What Really Does a Virtual CISO Do? The Top 7 Mistakes C-Level Leaders Make (and Myths Technology Leaders Believe) When Hiring a Virtual CISO

It was recently suggested to me by a security colleague who works in penetration testing that I write this article. However, it was only when I was feeling a bit alarmed after talking with several people recently about the security services they are receiving (or providing - yes) that I thought I would share a few thoughts.

More and more people are asking me about my role as an Outsourced Chief Information Security Officer (CISO). I suppose I also feel a of sense responsibility to share these thoughts because I started to offer these services a few years ago when I could literally count on one hand all the people I knew who offered a similar service (two additional companies). I was either introduced to the individual after I started offering the services or intentionally tried to find others who offered this service. It was unheard of to do this type of work. In fact, I distinctly remember other security leaders laughing at me or walking away from me at industry events in the middle of conversations perplexed. Why would someone hire an Outsourced or Virtual CISO? When I started my company, focused on bridging the gap between physical and cyber security a year or two earlier, there was even more laughter. Of course, now, there is a greater understanding of that type of approach.

Additionally, since that short time, with the growth and size of the cybersecurity industry, Gartner predicts $133B in total spend of products and services by 2022. With regulations like the New York Department of Financial Services (NY DFS) Cybersecurity Regulation (23 NYCRR 500), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), there are more and more companies offering an Outsourced or Virtual Chief Information Security Officer (CISO) service, cybersecurity services in general, and data privacy services.

After recently working with a $200M insurance company to meet NY DFS cybersecurity compliance requirements which was later validated by a regulatory visit from NY DFS, and additionally, in a role as Data Privacy Officer (DPO), working on a data privacy program to support organizational Binding Corporate Rules commitments to GDPR (which was validated by two other Data Privacy Officers), I continue to be alarmed at what leaders (on the business side and technology side) think a CISO does.

Though I have clear, distinct thoughts on what makes a good Outsourced CISO, below are the top seven mistakes C-level leaders make, and technology leaders believe, when hiring an Outsourced, or Virtual, CISO. For the sake of this discussion, I will define an Outsourced or Virtual CISO as a non-full-time employee. The actual hours may vary based on the needs of the business (size, business growth, industry, and regularly requirements the business adheres to). The word virtual also indicates the CISO may not actually spend much time, or any time, in the office and may work remotely. Even if that is the case, that would not negate the ultimate responsibilities an Outsourced/Virtual CISO has.

1. It can cost $500 a month for a Virtual CISO service. It’s important to understand every business does not need a CISO. If there is a CISO service offered for $500 per month it is a service being offered to a business that may not need a CISO service and/or they are simply not executing on the role of CISO, but more supporting as a virtual security manager. This role can be important for very small businesses depending on the industry, projected growth and target base of clients. However, an Outsourced CISO would not be hired for $500 a month, and certainly not for a regulated company compliant to key cybersecurity and data privacy regulations.
2. Outsourced CISOs only need to spend a few hours a month on your business. Perhaps this is true, if you are small company in a non-regulated industry. This can be the case with a small consulting company, or a few small retail stores and restaurants. Again, these businesses may need a security manager, not a CISO. In my experience, this also would not suffice for a regulated company in financial services. I have had security leadership roles in very large companies and in very small companies. Without a doubt, more of my actual time in hours has been with smaller companies because of the limited resources. As a CISO, with a regulated entity more than a few hours a month will need to be spent in the business.
3. An Outsourced or Virtual CISO is like Outside Counsel; they are on retainer and you just call when you need them and they respond. I am not in a position to comment on the role of Outside Counsel, however, an Outsourced CISO is providing key deliverables to the business on an ongoing basis, not just when the business asks for something. If you have a CISO and they just “respond” when you need them, or just send you a monthly report, that is a red flag.
4. Why hire a CISO when the IT team “has got it?” I have worked with really great IT partners, some of whom have taught me a lot, but it is not the role of IT to fully manage security. Everyone in the organization is responsible for security, including IT, but having IT fully own security, inevitably, can surface inherent conflicts of interest and a false sense that security is fully adhered to. The IT team already has a really important job and we need them to do it really well! Simply, if security was solely IT’s job, in the United States we would not be in need of over 300,000 people to fill cybersecurity roles currently, according to CyberSeek. Why would the CISO role even exist? Additionally, there would not be a mandatory cybersecurity requirement for the role of the CISO to be implemented or serviced to covered entities regulated by the Department of Financial Services. The only exemptions include organizations with less than 10 employees, organizations that produce $5M or less gross revenue from NY operations in each of the last three years, or businesses that have less than $10M in total assets. The CISO would also not be required to report to the board, as stated in the NY DFS cybersecurity regulatory requirements. Regulators would be fine with just having the Director of IT, Head of Infrastructure or the Chief Information Officer (CIO) do it. It continues to alarm me how may IT leaders and companies say they offer a full suite of cybersecurity services. I have spoken to numerous IT leaders, but only three IT leaders have come to me to tell me they needed my help in my role as a CISO to support their businesses because, as an IT leader, they knew their business was not providing everything that was needed from a security standpoint. To me, these are the best IT leaders in understanding the breadth of work it takes in implementing security (having willingness to ask for help). IT plays an absolutely critical and necessary role in security. What is needed is for IT and security leaders to work better together in implementing security. Additionally, to put the sole responsibly of security on IT leaders, especially in small and middle market companies, where many IT teams are increasingly overworked, is not a good decision and does not set the team, or the company, up for success. Ultimately, someone like me will be called in to handle a serious security concern that could have been prevented with the right security partnership and oversight up front.
5. All the CISO does is write policies. A CISO does not write polices. Someone, or multiple people, on their team does, unless it’s a smaller company. In short, the CISO, along with several other partners help to validate (and enforce) that the policies accurately reflect the business and IT environment and culture, address regulatory concerns, and address current and future business and security objectives.
6. The CISO, especially in a $100M - $500M company, is just a project manager. No. In these smaller companies, a CISO is executing on core priority objectives at a much higher percentage of the time than CISOs in larger multi-billion companies because the team is much smaller. All CISOs are interpreting key technical information from a variety of sources and presenting that information to the board and influencing the decisions of board members, CEOs and C-level executives, and influencing the behaviors of ALL employees. They are also making the priority decisions on how the cybersecurity budget is spent and providing input on how the IT budget can (better) support security. The CISO is a strategic advisor, not a functional leader, to the business. Though project manager skills can be helpful, a CISO, as a leader in the business, influences the security of the products and services a company offers, which impacts the clients and other stakeholders, and impacts the profitability and reputation of the business. These are just a few reasons why this position is required to report to the board for companies regulated by the Department of Financial Services in the state of New York.
7. CISOs don’t really need to be a security leader; another leader in the organization can take on the responsibility. Each business may have a unique complexity or reporting structure that includes security. However, this approach, inevitably, can surface inherent conflicts of interest that exist within roles of responsibility (CIO, Chief Financial Officer (CFO), etc). It is easy for security to be added behind the priorities of other executives.

