Minnesota Virtual CISO (vCISO): Overlooked Benefits of Hiring

The role of a CISO is critical for a business that carries significant risk and needs to build and maintain an operational security program. But hiring for this role is expensive, and qualifying and identifying the right candidate can be hard.

An increasingly popular alternative is bringing on a virtual CISO, or vCISO for short: a seasoned security professional who brings the value of experience, relationships, processes, and mindset, and balances that against your company's budget and security needs.

Below we uncover the overlooked benefits of hiring a vCISO.

Cost

Many companies know they could benefit from the value of a CISO but do not want to take on the costs of hiring one full-time. Businesses are trying to do more with less.

A full-time CISO salary can range from $180k to $250k. That can be a huge expense for a business, but more important than the cost is the value. Does the company need a full-time CISO to gain the value of the risk reduction and program direction?

https://www.salary.com/research/salary/benchmark/chief-information-security-officer-salary

The website bricata.com says it best: "it's not whether it's the correct amount in relation to the responsibility, it's the value you received from a CISO that is going to really understand this space, drive compliance measures and help align and balance risks, in conjunction with the board."

Skillset

The skills and experience needed to navigate today's risks and threat landscape are numerous.

A CISO is a subject matter expert. Complemented by years of experience, training, and often industry-leading security certifications, this role greatly lowers risk to the organization. The goal of the vCISO is to reduce risk to the organization to an acceptable level. In addition, a proficient and experienced vCISO will also decrease costs to the organization by applying what they have learned over their career.

They approach security with a security mindset and a process-based approach that starts with risk. They understand that security products can complement people and process to achieve these outcomes, but they are not solely dependent on purchasing security equipment to get there. Products are tools in the toolbox: used correctly on the right project, in the hands of the right talent, and applied with the correct process, they can be highly valuable.

Sometimes companies try to achieve this same level of outside expertise by leaning on their security 'partners'. This approach fails because it starts with a product instead of with a people, process, technology approach. Common symptoms we see in this model are companies with many products that have never been implemented to a level of operational efficiency, confusion about which product is providing which service, undertrained and under-equipped staff, and disparate systems.

Process Improvements

Riding on the heels of 'skillset' is the opportunity for process improvements. Cybersecurity is a highly disciplined practice with many processes. When an organization takes the time to identify when and where processes can be created, documented, and implemented, we see a large return on investment and a decrease in cost.

Take incident handling and response as an example. Companies with low cybersecurity maturity respond to security incidents in an ad-hoc way that creates stress, is disorganized, requires a lot of staff on 'stand-by', and takes more time and resources than needed to achieve optimum results. A vCISO has experience in security process development and understands where process improvements can and should be made to increase the impact of the security organization. In our incident handling and response example, a vCISO can implement a process that is created specifically for your company, documented and approved, and then work with all staff to educate and train them on it. This leads to much higher efficiency in qualifying and responding to cybersecurity incidents and decreases time to respond, time to contain, and time to prevent recurrence. It also shows auditors and regulators that an industry best-practice process has been designed and applied. And if a breach does occur, the potential for fines and regulatory discipline can be reduced by showing evidence that these processes were implemented, approved, and trained.

There are a lot of security processes that can be implemented depending on your unique business. One more I'll mention, because I've seen it save companies a lot of money, is a vendor solution vetting process.

A vendor solution vetting process lets you document your specific business need and security case before choosing and purchasing a product. It typically does this by building a decision matrix that lists all your requirements, scope, and deliverables, which lets you rate and qualify vendor solutions and see at a glance which are the best fit. This is an internal process that lets you stay unbiased, step away from the sales process, and focus on risk reduction. The decision matrix will typically cover product features, competition, experience, pricing, and references. I've personally seen this process revolutionize the way organizations make buying decisions, and I've even seen its results save companies enough money to pay for the vCISO service.

Relationships

One of the most underrated benefits of hiring a vCISO is their relationships. The people in this role have been in the security industry for a long time. They keep their finger on the pulse: they attend security conferences, participate in security industry associations, and mingle at cybersecurity happy hours.

They know a lot of people, and they can introduce you to them so that you can find the highest caliber partners and relationships.

If you need to hire cybersecurity talent, they have an uncanny ability to find people. They are trusted and respected by their peers; when they call someone, that person picks up the phone. If your organization is looking to hire and retain security talent, one of the best ways to do it is to leverage a vCISO. They take the time to understand your organization and culture. They know the process knowledge, production knowledge, and talent required. They can scope and vet the right people and hold pre-hire conversations that help qualify the right candidate.

Having a vCISO can also help you vet the talent you already have. Through a skills assessment, whether formal or conducted through informal discussions and 'get to know you' sessions, a vCISO can assess your current talent and the value it provides, and help build a roadmap for training or additional labor resources.

Flexibility

Depending on your company size, risks, compliance, and regulatory requirements, the scale of the role can be adjusted. A full-time CISO is always on staff, whether or not the business currently needs that level of effort. A vCISO can be scaled up or down based on the dynamic needs of the organization.

Many times we find the time and cost of the vCISO decrease as frameworks are implemented, specific risk programs operationalized, and compliance requirements met through ongoing scheduled governance efforts. The program moves into a 'maintenance' mode. This decreases company costs while still maintaining a high level of risk management.

Time commitments for a vCISO can range from just under full-time down to a couple of hours a week. Because of this flexibility, the organization can meet its original charter and goals while keeping costs low. Services are based on yearly retainer agreements, and time commitments can be adjusted annually, sometimes even more frequently.

With the ability to adjust time requirements, the business can balance risk against cost and achieve a high level of value from this service.

Economy of Scale

The most frequent question I was asked while acting as CISO was not "How does this threat impact us?" or "How do we lower this risk?" The most frequent question was,

“What are other businesses in our industry doing?”

One of the benefits of a vCISO is exactly this economy of scale: a wide breadth of knowledge of what others are doing. Because a vCISO is a part-time CISO for you, they are also a part-time CISO for others. This provides a high level of insight and acts as a force multiplier. This unique benefit is one of the greatest advantages of hiring a vCISO: industry insight and observations on what others are doing, shared in general terms, since a vCISO owes confidentiality to each client. Others' successes can provide process improvements, speed up decision making, and further reduce costs, and learning from other organizations' mistakes can decrease costs to your company even more.

Summary

When it comes to hiring a vCISO, it shouldn't be a cost decision but a value decision. A vCISO can bring a great deal of value to your business. If you break out the individual value points, you will quickly see that these disciplines, process improvements, talent requisitions, and risk perspectives would cost far more if purchased individually through workshops or other security service offerings.

If you want to have a conversation about your company, risk, and the potential benefit of a vCISO, schedule a free thirty-minute call. 
