The enterprise is facing a dangerous combination of mounting cybersecurity threats of increasing subtlety and a widening gap in the skills required to identify and combat them. Knowing how to lead the charge in identifying and analyzing threats, creating strategic security plans, and ensuring compliance requires the right level of expertise. Many businesses, especially small and medium businesses, simply don’t have it.
Last October the Information Systems Security Association spoke of a “missing generation” in information security, pointing to an estimated 300,000 to one million vacant cybersecurity jobs.
Clearly it’s going to take time to fill that gap, but if the talent isn’t available right now, what are companies supposed to do?
The Right Person for the Job
According to Cisco’s 2015 Annual Security Report, 91% of companies have an executive with direct responsibility for security, but only 29% of them have a chief information security officer. Businesses with a CISO in place recorded the highest levels of confidence in their security stance, both in terms of optimization and clarity.
Many organizations are asking other executives to step into the gap, and those executives often lack the expertise required to outline a solid information security policy and drive it forward. There may be areas of your business where you can afford to have employees feeling their way and learning through trial and error, but security is not one of them.
“For small to mid-sized businesses it may be difficult to justify the expense of a full-time CISO,” says Candy Alexander, CISSP, CISM and Boston GRC consultant. “Recruitment can also be a real challenge. How do you find the right fit for your business within your budget when you lack the internal experience to properly evaluate a candidate?”
Enter the Virtual CISO…