Despite the prevalence of chief information security officers (CISOs), some larger companies still choose to do business without having one in place. The traditional CISO fulfills a vital role in a company by directing protection of its information technology (IT) assets, and systems, but the individual doesn’t always have to be located on premises. As companies increase work from home arrangements for their employees during the COVID-19 pandemic, cybersecurity is top of mind again, and it begs the question, “is now the right time to hire a virtual CISO?”
Many companies are subject to cybersecurity compliance and contractual requirements, but can’t justify the cost of a full-time CISO. They may opt instead for a fractional virtual CISO (vCISO) to control costs, which gives them access to the expertise of a highly qualified individual and the collective experience of the information security solutions provider that employs the vCISO.
Benefits of a vCISO
The current generation of vCISOs has a lot to offer organizations, especially as we navigate this global pandemic. Although vCISOs have a direct impact on overhead and operational costs, they can aid in resource management, cybersecurity, and more. Some of the specific advantages of hiring a vCISO include:
Cost Effectiveness: The first thing to consider is the value of using a vCISO when compared with finding, recruiting, on-boarding, and hiring a full-time CISO. In most cases, a vCISO can be up and running within a matter of days. Moreover, smaller organizations can have access to an experienced CISO as needed, making vCISO services a cost-effective option. Finally, a vCISO provided by a security solutions firm can leverage their employer’s proven methodologies and technologies to further increase value.
Access to All of the Cybersecurity Company’s Resources: vCISOs are typically given access to all of their firm’s resources, including templates for policy creation, predefined cybersecurity measurements to aid in reporting and bench marking, and the specialized cybersecurity talent that is already part of the professional services team. The benefit here is that they have an access level that allows them to be extremely self-sufficient, allowing for less “hand-holding” and a greater amount of productivity across the board.
A proven Cybersecurity Leadership Track Record: Today’s vCISOs have an exceptional history of reducing cyber risk as well as minimizing the damage caused if a cyberattack does occur. Not only are they vetted by the security solutions firm before being deployed in the field, but many are semi-retired professionals with a deep knowledge of cybersecurity and extensive hands-on experience in the industry.
No Training Required: vCISOs are already well-trained in cyber risk management. They’re also familiar with current trends, standards, expectations, and regulations surrounding their day-to-day responsibilities. That makes them the ideal choice for companies that don’t have the time, money, or desire to train someone for the role.
No Employee Overhead: Professional vCISOs can be recruited without incurring the overhead costs typically associated with full-time employees, such as, health insurance, retirement savings, workers compensation insurance, FICA, and office space.
These are just a few of the advantages associated with the current generation of vCISOs. Although they have a lot to offer an organization, it’s important to also address that there are some potential drawbacks to consider.
Potential Disadvantages
A vCISO can enhance your workforce in a variety of ways, but they may also present a few challenges. Some of the primary potential drawbacks are:
- vCISOs Work Remotely: Because of their level of experience, vCISOs often prefer to perform their job remotely, which is not necessarily a bad thing. In fact, prior to the COVID-19 pandemic, about 68% of employees globally worked remotely at least once a month, with another 18% listed as full-time remote workers. In our current state, remote working is likely to become the new norm, which has proven to be a great format if the company is set up to accommodate remote employees. If not, a virtual CISO might not be the right fit for an organization.
- Scheduling Conflicts: You may run into some scheduling snafus, especially with those who are semi-retired or work with multiple customers. Additionally, vCISOs may not be available exactly when needed, which could result in service delays. To ensure vCISO availability, an organization should recruit one who can make their organization a top priority. Security services firms often have several vCISO assigned to different customers. As a result, they should be able to provide alternate resources when needed. Hiring a vCISO through an established cybersecurity service provider also offers the advantage of a contractual relationship vs. an employer/employee relationship. This minimizes the potential for scheduling conflicts and ensures vCISO availability whenever needed.
- Significant Investment: Although vCISOs are a proven way to reduce overhead costs, they certainly don’t work for free. In fact, a firm could still end up paying the equivalent of a full-time salary for a new vCISO. Furthermore, cybersecurity costs are only increasing as demand grows. To get the most value from a vCISO, it’s critical that a company choose an individual who is closely aligned with their budget and overall requirements.
Many organizations are taking a fresh look at their business in response to the current COVID-19 pandemic. While vCISOs are often touted as the next big thing in enterprise-level computing, their value is dependent on the role that they play in practice. Hiring a virtual CISO should be viewed as more of a long-term investment than a temporary expense, as they will implement policies and standards that will serve the company for years to come.
Find out how InfoDefense can help your organization address cybersecurity and compliance challenges. For more information on how you can get more value from your cybersecurity investment, contact us today.