Chief information security officers (CISOs) are highly sought after, to the point where good ones are expensive and hard to come by. That is a challenge as more and more organizations, reeling in the wake of CISO-less breaches like Target and the UK’s TalkTalk, recognize the value of having one in place.
Could an on-demand virtual CISO (vCISO) be the answer to your prayers? A vCISO is an outsourced security practitioner or provider who offers their time and insight to an organization on an ongoing basis, usually part-time and remotely.
Do you need a vCISO?
So far, so good, but cynics will likely point to that big question: Why would you need a vCISO when you could simply hire a real one on a permanent contract? The answer is varied and not necessarily the same for everyone. For starters, well-rated, full-time CISOs can be hard to come by, often stay in their job for two years or less, and critically, especially for smaller businesses, can command six-figure salaries.
In contrast, vCISOs are estimated to cost between 30 percent and 40 percent of a full-time CISO and are available on-demand. The benefits go well beyond cost. Virtual CISOs usually require no training, can hit the ground running, and don’t feel obliged to play nice with office politics. In this model, it’s purely about results, and vCISOs worth their salt will provide reasonable KPIs and reporting.
While different vCISOs offer different skillsets, many should be able to cover myriad tasks, from the tactical to the strategic. They could help pull together security policies, guidelines and standards. That could entail anything from coming to grips with HIPAA or PCI compliance, to staying on top of vendor risk assessment. They could also help recruit, set security strategies, procure solutions, remediate incidents, and put foundations in place for ISO 27001 and 9001 compliance. They might also assist with bring-your-own-device (BYOD) policy and enforcement, coaching newly established CISOs, or even managing the board relationship while full-time CISOs “keep the lights on.”
Naturally, this lends itself well to start-ups and growing businesses. Frankland says that vCISOs are the best fit for larger small- to medium-sized businesses (SMBs), for supplementing the existing management team or simply as an interim solution.
vCISO Ben De La Salle agrees that SMBs are usually the biggest beneficiaries. “Startups and growing businesses are great candidates for the virtual resourcing model,” says De La Salle, who launched ICA Consultancy after leaving as CISO of investment business Old Mutual Wealth last October. “Many of these businesses will have highly capable people with regards to their core business. Where they will require support though, is around understanding their threat landscape, their regulatory requirements, and defining an appropriate strategy and roadmap.”
What makes a good vCISO?
Brian Honan is founder of Dublin, Ireland-based BH Consulting and his business offers a vCISO service to clients. He says that the best vCISOs must be good communicators to the board, first and foremost. “You will end up working with client companies from various backgrounds and industries so you need to be able to communicate clearly the business risks that face their businesses in relation to infosec.
“A good vCISO also needs to be able to adapt and learn quickly, as you will need to quickly grasp the unique business environment the client organization operates in and what the key strategic goals are for that business. Once the vCISO understands these, they need to have the skills and ability to develop and align the infosec strategy to the business strategy for the client organization,” says Honan.
Nic Miller made a switch from full-time to virtual CISO last year, moving on from being the CISO at European hedge fund management company Brevan Howard to become virtual CISO at Aedile Consulting. Though he joins De La Salle in saying the role is not wholly dissimilar from a full-time gig, he adds that successful vCISOs do a few effective things.
“The key part of a vCISO role is to identify and explain how much risk an organization has around infosec and develop strategies to reduce this risk level as appropriate. It's the responsibility of the business to agree what level of risk they think is appropriate to carry,” Miller says. “I think the experience should map to the size of organization you are advising. For example, if you are advising small clients, then coming from a bank or large company isn't going to map to their needs and vice versa.”
What to look for when hiring a vCISO
Arguably one of the dangers around hiring vCISOs is that it is a nascent, slightly unknown field. As Miller says, job definitions vary, and a glance at Google will show you a plethora of vendors you’ve never heard of. Are these the latest fear-mongering GDPR consultants? How do you know, without extensive auditing, what quality you are getting? How do you guarantee they deliver what they say they will?
Honan says you need to nail down a clear definition of what the vCISO will do, then engage with those that fit the skills and knowledge required. He also suggests asking around the industry for recommendations. “Look for someone with the relevant skills and experience to your business sector and your type of business,” says Honan, who is also head of Ireland's CSIRT and an advisor to Europol.
De La Salle says firms should be looking for wider industry experience and need to consider the type of virtual resource they require (do they want one resource or many). “Whilst understanding the subject matter is important, understanding the application against a risk appetite is critical. Organizations often have conflicting priorities that mean finding a balance between what is best for the business and what is ideal for security. However, industry experience alone is not enough; virtual resources work with multiple clients at once, and they must be experienced in being able to shift between risk appetites and cultures quickly and seamlessly,” he says.
Miller, formerly in a senior infosec role within the UK Government, also recommends firms “have the appropriate people lined up to own and drive the projects forward. One of the biggest issues I encounter is that I can look at what resources a company has to fix any issues, identify the highest priority remediations, but find that they struggle to gain traction without a champion inside the business,” he says.
How vCISOs should work with your team
As Honan mentions, how a vCISO works with your team depends on the engagement and your existing resources, but all agree that the integration must be seamless and pain-free. “It’s all about complementing existing capability,” says De La Salle. “The virtual CISO needs to integrate, utilize, develop and rely upon existing capability to perform the role.”
Long-time vCISO Phil Cracknell says how vCISOs work with their teams is utterly dependent on the role, citing past engagements in which he was brought in because the incumbent CISO was not strong on board communications. (He lists CISO coaching as something he regularly does with clients.) “It depends, based on the terms of the assignment, but [you can be] as a leader of the function, as a conduit to the board where the existing CISO is not strong on communications at that level, or as a mentor and senior team member.”
Miller adds: “The relationship with existing IT teams is often very good, since you can explain you are there to champion them and ensure they are given sufficient time and resources to do their job properly. The teams can then share more openly the challenges they face, knowing you are not there to criticize or penalize them.” He does, however, cite challenges with IT management when unearthing process weaknesses as well as with outsourced IT teams as they can “see themselves as under review more than in-house.”
Success stories and challenges
Honan has seen his fair share of successes with vCISOs, from helping firms build out their infosec capabilities to augmenting existing security teams and even helping organizations continue their security program in the event of prolonged sick or maternity leave. Yet he admits there are challenges too, with these usually “due to the expectations of the organizations not being clear or managed properly.”
“Some failures have been due to organizations expecting a vCISO to solve all problems in unrealistic short periods of time, or due to engaging a vCISO without buy-in from other key business areas such as IT, or simply hiring a vCISO to fulfil an audit requirement and not providing the vCISO with the necessary budget, autonomy, or authority to complete their role,” says Honan.
He adds: “A vCISO by their nature is not there for the long term, so if you are looking to build a team around the role of the CISO or to develop a long term strategy around that person, then a vCISO may not be the answer to those problems.”
Both Miller and Frankland, though, see issues insofar as the vCISO is providing advice, but not auditing the client or implementing changes. “I am basing my recommendations on what the client says they have implemented,” says Miller.
“As vCISOs operate without a budget and typically without the responsibility for implementation, they should be viewed as advisors,” stresses Frankland. “Security is a people business and CISOs really need to win the hearts and minds of the organization if they’re to make progress. vCISOs aren’t able to do this, as they’re not visible and they may not be there for the long-term, either.”