Red pill, blue pill? The Virtual CISO (vCISO).
A new best friend for SMEs? Not a new concept, but in today’s new world order, is it a concept of growing importance?
There has been much written over the last 4-5 years about the vCISO as a service and I would like to re-shine that light onto this strategically important role given my use of the vCISO, my experience of providing vCISO support – all in the wake of the ever-changing business environment.
Included in my vCISO capacity, for those that have read my previous articles, you will know that I am on speed dial for my mother (remember, Europe’s largest one person botnet) for all manner of cyber security related technical or awareness issues! And my father is rapidly adding to the cyber security burden of their house! The MOST demanding of roles – believe me! (not actually a picture of my mother!)
During these pandemic / post-pandemic times we have seen a quantum shift in ways of working. In the last 16 months organisations have had to accelerate remote working practices at lightning speed; those 2–3-year strategic plans to enable agile and flexible working have had nitrous poured into them in order not simply to get agreement for funding but to resource, execute and deploy.
In an already resource-deficient market, the demand for cyber and information security professionals has been acute. I have remarked in previous articles about the U.K. shortage of qualified cyber security professionals. We have had a lack of skills in cyber security for a number of years, and the issue's only getting bigger. Since 2014, the number of organisations reporting a problematic skills shortage has more than doubled from 23% to 51%. And by the end of 2021, it's predicted we'll have a global shortfall of 3.5 million cyber security jobs.
The combination of the warp-speed efforts to support agile working from home, a dangerous combination of mounting cybersecurity threats and a lack of in-house expertise to meet the challenge, allied with the increasing (sometimes eye-watering) cost of cyber security support has created yawning gaps for some smaller firms.
Management firm Tecforte said the advancements in technology have led to a high demand for cybersecurity skills with global statistics predicting that the cyber crime damage would be US$6 trillion annually by this year.
Smaller organisations have typically allocated responsibility for information security to a member of the operations or financial team and given IT the responsibility for technical cybersecurity. In most cases these responsibilities are secondary to the allotted individual’s main role, resulting in issues around prioritisation and conflicts of interest. These smaller companies are trying to protect cash flow as they hold onto whatever liquidity they have on their balance sheets. Yet they are faced with increased threats, increased regulation and increased demand to support remote working. With the average salary of a CISO being north of $200k – is a vCISO the answer?
Ever since we saw the advent of the first CISO role in the mid-90s there has been a growing acceptance of the importance of the role. It is now commonly understood that having a person, or team, solely accountable for cybersecurity has become a necessity if an organisation is to adequately protect itself from cybersecurity threats and meet its legal obligations to secure data. Without this, businesses often struggle with the complexity of interconnected technical, physical and personnel controls that make up a complete cybersecurity framework.
What about the vCISO?
Is a vCISO the answer for your company? Make no mistake, the CISO role is key to limiting business disruption, legally securing your data, building security and resilience and lowering risk. A tall order that comes with a pretty high price tag!
There are pros and cons for ‘outsourcing’ this key strategic position to a virtual appointee. vCISOs are an effective, affordable alternative for businesses of all sizes, from small start-ups to small to medium enterprises.
PROs
Cost Efficiency
I’ve already highlighted the average salary of a CISO above. Remember, this does not include stock options, health benefits, office space, sick pay etc. That is why hiring a well-established vCISO becomes crucial. In salary alone, you can save at least 30 – 40% and you don’t have to pay all of the extras.
Impartial support
A vCISO is invested in the success of your organisation. Why? Because their operating model depends on delivery of a quality service. Without being a part of the institution, they are not engrained in your company politics. They conduct an unbiased assessment of your current state of cybersecurity and offer you real-world, cost-effective solutions to solve your problems. Since they are external, they provide you with a neutral, unbiased view based solely on what is best for your business.
Diversity of knowledge
You won't be their only client. Therefore, they generally span several companies across multiple sectors. This in turn leads to best practice bleed across industries. They are constantly implementing strategies to protect businesses of different sizes against changing threats, gaining valuable knowledge they can apply to your company’s security needs. This can be more effective than hiring a full-time, in-house CISO who may have only worked within one business environment during their career.
Depth of network
The vCISO is more likely to have wide-ranging industry contacts from across their career. They tend to maintain strong relationships with fellow cybersecurity specialists. Evidence suggests they remain engaged in industry bodies and associations (not least for the employment opportunities) and gain exclusive information on emerging threats and build networks of useful connections.
CONs
Availability
As above, you are likely to be one of at least 3-4 clients for the vCISO. Scheduling conflicts could prevent the vCISO from being on site when called upon. If there is a crisis event (data breach), will the vCISO prioritise you over her / his other clients?
The ‘beat goes on’
Your business, in whatever stage of growth, is constantly evolving. Day-to-day decisions still need to be made, sometimes time-critical decisions. These still need to be made by full-time managers that typically can’t wait for the vCISO. Therefore, is the cost of the vCISO outweighed by the cost of management time? The cost savings may be greatly diminished as demands on the vCISO's time increase.
In Summary
Do you take the red pill and leave it to existing resource or do you take the blue pill and invest in the vCISO?
The process of ‘renting’ a CISO can be highly beneficial to most small to medium organisations that currently don’t have an experienced cyber security leader to help meet their technical security needs. In fact, contracting a vCISO, as pointed out above, can be far more effective than hiring a full-timer – for the right company.
The right vCISO is going to be fully up to speed on the latest best practices. They have experience dealing with a wide variety of scenarios, spanning multiple sectors and they are well-positioned to train your internal staff, if this is within the agreed scope.
A vCISO can be invaluable; don't wait until you receive that call from your IT team that you’ve been compromised, that you’ve compromised a client – don’t wait until that breach occurs. Within risk management, prevention is always better than cure.
For those vCISOs out there, there is a role available for taking care of my parents; highly demanding, at times stressful, no pay, lots of love. DM me for digits!!
Talks About - Business Transformation, Organisational Change, Business Efficiency, Sales, Scalability & Growth
3y: Great post Adam, maybe we should connect!
Talks About - Business Transformation, Organisational Change, Business Efficiency, Sales, Scalability & Growth
3y: I like your posts Adam, thanks for sharing!
Talks About - Business Transformation, Organisational Change, Business Efficiency, Sales, Scalability & Growth
3y: Really good Adam, thanks for sharing!
CISO | Chief Information Security Officer
3y: I think that this is a decent starting point for those organisations that don’t have a senior Cyber leader on their Board. The ‘buy in’ needs to be driven top down though, with a well-articulated and defined risk appetite set at senior leadership level. Without this, it’s really hard to understand what target your security team needs to hit. I imagine that companies offering this service will reap the rewards as the market continues to struggle to hire strong CISOs.
Physical Security Professional and Security Adviser
3y: Indeed. The first step is to reflect on our own behaviours to identify flaws, should we deem a cup of coffee more important than our protection and security, well……