Overall, to my constant surprise, I find many people still don’t understand the role of the CISO and it pains me to hear the constant challenges CISOs still face. Being a CISO is not for the faint of heart. In a Nominet survey, 32% of CISOs stated they were concerned they would lose their job if there was a breach. They are “on call” all the time to respond to incidents at night or even on vacation. As a C-level leader, you may have to stay late at work to finish an impromptu presentation for the next day. You can go home and work on it after the kids go to bed or go into work early to complete it. There are options. If there is an incident, the CISO is dealing with that incident right in the moment, without an option to put it off until later in the evening or the next morning.

Small and middle market business impact: The Ponemon Institute 2018 Cost of a Data Breach Study found that globally the average cost of a data breach was $3.86 million, a 6.4% increase over 2017. The average cost per record stolen was $148. The average cost of a data breach to a small business is $690k. CISOs are making quick decisions in a matter of seconds that can have true financial and reputational impacts to the business. This is especially significant in a small environment where there are less resources to pull from in making these critical decisions.

There is no stress like CISO stress. This was the title of a recent blog post by Accellion. It is well documented the stress levels that CISOs experience often lead to sleepless nights, anxiety and increased drinking of alcohol. It’s a role people don’t understand, and the value of the role is constantly being challenged. It is very isolating and only those that understand are other CISOs, but that can quickly dissipate when leading a smaller company. Even CISOs can have a hard time understanding the complexity of cybersecurity in smaller companies in this challenging regulatory environment. That is certainly increased as an Outsourced CISO, a non-employee of a company. The value provided does not change, but the way you deliver the value does. A CISO’s ability to do this has come from a combination of at least roughly 15 years of security knowledge and lived experience which allows them to both respond from what I would call “muscle memory” and the ability to make quick decisions in a short period of time.

Working with a Virtual CISO: Having the right Outsourced CISO is critical. In hiring a CISO, as a C-level leader, you are investing in a change to bring about desired business or regulatory outcomes, you are adjusting your schedule to make time for a topic you may not understand nor have a desire to discuss, you are making investments in your business positively (whether you see it that way or not), and you are creating true accountability on a topic where the ultimate responsibility lies with you. Even if you didn’t hire the CISO, the ultimate accountability would still be with you where you could lose your job as well. The difference is with a CISO there is more transparency and if you have the right CISO with open conversations, it can be incredibly relieving and satisfying to know that what needs to be accomplished is getting done.

You want an Outsourced CISO that is not thinking about how you are adding to their bottom-line sales goals, but how they are adding value to your top-line profits. You want someone who will support you when you need them most and create an environment where your employees and data are protected. You will want to ensure you have the right Outsourced CISO by your side whether you are a C-level leader, a new CISO in need of a mentor, a CISO in need of a deputy CISO, or a Dir of IT in need of a security leader to guide you. These are all ways a Virtual CISO can add value to an organization in this incredibly fast paced, highly regulated, complex world.

Jessica Robinson, is CEO of PurePoint International and works as a Virtual/Outsourced CISO to middle market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. You can reach her at [email protected].