Companies today must contend with stringent cybersecurity mandates and regulations. At the same time, the labor market for security professionals is getting tighter and requirements for senior security and risk leaders are becoming more complex. Because the search for a Chief Information Security Officer (CISO) is hard and very expensive, Gartner reports that many organizations could find an affordable, effective option by investing in a virtual CISO (vCISO).
However, in the same report, Gartner found that 30 percent of organizations will end up dissatisfied with the work and performance of their vCISO within a few years, due to a lack of appropriate pre-engagement due diligence. Bryant G. Tow, Managing Partner of CyberRisk Solutions LLC, offers advice on what an organization should expect from a vCISO, an outsourced security practitioner or provider who offers time and insight to an organization.
“Part of the pre-engagement due diligence should include asking your candidate about how they will metric and measure the risk and communicate it to the executive level, as well as how the organization should outline the first 100 days of the engagement,” Tow said. “Clearly setting expectations for deliverables is imperative to success.
“At the end of the first 100 days, an organization should gain visibility into specific measurements of all potential risks, and how they measure against their industry peers,” Tow explained. “The organization should also have a definition of maturity and a roadmap that includes the costs, hardware/software and human capital resources required, as well as timelines defined to get there. If that’s not the answer you get when you are interviewing for a vCISO, then you should probably be talking to someone else.”
One of the first steps an organization must take is to determine whether its risk profile, compliance targets and attack surface are enough to warrant the salary and experience level of an expert CISO. As Tow and Gartner share, that is where the potential for a vCISO comes into the picture. Unfortunately, according to Tow, many still base their risk level only on the type of data they gather and store.
“An organization could be small, but heavily regulated. Broker dealers or capital market companies required to be compliant with NYDFS are required to have a chief security officer, but that can be very expensive,” Tow explained. “Even a 40-employee company could be heavily regulated, for example. They need a CISO, but may not be able to justify a $225,000-a-year salary person, especially in New York where an experienced person could demand even more than that.”
On the other side of the spectrum is the non-digital business model Gartner mentions in the report.
“A company may have more than a billion in revenue, but if they’re in the manufacturing business, their technology footprint is fairly minimal,” Tow explained. “Eighty percent of their employees are not using network-connected devices. They’re on the production lines. They’re building things. Though the footprint is small, the criticality to the business for the technology to keep those lines moving is a very high-value target, and outages could cost millions per day. Cyber criminals will take over those systems and hold them for hundreds of thousands of dollars.
“By contrast, in an accounting firm, everyone is likely to have at least three tech touchpoints – a smartphone, a tablet-type device, and, of course, a laptop or a desktop machine. A 200-person accounting firm could have three times the touchpoints that a 3,000-employee manufacturing company will have.”
As Tow explained, many companies think that because they don’t process credit card numbers or don’t collect protected health data or other personally identifiable information, they aren’t at risk. However, Tow points out that the true measure is how much it would cost if the organization could not get to the systems needed to conduct day-to-day operations because manufacturing lines are shut down and being held hostage. What would that cost per minute, per hour, and even potentially per day?
“There is nothing in any analyst report or book that will tell you what it is like walking into a 7,000-employee healthcare company with an empty parking lot on a Wednesday at 10 a.m., after they’ve sent everybody home because entire systems are being held for ransom. A vCISO would have a plan in place and shorten the recovery time if not eliminate the threat altogether,” Tow shared.
When evaluating a vCISO vendor, an organization should look beyond just the ‘staffing’, or the individual resource, Tow explained.
“Staffing companies will find great talent, but most will lack the backing of a support team and many will lack the methodologies required,” Tow said. “There are expert vendors out there, but you need to look for them and ask the right questions, such as ‘How soon can we see a roadmap that will outline a set of maturity requirements for my organization and define what acceptable risk looks like?’
“If you don’t get answers to those and other questions discussed above, when you are interviewing for a vCISO, then you should keep looking until you find the right fit.”