What’s a vCISO and why do I need one?
SHANE MULLER explains why you need a chief information security officer (and what to do if you think you can’t afford it).
You may think your business is too small, too boring or too unimportant to interest cyber criminals but think again — chances are they’re already worming their way through your systems stealing valuable intellectual property. You just don’t know it, yet.
Enterprises have the advantage — they know what it costs to mitigate risks. An enterprise like an airline or healthcare provider has data on what every hour it can’t operate costs, and on the human, legal and reputational penalties for failure, which justifies the investment.
A common misconception among small to mid-sized business (SMB) owners is that hackers only target such enterprises or government. But criminals snare SMBs in huge internet driftnets along with big businesses and public sector agencies.
SMBs are also disadvantaged because they can’t afford a full-time chief information security officer (CISO) to patrol, safeguard and—when things go wrong—recover the business.
In response, many SMBs assign cybersecurity to an executive who may be unprepared and under-resourced.
According to an Oracle NetSuite study, organisations often force their CFOs to be “security savvy”. The cloud accounting platform found 71 per cent of CFOs ranked data security as their top concern while 33 per cent experienced a cyber attack — and 23 per cent of them have experienced more than six cyber attacks. In 14 per cent of cases, the cost for each attack was $US10,000–$US50,000 ($A15,000–$A75,000).
But the hidden costs may not be worth it. Fighting cybercriminals distracts the CFO from their core responsibilities of managing cash, reporting to stakeholders and ensuring the business sticks within its budget and is legally compliant.
So great is the pressure that Oracle NetSuite found nearly half of respondents either have a full-time CISO or will soon hire one: “And this appears to be working, as 59% of those companies … have yet to experience an attack”.
Although having a CISO is a huge leap forward for a business’s cybersecurity, there is no ‘silver bullet’ because hiring a specialist is only the start.
An alternative for worried but cash-strapped SMBs and even mid-market businesses is a ‘virtual CISO’ or vCISO.
So how do you know you need a vCISO and what should they do?
The answer will vary for each business but, in general, the businesses that need one have identified the threats against them and already have a cybersecurity budget. For them, a vCISO often delivers better outcomes than spending on the next thing that might help. A good vCISO would assess and work through the low-hanging fruit first, then move the organisation up the levels of maturity.
The vCISO will also evaluate the budget to ensure money is spent wisely, and may rationalise high-cost but low-value services while recommending emerging solutions that deliver high impact.
Starting with an initial senior management consultation, the vCISO establishes a baseline for what ‘good’ cybersecurity should look like within the business.
The vCISO will achieve senior management buy-in and phase in improvements of cybersecurity capacity and capability to roll out as budget, threats and corporate strategy dictate, actively engaging stakeholders and listening to users as they get up to speed.
And as the organisation’s cybersecurity maturity improves, the vCISO actively monitors the organisation’s posture, ensuring its people, policies and procedures track industry best practice. This way, the vCISO delivers maximum value without the payroll overhead, while the other executives who might have had the role part-time get back to doing what they do best.
And even for those organisations that have a CISO, a vCISO still delivers tangible benefits.
The vCISO is a collaborative peer and mentor who reflects what they see in the threat landscape among other businesses.
The nature of internally fulfilled roles often means many organisations don’t share their experiences; a vCISO ensures lessons learned elsewhere are passed on to the client with absolute discretion and trust.
A vCISO also adds value because they see the good, bad and ugly every day — disasters a (good) CISO may see rarely in their career.
And with the rate of change accelerating so quickly and new threats emerging on a daily basis, it’s advantages like these that could make all the difference in levelling up your own cybersecurity quickly.
* Unsure whether you need a vCISO to protect your valuable customer data and critical information systems? Feel free to leave me a message or send me an email and, confidentially, let’s evaluate your risk profile and discover how a vCISO can improve your business performance.