Virtual CISO – An Appealing Alternative to CISO
The cybersecurity market is in a state of influx as it matures into a more mainstream information technology service. As the number of cyber-attacks from e-mail phishing to sophisticated data farming are exponentially growing, there are not enough cyber security experts to keep up with the demand.
According to a report from Emsi Burning Glass Market Research firm (now Lightcast), there are well over 700,000 cyber security positions yet to be filled, and existing cyber security engineers are in-high demand. There are several reasons for this massive gap in the marketplace, including the growing number of cyber incidents (i.e. ransomware), regulatory requirements demanding qualified cyber security specialists at both the federal and state levels, a lack of adequately educated and experienced cyber security professionals to address these challenges, and cyber insurance providers demanding investments by their insurer to harden their security posture.
Supply has not kept up with the demand and it has become increasingly challenging to recruit and retain qualified professionals, not to mention the continual increase of their wages. It is also important to note that in many cases, it is difficult to justify the cost or need for a full-time CISO-Level employee. Given this growing trend, most small to midsize organizations as well as various public sectors and non-profit organizations are faced with a crucial decision of meeting their cybersecurity needs while struggling to justify the growing expenditure. To address this gap and to provide organizations with qualified cyber security professionals at a much lower expense, a growing market trend is emerging. The concept is to recruit an information security officer from a reputable firm on a part-time basis with a time-limited contract to assist the organization in meeting its cyber security goals. They are referred to as a Virtual Chief Information Security Officer (vCISO). While there are ample individuals and firms that offer cyber security services, the key differentiators are the quality, experience, expertise, and access to other cybersecurity resources.
The Power of a vCISO
The latest report from CSO magazine argues that vCISOs are estimated to cost between 30% to 40% of a full-time CISO, and they are available on-demand with no training requirements. Therefore, they are able to deliver results in a short timeframe. Given that their role is a time-limited engagement they will remain objective, and their primary focus is getting a satisfactory result on an on-going basis, based on the pre-defined/pre-negotiated key performance indicators (KPIs).
Several large consulting firms have adopted the philosophy of over-hiring cyber security engineers with the understanding that most will not make it past the first few months and the field will correct itself by weeding out some of these individuals. The idea is to show clients that they have resources and strength in numbers. Unfortunately, this approach is short-sighted, and these underqualified experts could potentially cause more damage and create bigger issues for their clients down the road. It is imperative that organizations seeking a vCISO do their due diligence and work with a reputable firm. It is never the size of a firm that dictates their quality, but instead their reputation, work ethics, expertise, and most importantly their experience and positive client relationships. Many smaller IT delivery firms have a much better story to tell when it comes to engaging in the process of drafting a vCISO as a service.
There are a number of organizations that have opted to assign a member of their cyber security team to fulfill the role of an information security officer in addition to maintaining their daily assignments. This is challenging since these individuals will inevitably suffer fatigue due to the on-going volume of activities, and they might become a flight risk as well. Furthermore, most of these cyber security engineers favor their technical interest over their newly added assignments that includes—but is not limited to—policy review and development, security planning, security awareness programs, incident response planning and simulation, budgeting processes, staff assessment, management and mentorship, and engagement with cyber insurance negotiations. To avoid this potential adverse effect, it would be more practical to augment the team by commissioning an external vCISO. In addition to managing daily activities, these individuals could play a pivotal role in assessing the organization’s overall security posture and making objective recommendations.
Finding an Impactful vCISO
One area where a vCISO could provide an immediate impact is evaluation and implementation of a few key programs to reduce or to sustain the cyber insurance premium adjustments. The cyber insurance market is expected to grow from seven billion dollars to twenty billion dollars in the next four years, based on a study by Fortune Business Insights. While the number of claims has grown by 100% during the past three years, naturally, these providers will continue to pass the increase of their liabilities on to their clients. A stark contrast in a report published in netdiligence.com points out that in 2021, 99% of claims involved small to mid-size enterprises (SME) organizations (below two billion dollars in revenue), while only 1% of claims involved enterprise-class organizations. SMEs that have difficulties hiring or rationalizing a full-time CISO are poised to take advantage of vCISO services.
An organization embarking on the journey of selecting a firm for vCISO services should consider the following seven guiding principles:
- Outline the terms of engagement. It is highly recommended that a minimum number of hours (no less than eight per week), and a fixed timeframe (minimum of 12 weeks) is negotiated. This provides the vCISO the opportunity to successfully complete a few key deliverables.
- Develop a list of activities that the vCISO needs to complete during the engagement. This will be the baseline to measure this individual’s accomplishments.
- Clarify the reporting structure for the vCISO. A veteran vCISO will accept to report to a C-level executive or a person closer to the decision-making authority within the organization.
- Determine the role of the vCISO as it relates to supervising the cyber security team. There could be HR barriers related to this exercise.
- Establish a process to evaluate the vCISO’s accomplishments, and setup regular meetings to assess their progress.
- Prioritize areas that need immediate attention.
- Define the best method of information distribution to ensure the vCISO is not violating or overstepping corporate communication policies.
There are two famous quotes that come to mind with enormous relevancy in the process of evaluating and ultimately selecting a vCISO firm: first is an African proverb– “Tomorrow belongs to people that plan today.” Second, is George Patton’s statement, “A good plan today is better than a perfect plan for tomorrow.” While keeping these in mind, it is prudent to start the discussion about the merits of using a vCISO sooner than later, given the attention that a cyber security area requires on an on-going basis. Anticipate that there will be adjustments to the statement of work. The outside view of the vCISO will surely bring new perspectives and areas of consideration to the organization. To facilitate thoughtful planning, below is a list of services that should be expected or examined as part of the initial phase of engaging with a vCISO firm.
Responsibilities of a vCISO
vCISO services include but are not limited to:
- Evaluation of corporate or agency security policies.
- Participation in the annual incident response plan (IRP), and risk mitigation activities.
- Manage cyber security resources as deemed applicable.
- Participate in cyber security insurance discussions and make recommendations.
- Provide security with a gap analysis report and offer steps to improve the security posture.
- Assess the effectiveness of information in the security training program.
- Address and make recommendations on the practices involving cloud, end-point devices, servers, and applications access control.
- Managing security staff, if so required as part of their engagement.
- Assess compliance and regulatory requirements with key participants (i.e., HIPAA, PCI DSS, GDPR).
- Review existing cyber security tools and software and make recommendations for replacing or maximizing the investment.
- Recommend next generation technology delivery with cyber security controls in mind. These include, but are not limited to, low-code application development, cloud migration, and DR planning.
- Assess patch management and end-point device security practices.
- Participate in strategic and tactical cyber security budgeting processes.
- Assist C-Level executives and others in recruiting talented individuals.
eGroup | Enabling Technologies security experts and vCISO teams have extensive experience in various aspects of information security architecture. These C-level executives replicate the job function of a Chief Information Security Officer. They are positioned to provide guidance, develop policy, assess organizational security readiness, engage in evaluation of risk mitigation, deliver security gap analysis, and participate in auditing and compliancy processes while keeping an eye on the day-to-day activities.