The enterprise is facing a dangerous combination of mounting cybersecurity threats of increasing subtlety, and a widening gap in the skills required to identify and combat them. Having someone that knows how to lead the charge in identifying and analyzing threats, creating strategic security plans and ensuring compliance, requires the right level of expertise. Many businesses, especially small and medium businesses, simply don’t have it.
Last October the Information Systems Security Association spoke of a “missing generation” in information security, pointing to an estimated 300,000 to 1 million vacant cybersecurity jobs. Clearly, it’s going to take time to fill that gap, but if the talent isn’t available right now, what are companies supposed to do?
Do You Have the Right Person for the Job?
According to Cisco’s 2015 Annual Security Report, 91 percent of companies have an executive with direct responsibility for security, but only 29 percent of them have a Chief Information Security Officer.
Businesses with a CISO in place recorded the highest levels of confidence in their security stance, both in terms of optimization and clarity.
Many organizations are asking other executives to step into the gap and they often lack the expertise required to outline a solid information security policy and drive it forward.
There may be areas of your business where you can afford to have employees feeling their way and learning through trial and error, but security is not one of them. “For small to mid-sized businesses it may be difficult to justify the expense of a full-time CISO,” says Candy Alexander, CISSP, CISM and Boston GRC Consultant. “Recruitment can also be a real challenge. How do you find the right fit for your business within your budget when you lack the internal experience to properly evaluate a candidate?”
Enter the Virtual CISO
Perhaps it’s time to consider a less traditional approach. There are lots of reasons to consider a virtual CISO. If you’re suffering from attrition and need someone to step in on an interim basis, if you want some supervision and advice for a relatively green InfoSec manager, or if you want to ensure that you only pay for what you actually need, then a vCISO could be the answer.
For smaller businesses, it simply doesn’t make sense to invest in a full-time CISO when you can hire a virtual one and get the specialty skills you need to draw up a strategic overview and deliver the big picture. No need to worry about benefits or monthly overhead. It’s a flexible solution. You can set up a retainer for a certain number of hours, you can hire someone on a project basis, and/or you can even buy a chunk of support hours and use them when you need them. It’s a way of getting the cream of security talent for a fraction of the cost. And it’s totally scalable. If you decide you need a full time CISO then you can even have the vCISO help you create a tailored job spec and then screen and interview candidates.
Contracting a virtual CISO can be far most cost-effective than hiring a full-timer. They can fill in where you need it the most, helping your CIO pull together your security policies, guidelines, and standards. That could entail anything from getting to grips with HIPAA or PCI compliance, to staying on top of vendor risk assessments.
A qualified vCISO is going to be fully up to speed on the latest best practices, they have experience dealing with a wide variety of scenarios, and they are well-placed to train your internal security staff.
Planning for a Brighter Future
Many companies are being forced to spend an ever increasing proportion of their budget on cleaning up after incidents. A vCISO can be invaluable as a firefighter, but don’t wait until the worst happens: prevention is always better than cure.
A deeper dive into potential vulnerabilities, and support with a remediation plan now, could save your organization a great deal of time and money in the long run. Whether you’re looking to fill a temporary gap, get a snapshot of your security health, or you need some leadership to roll out a comprehensive security policy, the vCISO is a compelling value proposition. Until the new generation of security graduates matures, the vCISO may be your best shot at reducing security risks.
This article was recently published in Dark Matters.
Image courtesy of Dark Matters.