VCISO - Virtual CISO ,

VCISO: A Pragmatic Path To Cybersecurity In Pandemic Times And Beyond

By Michelle Drolet
20 Sep 2020

Covid-19 has disrupted our lives and caused a lot of stress and panic globally. Even though lockdowns may be relaxing, cyber-attacks are showing no signs of slowing down. The pandemic has created the perfect environment for hacktivists to strike with a high degree of success.

Let’s understand the top five reasons for this:

1. Expanding Attack Surface

Millions of workers globally suddenly woke up to the new work-from-home normal. While IT departments scrambled to get their infrastructure ready for a 100% remote workforce — many of them also sacrificed cybersecurity for the sake of business continuity. As employees started to connect to the corporate network from home, they introduced a number of potential security vulnerabilities. Unsecured devices, unsecured Wi-Fi and unpatched systems — suddenly the attack surface expanded exponentially.

 

2. Evolving Scamming Techniques

As if the confusion and distraction surrounding the pandemic weren’t enough, an infodemic of misinformation and phishing scams are on the rise. Insurance and financial service providers have reported that fraudsters are using the full suite of scamming tools — phishing emails, fraud identities, robocalls, etc. — and are watching the headlines closely and adapting their messages to scam targets. The Federal Trade Commission (FTC) is estimating that coronavirus scammers may have already made $100 million off stolen stimulus checks, mortgage scams and more.

 

 3. Shifting Priorities, Budgets And Resources

Amidst high risk and increased reliance on technology platforms, business continuity takes precedence over cybersecurity. Experts warn of even further budget cuts and cybersecurity will be no exception even though the environment demands that the controls be more robust. Since resources are increasingly spread thin, 50% of cybersecurity teams are getting reassigned to general IT tasks.

 

 4. Increasing Skills Shortage Of Cybersecurity Professionals

Gartner reported a 65% increase in demand for cybersecurity professionals worldwide. Another study estimates 3.5 million cybersecurity jobs to remain unfilled by 2021. Organizations lack expertise in areas including cloud security, incident response, threat intelligence, security operations and more. Credible cybersecurity leadership is also hard to find as such professionals are extremely high in demand.

 

5. SMBs As Vulnerable (If Not More) As Large Enterprises

New research suggests that if an organization “feels” it’s too small to get attacked, chances are they will limit their cybersecurity spending. On the flip side, analysts are increasingly seeing lesser-known, smaller companies being targeted by hackers, especially those that are linked to larger, influential companies. Not only do SMBs have desirable data, but they are also easier to attack because they lack the resources. And when SMBs are hacked, high-profile companies that are linked to the SMB also get hacked. This demonstrates that cybersecurity is a major problem for all size businesses.

 

Why Hiring A Virtual CISO Makes Business Sense

Times are challenging, and it’s time to get creative. Organizations must find a way to respond to modern cyber-threats without stretching their financial resources or investing in inadequate security expertise. A virtual chief information security officer (vCISO) could deliver more bang for your buck. Here’s why:

  • Vast Experience And Proven Leadership: Most vCISOs carry decades of experience and have a superior track record of reducing cyber risk and improving cyber resilience for well-known companies. They are usually industry veterans having vast amounts of domain knowledge and hands-on expertise and are well-positioned to train your internal security staff.
  • No Training Needed: vCISOs are well-versed with day-to-day responsibilities and are extremely familiar with current trends, regulations, standards and expectations from management. A vCISO is also the ideal candidate for businesses that do not have the time, resources or motivation to train someone for the role. Another aspect that works in favor of vCISOs is that they are experienced in operating and leading from a remote location, which is the need of the hour in times of pandemic.
  • Reduced Overhead: vCISOs can be recruited on-demand and come without the overhead of a full-time employee, such as health insurance, worker’s comp, payroll, benefits and related HR costs.
  • Flexibility: vCISOs can be set up on a retainer basis for a set block of hours, hired on a project basis or allocated for tech support hours. A vCISO can free up valuable time for the C-suite so that management can focus on other important aspects of the business.
  • Faster Onboarding: Sourcing, building and retaining the right security leadership might take a lot of time, especially when there is a short supply of cybersecurity talent. When organizations are suffering from attrition or a security incident, a vCISO can immediately step in and fill the void of a leadership position.

 

The Pros Of Hiring A Full-time CISO

What are the benefits of hiring a full-time CISO? Truth is, it depends on the requirements of the business and the resources at hand. Here are some reasons why a full-time CISO might be your preference instead of bringing in a virtual CISO — if an interim role isn’t required:

  • You need someone full-time in the office to be the face of security.
  • You need a dedicated resource that is available 365 days a year, 24/7 — in case of emergencies.
  • You see the resource as critical for business continuity and day-to-day operations.
  • You think this is good for team building and supporting the corporate culture.

Cyber attackers are continuously evolving their tactics and techniques to get to your company’s crown jewels. Businesses need cybersecurity leadership that can take out the guesswork, boost defenses and bolster cyber resilience. In times of the pandemic and beyond, a vCISO becomes an extremely pragmatic and compelling value proposition, but only if it works for your unique business needs.

 

This article was originally posted on Forbes Technology Council >