Chief Information Security Officers are a relatively rare breed. Information security is, after all, a relatively recent addition to, or subset of, IT, and while most large organizations now do profess to having a CISO, CSO or head of information security, many still don’t. Indeed, it’s often the case that a company appoints its first CISO in the aftermath of a data breach, as Target did in 2014 or Sony in 2011.
However, landing yourself a CISO, and a good one at that, isn’t straightforward.
It’s well documented that the InfoSec landscape has a huge skills gap, with Cisco, training body ISC2 and other authorities putting the shortage around 1.5 to 2 million personnel, and ISACA speaking of a “missing generation” of security staff.
This shortage, though disputed by some, including the Department of Homeland Security, is most keenly felt with network analysts and, increasingly, data scientists, but it also impacts firms at CISO level.
For starters, there are limited pickings; the best CISOs are pricey, picked off by competitors or constantly chased by commission-hungry recruiters, while the bad ones bounce from job to job with no shortage of ‘glad to get rid of you’ recommendations.
All of this leaves a landscape that is perhaps more bereft of top CISO talent than the media pays attention to. Indeed, according to Cisco's 2015 Annual Security Report, while 91 percent of companies have an executive who is directly responsible for security, only 29 percent of them have a CISO. Unsurprisingly, businesses with a CISO in place recorded the highest levels of confidence in their security stance.
So, what do you do if you don’t have a CISO? Well, this is where virtual CISOs can come in. These experienced security staff, usually operating remotely, are affordable, available and highly skilled, meaning they can hit the ground running.
“A virtual CISO is an outsourced board advisory function, much like a non-executive director,” says Tim Holman, president of ISSA-UK and CEO of 2Sec, which offers virtual CISO services to clients. “You can pretty much get a virtual "anything" nowadays, from a Virtual Personal Assistant through to Virtual Financial Director. The term virtual tends to mean a resource that is not physically present, or employed by your company directly.”
“The cyber-security skills shortage has helped the Virtual CISO industry to grow, where a skilled advisory expert can help a number of companies all at once. However, they are often called in at the last minute where companies are driven by legal or regulatory demand. Or a security breach.”
Jane Frankland, a serial cyber-security entrepreneur and CISO adviser, adds that a virtual CISO “is someone who’s spent years in the industry, has a wealth of experience having dealt with a wide variety of scenarios, and consults on the management of an organization’s information security.
“They’re usually engaged to design the organization’s security strategy, and some may manage the implementation. Many also present to the board, key stakeholders and regulators. They work part-time from a few hours a month, and typically remotely.”
Brian Honan is CEO at BH Consulting, whose own vCISO service provides clients “with access to our experienced cyber-security consultants to provide ongoing advisory services on how the client should be implementing their cyber-security framework to protect their data and systems.
“Typically, this would involve us agreeing to a program of action whereby key initiatives are identified and we then manage the implementation. We also are available to the senior management team...to provide ongoing advice and guidance on how the business should be managing the threats to its systems and managing its cyber-risks.”
The benefits go beyond cost
Virtual CISOs do actually make some sense. How? Well, consider this for starters: full-time CISOs can earn $100,000 and beyond, making a part-time, when-you-need-it CISO considerably cheaper (around 30 percent of the annual costs, if industry guesstimates are to be believed).
You can set up a retainer for a certain number of hours, or hire someone on a project-by-project basis. You can even buy a chunk of support hours and use them when you need them. In short, it’s a way of getting the best security talent when you need them, and at a fraction of the cost.
They can dive into your most pressing issues straight away, from liaising with security and compliance teams on standards, guidelines and security policies to conducting vendor risk assessments and ensuring compliance with the likes of PCI and HIPAA. The vCISO is also able to train internal security staff, drive security awareness within the firm and create a strategic security road map for their organization.
There are other, less visible benefits. For example, the vCISO has no loyalty to the company, so they have no particular desire to sugar-coat bad news; they don’t necessarily fear for their job safety (which can impact performance); and the ‘virtual’ nature means there is less collusion between IT and management, and no need to play office politics.
“A skilled Virtual CISO can bring a wealth of multi-sector experience to your company, and help you take a practical approach to security and build a long-term plan to mitigate risk,” says Holman.
“They can help with a variety of challenges,” says Frankland. “Often these include communicating the issues to the leadership team, the regulators, and other business stakeholders; designing the security strategy; advising on technologies, processes and best practices; recruiting suppliers and new team members; training; and dealing with incidents.”
“Speed is the currency of new business and a virtual CISO can help an organization mitigate their risks, increase their security expertise, and enable business fast.”
Nik Wells is head of IT security and compliance at financial services firm Elevate and he agrees with Holman and Frankland that vCISOs have their place, especially for small-to-midsize enterprises (SME).
“Most SMEs may not have the budget to employ a full-time security professional at that level and need short-term guidance to help them deal with tactical issues and strategic plans for the mid to long term. With the impending [European] GDPR requirements, SMEs will need assistance with meeting these regulations.”
Frankland and Honan disagree on the speed of adoption, however, with Frankland suggesting SME adoption is slow, and Honan claiming otherwise.
“We are seeing a sharp uptake in these services as many organizations, both at the SME and at the enterprise levels, struggle to find suitably qualified and experienced staff to cover this role,” said Honan.
“We either provide our service to augment the existing management team within a company, or to cover a role while the company recruits a permanent person for the role.”
But are there disadvantages?
This is not to say virtual CISOs are a silver bullet. After all, if that were the case perhaps we would talk about on-premise CISOs with a little less familiarity.
We shouldn’t forget that vCISOs are first and foremost the same CISOs who make mistakes, nor that these hired guns have little loyalty or affiliation to the brand they are working for. They are still relatively expensive, and finding the right one is as difficult as recruiting a full-time CISO. A dependency on them can leave you “locked-in”.
There is also a larger issue at hand here, as expertly pointed out by one CISO on LinkedIn on the subject of vCISOs.
“...The CISO structure is failing at big companies. It is failing because few firms see security as a strategic level problem,” said Frederick Carlson, CISO at Bureau of Economic Analysis, US Department of Commerce.
“Is this idea to duplicate the same failed structure, but push it out to an outsourced model for small firms?” he asked.
He is not alone in thinking vCISOs are a mixed bag. Darren Argyle, recently appointed group CISO at Australian airline Qantas, added in an email to CSO Online: “You miss the accountability with virtual CISOs,” he said. “You can't write into the charter a virtual person or service is accountable.”
Holman agrees: “A Virtual CISO does not maintain any accountability should things go wrong. This still falls into the shoes of the board. They are rarely given any budget, and should not be seen as offering anything but advice.
“Much like a solicitor or tax specialist, it's up to the company as to whether or not to take such advice. If your company is taking security seriously, a Virtual CISO will definitely help set you in the right direction, but shouldn't be seen as a 100% outsourced security risk mitigation function.”
“Companies and their boards need to remember that ultimately they are responsible for their own security,” agrees Honan. “A CISO, whether...full-time or virtual, cannot shoulder that responsibility alone. If there is not a culture of security within the organization, or the willingness to introduce one, then the CISO role could be doomed to failure.”
“Virtual CISOs don’t help with the implementation,” adds Frankland. “CISOs advise, coordinate and manage. They’re accountable. If an organization wants someone to write their policies, assess and monitor their systems, applications and infrastructure, install software (firewalls, antivirus, password managers, encryption etc.), then this service won’t be adequate.”
So while Virtual CISOs do bring numerous benefits, especially for SMEs, they are no panacea for your security problems.
This article was originally published on CSO Online.