
The Virtual Chief Information Security Officer, or vCISO, has gained in popularity over the past several years with small and midsize businesses (SMBs).
Why? Because a vCISO provides business value to an organization without the cost of a dedicated, full-time employee.
An average Chief Information Security Officer’s annual compensation is north of $200,000. The cost of adding a full-time Chief Information Security Officer (CISO) can far exceed the budgets of many SMBs.
That said, many SMBs don't require a full-time security leadership position; part-time, experienced guidance is all that is needed. That is where a virtual CISO (vCISO) can add value.
To understand why, we first need to understand what a CISO is. In most cases, a CISO is the senior executive for information security in an organization. A CISO is a security practitioner who draws on years of cybersecurity and industry experience to help organizations develop and manage the implementation of their information security program. At a high level, CISOs lead the architecture of the organization’s security strategy and help manage its implementation.
For SMBs, the CISO works with staff across the organization to execute an impactful security program. Additionally, the CISO is responsible for presenting the organization’s state of information security to its executive management team, the Board of Directors, external auditors and regulators.
A recent development in security management has been the adoption of vCISOs by small and midsize companies to develop the security program. vCISOs provide value to organizations by helping with a number of aspects of the overall information security program, including:
Information security governance, including planning and management activities
Organizational and management structure
Initiatives affecting information practices
Security risk management activities
Evaluation of third parties with access to organizational data
Coordination of audits by regulators or customers
vCISOs typically come from industry, where they have developed and managed information security programs and have deep experience navigating the adoption of an effective security management system. The ever-increasing number of cybersecurity breaches over the past several years poses serious risk to organizations, with a potentially negative effect on any business’ bottom line and reputation, and thus the need for this expertise in the SMB space has grown. Since many SMBs face the problem of paying for this expertise, a vCISO is an attractive alternative: the organization typically buys blocks of time on a monthly basis for the expertise and guidance.
So, if you are an SMB and have concerns about safeguarding your organization's information assets, or worry about compliance with a myriad of cybersecurity regulations, then chances are a vCISO is a good fit for you. Bottom line, if you have valuable and sensitive information within your environment, you need some form of information security program in place. And that means you need someone at the helm driving the program forward and steering the vision, strategy, and implementation to meet the organization’s information security objectives.
Many SMBs have embraced the vCISO model to lay the groundwork for a formal information security management program. Once the program is established and running, the organization can reevaluate whether to continue with this model or seek support from the executive team or the board for hiring a full-time CISO to continue the oversight and management of the security program.
One final comment in closing: the true value a vCISO brings to an SMB is exactly that experience. SMBs need to tap into the minds of vCISOs who have served in and understand the role of CISO, and whose resumes shine in that light.