Why Hire A Virtual CISO In 2023?

Forbes Technology Council

Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm offering compliance and professional cybersecurity solutions.

As businesses across the world expand their technological footprint, they are becoming increasingly vulnerable to a vast array of cyber crimes such as cyberattacks, CEO fraud in the manner of business email compromise (BEC attacks), theft of intellectual property, privacy breaches and much more. Threat actors are upping their game constantly, making cyberattacks more serious with each passing year.

One of the key challenges facing organizations today is a general lack of understanding their own levels of risk exposure and resilience. Since many C-suite leaders aren’t entirely security-savvy, they often need an executive-level advisor like a chief information security officer (CISO) who can speak the language of the board, provide an overview of risks, create strategic plans and help deploy the right levels of security controls and governance. In such a scenario, hiring a virtual CISO can be a compelling proposition. Here are five key reasons why:

1. Reduced Cost Over Time

Virtual CISOs are far more affordable than an average full-time CISO. Today, the average salary of a full-time CISO is roughly $584,000 (excluding bonuses and company equity). In contrast, a vCISO with comparable credentials will cost at least 35 to 40 percent less (or even lower, depending on the scope of work) and comes without the baggage of a full-time executive. vCISOs can be hired as needed on an hourly basis, when you need them the most and you can choose to scale their engagement up or down as your project nears completion or your security posture begins to mature.

2. Breadth of Knowledge, Depth of Skills

Since vCISOs are contracted across a range of businesses and industries, they are fully up to speed with the latest security best practices and have in-depth experience in dealing with any number of security scenarios. From serving as an interim CISO to chairing a governance panel, from procuring technical security controls to upgrading the security infrastructure, from analyzing risks to building a cybersecurity strategy, from ongoing risk monitoring to becoming compliant with privacy regulations, from training your security teams to building a culture of cybersecurity, from responding to cybersecurity incidents and recovering from them, vCISOs provide expert guidance in a variety of security-related functions and decisions.

3. Faster Onboarding, Lower Turnover

Hiring and retaining cybersecurity talent is not easy. The cybersecurity industry is already experiencing a massive talent shortage, and finding a seasoned security professional with the right experience and leadership skills is even more difficult. What’s more, CISOs are in high demand and have high turnover rates. Studies show the average time to recruit a CISO is around six months, and they routinely leave the hiring organization in less than two years. A vCISO can be recruited and onboarded instantly; businesses don’t have to deal with HR onboarding and a benefits package or spend effort on retention, which reduces the disruption a departure creates for the business.

4. Unbiased And Impartial Feedback

When facing an urgent cybersecurity issue or a complex data and privacy challenge, sometimes it is in the business’s interest to seek an impartial opinion that is free from any conflict of interest. Under such circumstances, relying on a vCISO who is not only trusted, but also provides unfiltered feedback and unbiased guidance can prove extremely useful. Businesses can also leverage vCISO expertise and guidance in discussions relating to severe vulnerabilities, forensic investigations, active compliance violations, fines and lawsuits, as well as cyber insurance claims.

5. Access To A Team Of Experts

Cybersecurity is such a vast domain, it is difficult to find expertise in every area. When businesses leverage a vCISO service, they usually get access to a group of experts the vCISO can bring in depending on the needs and requirements of the business. For example, if a company wants to identify security loopholes in their infrastructure and processes, a vCISO can bring in penetration testers and forensics specialists that can help assess the security posture of the organization. If a business wants to improve security awareness to reduce phishing scams, a vCISO can suggest tools and trainers that are specialists in that area.

vCISOs can be a great choice for organizations that struggle with limited resources (like startups and SMBs). Allowing the system administrator to assume the CISO role can lead to a major security hazard. vCISOs cover a broad range of functions, both strategic and tactical, and their services can be tailored to suit client requirements. For example, businesses can either go with a long-term retainer or hire someone short-term on a project basis, buy a block of support hours or agree to a fixed-fee, delivery-based approach.

A vCISO is definitely not a replacement for a full-time CISO, especially in large enterprises. Below are some other reasons why a vCISO may come up short:

Cost and time obviously are key factors here. If your business is large enough to afford a full-time executive or has the patience to wait for the right candidate and the time to bring them up to speed, then hiring a CISO full-time makes sense.

If your enterprise has a legal obligation or pressure from the board for a senior CISO to join the staff permanently (or strictly for the optics), then your organization needs to onboard a full-time CISO.

Your business may need someone who is fully integrated and invested in security on a full-time and not part-time basis.

Usually, in highly regulated industries, the nature of the business is such that it has a high degree of sensitivity to security and does not prefer to involve a third party.

Whether your business is small or large, and whether it’s struggling with resources or struggling with cybersecurity, a vCISO is a pragmatic option for boosting cybersecurity resilience.
