Why your business needs a Virtual CISO
Date: 19 June 2017
The recent WannaCry ransomware attack that started on 12th May spread globally in less than a day and impacted businesses of all sizes. Importantly, this incident wiped away any thoughts that cyber criminals only target large organisations.
Everyone and all businesses are fair game for cyber criminals.
Indeed, the perfect storm seems to be brewing. On one hand, financially punitive regulations like the General Data Protection Regulation, or GDPR, are coming into force in the UK and throughout Europe. On the other hand, the cyber threat landscape is becoming increasingly hostile and hazardous. In the midst of this storm, organisations, small and large, are facing the growing threat of cyber attacks that can impact a business in more ways than one, including:
- Loss of customer trust.
- Negative brand impact.
- Material financial damage to the bottom line.
What is a V-CISO and why does your business need one?
Where in the past the IT director or CIO was responsible for addressing cyber threats, it is safe to propose that, today, cyber security and information risk need to be managed by specialist professionals who are skilled and experienced in taking on the technical and managerial challenges of reducing cyber risk exposure.
Typically, this specialist role is referred to as an Information Security Manager or Chief Information Security Officer (CISO), and he or she is responsible for:
- Managing overall information risk.
- Ensuring regulatory compliance.
- Increasing the organisation’s cyber security maturity.
It is the CISO's role to work across an organisation's departments, ensuring that the necessary security policies, procedures and technology controls are working correctly and efficiently in order to reduce the operational risk of cyber attacks. Duties may well include, but are not limited to, security awareness training, implementing secure business and communication procedures, and identifying and meeting security objectives.
Skills & Budgets
The job site Indeed.com recently published research indicating that in the UK, the gap between employer demand for cyber security expertise and the number of people who have the necessary know-how is the second largest in the world!
The global shortage of skilled and experienced labour means even large multinationals are unable to hire and retain the right talent. Where talent is available, it comes at an exorbitant cost with salaries for averagely skilled professionals, in the UK, reaching over £130,000! Most small-to-medium sized organisations simply do not have the budgets to hire experts at even half this salary.
For many small and medium sized companies, hiring a CISO is not a possibility, and that is where a V-CISO, or Virtual CISO, comes in. It is not uncommon for smaller businesses to outsource certain services; in fact, this practice has been with us for many years, so why not outsource the role of information security?
Note: readers should be aware that this shortage of skilled and experienced executives has created a steady supply of the inexperienced, dilettantes and dabblers looking to make a quick buck.
Benefits of using a V-CISO Service
There are two key benefits of using a V-CISO service from a reputable service provider.
Significant Cost Savings: your business hires top professional talent without paying full time employee salaries. In addition, you don’t incur the additional costs of training, holiday and sick pay, or redundancy payouts.
Expert and Experienced Talent: you are able to employ expert and experienced practitioners who have held leadership and CISO roles and have a wealth of industry experience. The experienced V-CISO can dive straight into the deep end and offer immediate and tangible outcomes.
The Ideal V-CISO
Buyer beware! The market is full of charlatans with CVs decorated with three, four and five letter professional-sounding acronyms. Before hiring a V-CISO, ensure he/she and the organisation providing the service meet the following requirements.
The V-CISO must:
- Have practitioner experience and have been a CISO in their career.
- Have experience in various domains of information security, including information risk management, governance and compliance.
- Be able to communicate with senior management and have worthwhile discussions with technical employees.
- Be impartial and vendor neutral, offering advice that does not favour any particular product.
- Understand the basics of audit and compliance and be able to deal with internal and external auditors.
- Understand the basics of business and commerce.
In the organisation providing the service, look for flexibility. The whole premise of the V-CISO concept is that the business either cannot afford a full-time employee or does not have the requirement given its size. To that extent, the service provider must offer flexible terms that allow a business to scale its requirements up and down as they change, without punitive charges.
Ideally, the V-CISO service should be based on the business's individual information security and business requirements, the organisation's size and the complexity of its business. The service can range in duration from just a few hours per month to an interim full-time CISO.
Finally, look for a V-CISO who is happy to mentor and can leave your employees with sufficient knowledge transfer over time.