Date: 19 June 2017
Skills & Budgets
The job site Indeed.com recently published research indicating that in the UK, the gap between employer demand for cyber security expertise and the number of people who have the necessary know-how is the second largest in the world!
The global shortage of skilled and experienced labour means even large multinationals are unable to hire and retain the right talent. Where talent is available, it comes at an exorbitant cost, with salaries for averagely skilled professionals in the UK reaching over £130,000! Most small-to-medium sized organisations simply do not have the budgets to hire experts at even half this salary.
For many small and medium sized companies, hiring a CISO is not a possibility, and that’s where a V-CISO, or Virtual CISO, comes in. It is not uncommon for smaller businesses to outsource certain services; in fact, this practice has been with us for many years, so why not outsource the role of information security?
Note: Readers should be wary. This shortage of skills and experienced executives has created a steady supply of the inexperienced, dilettantes and dabblers looking to make a quick buck.
Benefits of using a V-CISO Service
There are two key benefits of using a V-CISO service from a reputable service provider.
Significant Cost Savings: your business hires top professional talent without paying full-time employee salaries. In addition, you don’t incur the additional costs of training, holiday and sick pay, or redundancy payouts.
Expert and Experienced Talent: you are able to employ expert and experienced practitioners who have held leadership and CISO roles, and have a wealth of industry experience. The experienced V-CISO can dive straight into the deep end and offer immediate and tangible outcomes.
The Ideal V-CISO
Buyer beware! The market is full of charlatans with CVs decorated with three-, four- and five-letter professional-sounding acronyms. Before hiring a V-CISO, ensure he/she and the organisation providing the service meet the following requirements.
The V-CISO must:
- Have practitioner experience and have been a CISO in their career.
- Have experience in various domains of information security including information risk management, governance and compliance.
- Be able to communicate with senior management and have worthwhile discussions with technical employees.
- Be impartial and vendor neutral and offer advice that does not favour any particular product.
- Understand the basics of audit and compliance and be able to deal with internal and external auditors.
- Understand the basics of business and commerce.
In the organisation providing the service, look for flexibility. The whole premise of the V-CISO concept is that the business either cannot afford a full-time employee or does not have the requirement given its size. To that extent, the service provider must offer flexible terms that allow a business to scale the service up and down in line with changing requirements, without punitive charges.
Ideally, the V-CISO service must be based on a business's individual information security and business requirements, its size and the complexity of its business. The service can range in duration from just a few hours per month to an interim full-time CISO.
Finally, look for a V-CISO who is happy to mentor and can leave your employees with sufficient knowledge transfer over time.
For more detailed information about our V-CISO service, visit our V-CISO page.