This year, virtual CISOs have to step up to make a difference in the cybersecurity industry.
For the longest time, small and medium businesses (SMBs) have been abandoned by the cybersecurity industry. Yet SMBs need security leaders to guide them through the maze of cyber risk and craft practical strategies that align with their unique, ever-evolving business objectives.
Sadly, most SMBs cannot afford an experienced full-time CISO. They often either ignore the risks or get lured into purchasing shiny tools that do not meet their overall needs. Before spending money on security solutions, it is crucial to understand the risks and develop clear objectives that support the overall business goals.
This is the role of a CISO: to set the direction and establish cybersecurity program foundations that will meet the expectations of the Board and C-suite.
However, there are not enough CISOs to go around, which puts a high premium on their time. Hiring a full-time CISO can cost hundreds of thousands of dollars per year, far beyond what most SMBs are willing to commit. But they don’t actually need a full-time CISO. An hour or two a week may be all it takes for guidance, leadership, and strategy development. This is where the fractional or virtual CISO (vCISO) community can play a role!
Experienced CISOs often have a few spare hours per week and yearn to take on new challenges, as long as it does not impact their day job. Many retiring CISOs still have the itch to contribute, but don’t want to commit the long hours of managing all the operations and details. They would rather leverage their experience to provide guidance and help organizations avoid costly pitfalls.
It becomes a perfect fit.
Experienced leaders offer guidance at a fraction of the cost, with short-term contracts keeping commitments flexible. Everyone wins.
vCISOs can provide leadership without being tied to the demanding operational aspects. By dedicating a few hours a week, vCISOs help SMBs benefit from experienced cyber risk leadership with direction, focus, and an understanding of the evolving risks. SMBs can then make informed business decisions that properly account for cybersecurity factors. The practical benefits include effective prioritization and efficient allocation of resources for an optimized cybersecurity posture, based upon their unique needs.
There are risks in the vCISO market. Two things to watch out for:
First, beware of vCISO services offered by security vendors masquerading as impartial advisors. In many cases, this is just a ploy to get customers to buy the parent company’s products or services. These people are effectively used as a sales channel and incentivized to convince SMBs to purchase their wares. They aren’t necessarily looking out for their clients’ best interests. Instead, seek out vendor-agnostic vCISOs that will work with what you have and align recommendations to your actual needs.
Second, many will present themselves as seasoned cybersecurity leaders but, in reality, lack the practical experience needed to be a successful vCISO. Let’s be clear: a vCISO is NOT an entry-level job. Rather, it is the opposite.
An experienced cybersecurity leader can quickly understand the major risks and business needs, develop a customized set of strategic plans for a specific organization, and communicate effectively with executives so they can rapidly understand the situation and make well-informed decisions. vCISOs must be vetted properly to make sure they can deliver quality results in very limited timeframes. Otherwise, it will be money wasted!