Is the vCISO Model Right for Your Organization?

11 months ago 48
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

An executive talking to a team over video conferencing

Source: KaterynaOnyshchuk via Alamy Stock Photo

Over the past few years, the job of protecting businesses from hacker and compliance-related security issues has become unwieldy, to say the least. While larger companies typically have chief information security officers to handle these issues, smaller companies often don’t. Sometimes it’s because smaller businesses haven’t felt the need to have one, and sometimes it’s purely a budget decision.

It’s getting harder to justify not having a CISO, so many businesses that have never had a CISO are filling the gap with a virtual CISO (vCISO). A vCISO, sometimes referred to as a fractional CISO or CISO-as-a-Service, is typically a part-time outsourced security expert who helps businesses protect their infrastructure, data, personnel and customers. Depending on the needs of the company, vCISOs can be onsite or remote, long-term or short-term.

There are plenty of reasons why companies are going the vCISO route. Sometimes it’s an internal crisis where a company’s CISO has unexpectedly resigned and the board needs time to find a permanent new one. Other times, it revolves around new regulatory or business requirements or a cybersecurity framework the company needs to adhere to, like NIST’s Cybersecurity Framework 2.0 (expected in 2024). Sometimes a board member used to getting a briefing from the CISO may request a vCISO.

"A smaller company might need a CISO but just a few days a week, and that type of delivery model is perfect for a vCISO," says Russell Eubanks, a vCISO who is also on the faculty of IANS Research and an instructor with SANS Institute. The key is flexibility, he added. If the company needs the vCISO for 40 hours a week for some period of time, that’s also okay.

In addition to smaller businesses, organizations in the SaaS, manufacturing, industrial and healthcare industries are also good candidates for the vCISO model. While some believe the financial arena can also be a good fit for vCISOs, others say the area is so heavily regulated that financial institutions should have their own full-time CISOs.

What vCISOs Do

The most common duties vCISOs perform for companies includes Governance, Risk and Compliance (GRC), developing and executing strategic plans and evaluating and enhancing security maturity, according to a Hitch Partners report. Experienced vCISOs will understand cyber risk, technology and enough about the business to orchestrate an effective security strategy.

vCISOs also spend time advising permanent vCISOs. Nick Shevelyov, who spent years as a CIO and then CISO at a San Francisco area bank, says he routinely called in vCISOs to pick their brains and learn from them. Today, Shevelyov is an executive cybersecurity advisor and vCISO operating his own boutique consultancy.

"CEOs, CFOs, CIOs, CTOs or even CISOs can engage a vCISO to help them quickly understand what they need to prioritize and assess whether their tech is correct configured, installed and architected, which can cause cybersecurity vulnerabilities," Shevelyov says. "As a CISO, I wanted to learn whatever I could."

Sometimes, companies even engage a vCISO to define the role within the company so the vCISO can eventually prepare the next, permanent CISO to take over.

"More often than not, I’ve seen highly qualified fractional CISOs work themselves out of a job because they are grooming someone," says Nick Puetz, managing director of the security and privacy practice at Protoviti, a technology consultancy that provide vCISO services.

Companies interested in finding a vCISO have plenty of options. In addition to asking industry experts they know, they can find plenty of candidates from large consulting firms, boutique firms specializing in vCISO services and managed services provider. The key, Eubanks says, is that candidates have experience working as a CISO, preferably in the same industry as the company seeking the vCISO.

Finding the Right vCISO Fit

A few years ago, when a mid-sized credit union unexpectedly lost its cyber leader to one offering more money, it found itself at a crossroads. With about only 600 employees and no prepared succession plan, the credit union didn’t have anybody on staff who could step into CISO role. So while the executive team prepared for a months-long search for a new CISO, it turned to global consulting firm Protiviti to provide a part-time temporary CISO.

Finding the right vCISO for that mid-sized credit union took some work on Protiviti’s part.

"It’s about sitting down with them and understanding what they need to accomplish and where we would start the journey," says Puetz. "With that information, we can suggest packages we offer that might make sense or tailor something specifically to their needs."

Know what you need. Before even diving into potential candidates, it’s important to know what you’re looking for and nail down your requirements, says Deron Grzetich, national cybersecurity lead at West Monroe, a digital consulting firm.

"Sometimes you need someone who is more like a cruise ship captain, not there to make a lot of changes but to keep the train moving. Then there are field CISOs, who are more like evangelists who help solve relevant cyber issues and is more a face of the company," Grzetich says. "It depends what you’re looking for and where you are in your cyber maturity journey."

With that in mind, define the scope and outcome expectations of the vCISO role clearly. Having these factors defined will help ensure that the person is aligned with the role, he added.

Find appropriate candidates. There are plenty of places to look, but finding the right person—someone who understands your company’s dynamics and has the right experience—can be frustrating. First off, make sure they have experience as a CISO. That might seem like obvious advice, but it’s important. "There are plenty of senior consultants out there who can’t find a good job, so they put out a shingle advertising their services as a vCISO. But if you dig in, you’ll find they have never been in charge of the security at an organization," warns Ira Winkler, long-time president of the Internet Security Advisor’s Group and field CISO at CYE, a global consultancy.

Vet candidates carefully based on your priorities. Familiarity with the industry can be important, because it reduces the learning curve and helps ensure that the potential vCISO understands your company’s issues. For example, if your company is a highly regulated financial organization, experience in that realm would be key. If your company has a heavy customer focus and is sales-driven, experience in that realm would be helpful. It’s also useful for the candidates to have experience in companies of a similar size.

But while compatibility is important, the right vCISO can override some of it. "The size of the company and vertical are important, but they aren’t deal-breakers," says Eubanks. "For example, I’ve done work in healthcare, financial and communications industries, and I can see many similarities in other industries like manufacturing. Many similar requirements permeate multiple industries."

Don’t rush the process, and be realistic. "I’ve seen many situations organizations don't take the time to find the right type of person, or they're unwilling to get the right, get the type of counsel they need to find the right type of person," Puetz says. "If they rush to bring someone in, sometimes they will find that it’s not a fit."

Read Entire Article