The case for a virtual Chief Information Security Officer
By Bob Nicolson, Head of Consultancy at Nicolson Bray – Organisations today are facing a dangerous combination of mounting cybersecurity threat and a lack of in-house expertise to meet the challenge. Smaller firms have typically allocated responsibility for information security to a member of the operations or financial team and given IT the responsibility for technical cyber security. In most cases these responsibilities are secondary to the allotted individual's main role, resulting in issues around prioritisation and conflicts of interest.
As such, it is now commonly understood that having a person, or team, solely accountable for cyber security has become a necessity if a firm is to adequately protect itself from cyber security threat. Without this, organisations often struggle with the complexity of interconnected technical, physical and personnel controls that make up a complete cyber security framework.
Going beyond this, there is also a requirement for someone to create strategic security plans, lead on cyber security risk reduction activities and provide meaningful reporting at board level: this is the role of the Chief Information Security Officer (CISO).
Recruiting a CISO
In common with many cyber security roles, whilst the demand for CISOs is growing daily, there is a very limited supply of adequately experienced and qualified individuals. It has been many years since the Information Systems Security Association spoke of a “missing generation” in information security, pointing to an estimated 300,000 to 1 million vacant cyber security jobs.
In addition, retaining an experienced CISO can be extremely challenging - according to one Ponemon study, senior security executives leave on average after just thirty months on the job.
This all creates some serious issues when it comes to finding a CISO for your firm. And of course, there is the challenge of determining whether someone is the right fit for your business when you don’t have the security experience needed to properly evaluate a CISO…
Enter the virtual CISO
“Renting” a CISO could be the answer. In fact, contracting a virtual CISO can be far more effective than hiring a full-timer. With a virtual CISO, there's no need to worry about benefits or monthly overhead.
For smaller firms, it simply doesn't make sense to invest in a full-time CISO when you can hire a virtual one and get all of the skills you need to draw up a strategic overview and deliver the big picture.
Larger organisations also often need someone to step in on an interim basis, perhaps to provide supervision and advice for your in-house security team, or simply to ensure that you only pay for what you need.
A qualified virtual CISO is going to be fully up to speed on the latest best practices; they have experience dealing with a wide variety of scenarios and they are well-positioned to train your internal staff.
They can fill in where you need it the most, helping your CIO to create or review your security policies, guidelines and standards. That could entail anything from coming to grips with Security Standards or FCA compliance, to staying on top of Portfolio Assets’ cyber security risk assessments.
A virtual CISO can be invaluable: don't wait until a breach occurs - prevention is always better than cure.