO is neither more nor less than an external CISO, which could be described as a freelance, or an outsourced company that offers its security professionals to fulfill their role as CISO, which usually uses more than one individual and operates remotely and part-time. In addition, it is common for you to meet with company management not in person, but via video conference, and to work remotely as well.

They are usually professionals with many years of experience in the industry and in a variety of scenarios, and who function as a management consultant for tasks related to information security. Among their role is:

• Design and establish the Vision of Cybersecurity of the organizations.
• Establish, design and prioritize the Cybersecurity strategy to meet the vision and objectives of the organization.
• Establish prioritized Action Plans to reduce risks, and continuously assess new threats and vulnerabilities, generating a process of continuous improvement in cybersecurity.

vCISO Projects and Tasks

Due to the demand for this solution, there are already many companies offering this service fulfilling a virtual CISO role for many clients, helping organizations to develop, implement and maintain an effective information security program through their virtual CISO service.

These companies typically help:

• Develop and implement IT security policies and procedures
• Help maintain compliance with the various legal regulations and security standards applicable in the organization. In this way, with a single service, and taking advantage of the synergies and similarities between the different regulations, information security compliance could be covered in a homogeneous and comprehensive manner. These regulations can be:
  • Personal data protection regulations (DPO support).
  • National Security Scheme (ENS).
  • ISMS Security Management System (ISO 27001).
  • Business Continuity and SGCN Continuity Management System (ISO 22301).
  • Security Sector Regulations (PCI-DSS, Solvency II…).

• Assist in the development, implementation and maintenance of an organization’s Information Security Program
  • Conducting security risk analysis.
  • Design of security plans.
  • Support to vulnerability management.
  • Control and monitoring of security projects.
• Inform executive leadership of current threats and compliance updates to help them make smarter business decisions
  • Conducting technical audits and ethical hacking
  • Training.
  • Support to standards certification.

Benefits of vCISO

Hiring a virtual CISO has many advantages, the most common being cost effectiveness, but there are more:

• Profitability: finding a qualified CISO to join an organization can be costly. But hiring a vCISO can be profitable, since you are only paid for the time you work in the organization.
• Flexibility: vCISO’s services can be tailored to complement a company’s internal capabilities with specialized skills in specific areas where the skills or capabilities may not be available full-time.
• Experience: vCISOs possess a wealth of knowledge. They have a great deal of business and security experience. Having an established track record and experience allows vCISO to start working at the time they are hired.
• Independent: This can be a double-edged sword, but having a vCISO that is independent means they are free from conflicting policies and agendas.
• Established relationships and connections: Many vCISOs have an integrated network of contacts and have many connections with vendors and industry professionals. Being able to leverage this network can make growth more efficient and profitable.
• Scalability: The service can be scaled up or down depending on the workload and demand of the business, for example, you may want to increase the service when you are starting a new program, and then scale it back down when you return to normal operations.
• Objectivity balanced with in-house knowledge: A long-term relationship with a vCISO often provides the right balance between the knowledge of an in-house person and the objective perspective of an external consultant.
• Continuity: On average, CISO roles change every 2 years. A vCISO service from an organization with several experienced specialists as mutual support means that there is no turnover of staff or periods when you do not have a CISO on board.
• Proven Methodology: A leading vCISO service is generally based on proven methodologies and approaches to ensure the effectiveness and efficiency of the service, not just “body shopping” by experienced people.

Disadvantages of a vCISO

While bringing a vCISO can be very helpful, it is also good to understand the disadvantages. Below are four disadvantages that organizations struggle with when it comes to hiring a virtual CISO:

• Timeliness of responses: Since virtual CISO supports many organizations, it can sometimes be difficult to obtain urgent responses in a timely manner. To overcome this, it is advisable to discuss or document an SLA with the candidate before incorporating them into the company. If it is known in advance that a response is needed within four hours, then it is easier to manage expectations.
• It is not integrated 100% within the company: vCISO technically works for the company, but does not invest much in it. They do not interact daily with the staff, they do not know everyone by name, nor do they live the day-to-day life of the organization as many internal employees do.
• Lack of risk responsibility: when hiring a VCISO, you must look carefully at the contract and talk about risk responsibility in an open and honest way. Make sure that they accept some of the organizational risk in case of mismanagement on their part. In other words, if an organization’s security is violated due to a mistake or poor vCISO strategy, you must ensure that it does not leave unscathed.
• Expensive at the time of need: Having a virtual CISO can be very profitable, but if the organization grows quickly or experiences a major breach, the work for vCISO becomes complicated and therefore can increase its price, and can be quite high.

Is the figure of the vCISO necessary in the company?

After seeing both its benefits and disadvantages, the answer to the question of whether this figure is necessary varies and is not necessarily the same for everyone. To begin with, well-qualified full-time CISOs can be difficult to obtain, often stay on the job for two years or less, and critically, especially for smaller companies, may demand six-figure salaries.

In contrast, VCISOs are estimated to cost 30 to 40 percent of a full-time CISO and are available on demand. But, in addition, the benefits go far beyond the cost. Virtual CISOs generally do not require training, can start work and are not required to follow office policy. In this model, it’s all about results, and worthwhile CISOs will provide reasonable KPIs and reports.

Startups and growing companies are the perfect candidates for the external resources model, and are the best option for small and medium sized enterprises (SMEs), to complement the existing management team or simply as an interim solution. Many of these companies have highly qualified personnel to develop their core business. But where they will need support is in understanding the threats they face, in their needs related to legality, and in defining appropriate strategies and action plans.

Conclusions

As a company grows, so do its compliance and safety commitments. Having a virtual CISO that can be called upon when needed can be incredibly helpful and will save a company a lot of headaches when trying to navigate the ever-changing regulatory world, or keep up with the rapid growth of emerging security threats. Plus, having a vCISO can make the compliance process much easier to navigate.

vCISOs are tailored to the needs of each business. They are professionals with extensive experience in cybersecurity who are able to establish strategies, plans and apply different security methodologies in multiple organizations.

In any case, the specific scope of the vCISO service should be configured based on the internal resources available and the security needs of each company. Obviously, and like any decision to outsource services, it should be supported by a previous analysis that shows that efforts and budgets are indeed optimized to ensure legal and regulatory compliance of information security.

As a further investment in information security, it must be adopted taking into consideration the same aspects as for other investments in security: it must be oriented towards managing real risks, aligned with the organization’s security objectives and within the established budgetary ranges.

In short, an alternative that, now more than ever, can be very useful due to the growing importance that information security and associated compliance are gaining, and the need to address them in a global, profitable and guaranteed manner.