5 Benefits of Retaining a Virtual CISO

Cybersecurity is finally gaining the attention it’s due. From whistleblowers to major data breaches, issues once kept strictly in the confines of board rooms and restricted government offices are now plastered all over the news. Even the average layman is now aware of the sinister consequences of compromised non-public information.

As a result, new government regulations are being implemented left and right. Organizations of all sizes are expected by their stakeholders to protect their data at all costs. Demand for cybersecurity professionals is at an all-time high, and yet the talent pool remains stagnant. When all is said and done, the pressure and responsibility to maintain the confidentiality, integrity, and accessibility of private data falls to the IT Security leaders in every organization.

According to Techopedia, the Chief Information Security Officer (CISO) “controls information security issues in an organization and is responsible for securing anything related to digital information”. CISOs are seasoned IT Security professionals who have the breadth and depth of experience to help organizations establish a strong cybersecurity program, adopt effective cybersecurity policies, provide ongoing training for their IT teams, and review existing programs and policies so that they correspond to the changing needs of the organization and the current security climate. Great CISOs help protect their organizations from breaches and help save them from costly events and legal problems in the long run.

This also means that finding a great CISO is challenging and may very well be cost-prohibitive for most organizations. Some organizations even forgo hiring a CISO even though they have a legitimate need for one. Some only need a CISO for a short-term project with a set budget, while some find it incredibly difficult to hire and retain a CISO with the right combination of experience and skills. With varying needs and budgets for a CISO, the role of a Virtual CISO has emerged.

What is a Virtual CISO (vCISO)? A vCISO effectively fills the role of a CISO, without the constraints and prohibitive costs associated with a traditional CISO hire. A vCISO is a scalable and economical solution for many organizations.

So how can you tell if you should retain a vCISO instead of hiring a CISO full-time? Here are 5 benefits of hiring a vCISO; see for yourself:

1. Expertise – vCISOs Bring Years of Knowledge

vCISOs provide immediate value because of their skills and experience on both the business and security sides, which is a critical combination for an effective vCISO. They also have an established network which can act as an extended resource for you and your team. They also act as mentors to your security team and are incredibly adaptable to your needs. As they’re not technically part of the organization, there are no agendas and the vCISO is free to skip the politics and just go straight to work.

2. Cost-Effective – In Many Cases, a Full Time CISO is Not Required

As of March 2017, the median salary of a CISO is $229,964, which is commensurate with the skills needed, the demand for this position, and the severe shortage of talent. That said, not all organizations have this budget, nor do they need a CISO full-time, so a vCISO is the more logical choice. A vCISO does not require any benefits, nor is any onboarding necessary (which saves you time and resources). You will also only pay for what you need: some vCISOs operate on a per-hour retainer basis.

3. Flexibility – Work on the Projects as You Need Them

vCISOs are generally on-call, and are available to help whether on-site or off-site (depending on your needs and your agreement). They are also incredibly scalable; they have a vast network of professionals so they can expand if necessary, depending on the needs of your team. Retaining a vCISO is essentially a short term relationship with limited risk.

4. Improve Your In-House Team – Reallocate Time & Resources

With a vCISO shouldering the strategic responsibilities (and others you assign), you are now free to fully utilize your in-house team. The vCISO can train and mentor the junior members of the team, you have more time to harden your security (vs. spending all your time putting out fires), and you can allocate the budget savings to much-needed improvements.

5. Independence – No Politics, No Conflicting Agendas

As previously mentioned, your vCISO is essentially a contractor, which means they are free from the burden of office politics. They are there to help you and your team, and nothing else. They offer a fresh pair of eyes (and ideas!) especially for brainstorming sessions and performing evaluations. vCISOs are also vendor neutral so their tool recommendations are those you can trust, and they also have their own teams and resources, so they will not add any burden to yours.

These are just 5 benefits of retaining a vCISO. Organizations are now able to enjoy the benefits of having an experienced and skilled IT Security leader, within their scale and budget. However, here are five things (or “cons”) that you also need to keep in mind when considering hiring a vCISO:

  1. They’re not for full-time employment — they are most suitable for short-term or limited engagements.
  2. They’re mostly for strategy — though they have the experience, the vCISO will most likely refrain from doing “hands-on” work. The vCISO works on the strategy, and the in-house team takes care of the execution.
  3. They’ll provide guidance and oversight, but will not run the security team — this makes a lot of sense. Even with the title of “chief,” the vCISO is working for you, and listens to your needs, not the other way around.
  4. They’re usually not in the next office — vCISOs are incredibly flexible, usually there to answer your calls. That said, they are usually in different locations and will not be available to “come over” with short notice.
  5. They’re independent — which means they may be working for organizations similar to yours. So make sure you have NDAs and other appropriate agreements in place before you commence engagement.

So with that in mind, it’s time for you to decide whether a vCISO is right for you. Whether it’s for compliance (NY DFS Cybersecurity Regulations, for example, require you to appoint a CISO), more project-oriented or strategic work, or other needs your organization has, a vCISO may be the solution you’re looking for.

Here at NopSec, we offer a vCISO service for organizations of all sizes. If you’d like to know more, please call us at 646-502-7900, or email us at hello@nopsec.com.