The Market Trend in Recruiting vCISO Firms

By Mehran Basiratmand, Chief Information Security, Consultant

In the past two years, technology adoption, innovation, and organizational transformation have accelerated to new levels. The main drivers of this ongoing shift are the widespread adoption of hybrid work schedules and the substantial investment organizations have made to modernize their technology footprint. At the same time, given the growing number of cyber security incidents, the need to secure organizational assets, primarily data, has become an even more pressing priority, and new tools that promise to address it are introduced to the marketplace daily.

Data continues to be the most valued asset of many organizations. As we move deeper into the Fourth Industrial Revolution, a term coined by Klaus Schwab, founder and executive chairman of the World Economic Forum, securing and protecting data will be crucial for the foreseeable future. What is significant is that data collection, access, consumption, and storage have grown organically, with data gathered from a variety of sources in a variety of formats. This is therefore only partially a technology problem: it requires human experts to build the framework and create the plans that secure these assets.

While various regulations and best practices support building a protective structure around corporate data and resources, the cost of orchestrating the activities that fall to the Information Security Office is continuously increasing. Furthermore, small to mid-size organizations with low profit margins cannot conceivably compete in recruiting or retaining a high-priced Information Security Officer. In addition, for many of these organizations the need for a Chief Information Security Officer is limited in time and scope, which makes investing in a full-time CISO in this competitive market cost prohibitive and difficult at best.

Some organizations have opted to promote an internal candidate, adding responsibilities so that one person serves as both information security engineer and Information Security Officer. The challenge is two-fold. First, you risk overtaxing such individuals and losing them to burnout. Second, these individuals generally have little interest in addressing policy issues, tackling incident response planning, developing a cyber security education mandate, or dealing with cyber insurance underwriter questions. As a result, given time constraints, some of these issues will be assigned low priority or ignored altogether.

A new business model has been gaining major traction lately and is anticipated to experience exponential growth: small to mid-size companies recruit a Virtual Chief Information Security Officer (vCISO). A vCISO is generally a part-time expert committed to the organization for 4 hours or more per week. These individuals bring expertise and experience, and they have access to other resources as needed. Their primary focus is addressing critical areas that are generally given low priority for lack of resources.

vCISOs are estimated to cost 30–40 percent of a full-time CISO, and they are available on demand with no training period. There are currently approximately 714,000 open cyber security positions, close to 40,000 of which are in the public sector. Given this competitive market, which leads to continual job hopping by some individuals in the sector and a constant demand for higher wages, contracting with a vCISO resource is a sensible option.

There are three primary benefits to using vCISO services: (1) lower cost; (2) continuity of service delivery, since the vCISO and the service provider are contractually committed to providing you with a qualified resource; and (3), most importantly, the wealth of expertise the vCISO brings, together with access to other cyber security resources.

Given their role as time-limited contractors with a clearly scoped engagement, vCISOs can remain objective. They do not take sides in internal conflicts. Their main focus is on achieving satisfactory results against the pre-defined KPIs negotiated in the statement of work.

There are two areas of concern. The first is whether the vCISO supervises information security engineering. Some vCISO candidates require this as part of their engagement in order to build a cohesive plan with buy-in from the ground up. The second is the reporting structure. To be successful and make a difference, many of these individuals prefer to report directly to the CIO or CFO; their rationale stems from prior experience in which full access to decision-makers was needed to deliver satisfactory results. Both areas can be negotiated, and there is ample room for negotiation. The key is ensuring that the organizational culture lends itself to someone from the outside making recommendations that are sometimes uncomfortable. The main recommendation is to build a two-way trust relationship with your vCISO. Remember, at the end of the day, your vCISO provides services that support your mission. Your vCISO is on your side.

As you weigh the pros and cons of hiring a vCISO, you should consider including some of the deliverables listed below in the statement of work:

  • The initial period of engagement, including the number of set weekly hours
  • Support measures in the event of an incident, including the expected response time and availability outside the set weekly hours
  • Participation in the evaluation of corporate or agency security policies, as well as making recommendations
  • Participation in developing and maintaining the incident response plan (IRP) and in risk mitigation activities
  • Participation in cyber security insurance discussions and making recommendations
  • Providing a security gap analysis report and the steps needed to improve the security posture
  • Participation in strategic and tactical cyber security budgeting processes
  • Assessing the effectiveness of information security training programs or developing a program
  • Addressing and making technical recommendations on access control practices for cloud services, endpoint devices, servers, and applications
  • Assessing compliance with applicable regulatory requirements (such as HIPAA, PCI DSS, GDPR, etc.) together with the critical stakeholders

You should address three other key questions:

  • Is managing security staff required as part of the engagement?
  • What is the reporting structure of your vCISO?
  • How will engagement liabilities be limited, given that these individuals are time-limited contractors rather than employees?

The most common method of monitoring whether your vCISO meets your requirements is to build a simple matrix and grade each item outlined in the SOW on a scale of 1 to 5 (5 being the highest) monthly or quarterly. This provides a solid baseline for measuring your vCISO's progress and for verifying that he or she is meeting or exceeding your key performance indicators. There are strong indications that more and more organizations in various sectors are likely to use this service as interim coverage while recruiting for a CISO as well; the coverage a vCISO provides during that gap, maintaining the organization's security posture, is equally essential. Before you embark on recruiting a vCISO, you should seek a reputable vendor or one with whom you have had a prior relationship. This is a relatively new area, and there may be only a few points of reference for you to explore at this juncture, but the evidence strongly suggests that this practice will continue to grow.

Author’s Bio:
Dr. Mehran Basiratmand is a member of the eGroup/Enabling Technologies Corp CIO Strategic Advisory team. He has well over 30 years of broad experience leading innovation in complex technology enterprises in higher education institutions as well as other public entities such as healthcare, state government, and more. Prior to joining Enabling Technologies Corp, he served in various C-level technology positions. Mehran has authored several publications addressing information technology modernization, cyber security, technology trends, and innovation. eGroup/Enabling Technologies Corp has 30 years of extensive technology experience and expertise in delivering solutions to its customers.