The Value of the Chief Information Security Officer
Recruiting a CISO necessitates an investment of both time and money, and it should have full company-wide support to ensure the role is a success. Often the CISO can lead a transformation of company culture such that all staff are cyber aware and those at the "front-end", the programmers, developers and IT support roles, all have the "security-by-default" attitude.
Enduring security comes about when a culture is created where information and systems are protected not just by technology but by changing how people interact with them. Of course, technology and automation should be used to reduce security events, but ultimately it's about changing behaviour, and that's what a good CISO can do.
Just as important, when there is a breach, the CISO will have ensured that incident response and business continuity work together to smooth out what would otherwise be a very expensive event. Interestingly, research conducted by the Ponemon Institute found that those companies with a CISO saw a reduction in the cost of a data breach by $7 (£5) for each record. Many breaches are hundreds of thousands or millions of records.
Another benefit is brand differentiation. When appointing a CISO it is worthwhile announcing it, because it shows your clients and your suppliers that you take cyber security seriously. Appointing a CISO is a business differentiator that gives your business an edge.
Cyber criminals themselves recognise the value of the CISO, as they are now focusing their criminal activities on small and mid-sized businesses (SMBs). They realise that SMBs are less likely to employ a CISO and to be able to develop a robust information security programme in the way that larger organisations have.
The Challenge
Unsurprisingly, this kind of high-calibre CISO is in very short supply, and recruiting them is a real challenge both in the UK and across the globe. As a result, those with the expertise and experience are in high demand and command some of the highest salaries. In addition, the average tenure of a CISO is only 18 to 24 months, which not only causes programme continuity difficulties but requires that the whole recruitment process, with all its attendant costs, repeats with an alarming frequency. What are the solutions to this?
The Practical Alternative: The Rise of the Virtual CISO
A good alternative is to hire a fully qualified and experienced CISO on a shared basis. The CISO will use his or her expertise while helping several clients. This is sometimes called a fractional CISO or, more often now, a Virtual CISO. This term reflects that much of the work, after the initial getting-to-know period, can be performed remotely. This is a little different from an Interim CISO, who is expected to work full-time in a temporary assignment. The Virtual CISO, on the other hand, can be the best long-term solution.
Rather than an hourly rate, work is usually specified and an appropriate monthly amount is agreed to complete the work. The vCISO concentrates on making all the stated improvements, whether working on site or remotely, including keeping the management and Board of Directors up-to-date on progress.
Having a professional CISO working for the company is a business differentiator which the client company should capitalize on by letting their customers and suppliers know.
A Virtual CISO (vCISO) helps organizations to protect their infrastructure, data, people and customers. The vCISO will work closely with the existing management and technical teams to build the client organisation’s cyber security programme.
The vCISO can really help when a company is struggling to comply with regulations and implement security, by providing sound guidance and direction that makes a measurable impact on the results of the client’s cyber security programme.
Benefits of Using a Virtual CISO
There are, in fact, many benefits of hiring a vCISO over the traditional full-time in-house CISO. Firstly, of course, it’s the cost. A Virtual CISO will typically cost between 30 percent and 40 percent of a full-time CISO. In addition, you will not normally pay for any training costs.
The benefits go much further than just cost. Virtual CISOs, because they are fully trained and up-to-date, can hit the ground running. They are very much used to adapting to new situations and can apply the many lessons they have learned from multiple engagements. A full-time hired CISO may have only seen one or two large corporate situations and will take much longer to “settle in”.
A Virtual CISO will usually operate more efficiently because he or she is not hampered by office politics; the job is to get results. Finally, if the vCISO works in a team, then the client company has the expertise of the whole team, not just the single CISO appointed to them.
The UK National Cyber Security Association service
The UKNCSA Virtual CISO Services are available and we pride ourselves on:
- Expert, knowledgeable and qualified consultants
- Cost-effective services tailored to your business needs
- Building long term relationships with our member-clients
Typical Working Methods
When we begin working with you, we want to quickly understand your business objectives, its culture and environment. It is vital to fully understand the business's methods and to build trust relationships with key personnel. This is central to ensuring a successful cyber security programme.
To accomplish this, a typical engagement will involve being on-site during the first two to three weeks. Thereafter we continue with a mixture of remote working and site visits, depending on your preference and requirements.
We make use of the Unified Cyber Security Framework™ (UCSF) to ensure that all fundamental areas are properly protected. Following the UCSF enables us to methodically and efficiently apply controls to the major domains while building up information for the business impact analysis and cyber risk assessment. This is the most effective method to build your Cyber Security Defence Programme.
The efficient workflow includes:
- Ensure all fundamental security operations are in place
- Prepare a BIA and cyber risk assessment based on your specific business assets
- Map out the optimum cyber security strategy with key stakeholders
- Establish the cyber security road map to accomplish the programme
- Build out the Governance, Risk and Compliance (GRC) programme
- Look to consolidate and get value from contractors and vendors
- Build a cyber awareness training strategy
- Establish incident response procedures
- Develop a business continuity plan
- Set up third party management
Other Circumstances Appropriate to Using a vCISO
As well as the situation described above where a CISO is shared, there are other situations where a vCISO could provide valuable services.
1) Board Advisor
Your company may have a cyber security lead who has been with the organisation for many years and understands the business very well. However, there is often a communications gap between that role and the top executive. A vCISO can fill the gap by providing understanding to the board members and communicating business objectives to the cyber lead. This helps build the cyber security culture of the organisation.
2) Coach and Mentor to a Newly Established CISO
If your company has selected an employee as the cyber lead, someone who is enthusiastic about securing the company but who lacks the training and experience, then a Virtual CISO could be the ideal solution to provide the initial leadership that is lacking. This may be the case with a “start-up” or “scaling-up” company.
3) Part-time Deputy or Assistant to the CISO
Supporting an over-stretched CISO. There are times when an additional experienced CISO needs to be added to the team. In this case a vCISO may be the best choice to provide that extra expertise. This may be as an interim arrangement or as a permanent “best solution”. The vCISO may take on a specific function such as third party contract management or business continuity planning, or possibly the board relationship management while the full-time CISO handles other duties.
Conclusion
As more and more companies realise the importance of having a CISO role, there will be an increasing requirement for fractional or Virtual CISO service providers. This is a practical solution to many circumstances that do not warrant a full-time CISO.
As well as being a Certified Information Systems Security Professional (CISSP), David is also an Enterprise Architect (TOGAF practitioner), AWS Solutions Architect (Professional) and PRINCE2-qualified project manager. These skills, along with his previous business background as a finance professional, ensure that cyber security is aligned with business strategy.
UKNCSA™ is the National Cyber Security Association™ for the UK.
UKNCSA is administered by UKNCSA Ltd (a non-profit organisation).