Why are virtual CISOs becoming so popular? Because organizations need them [Q&A]

It's becoming common in the cybersecurity industry to encounter two situations that are equally untenable.
On the one hand, the job of a typical chief information security officer (CISO) has become overburdened with the high stress of constantly evolving risks, talent shortages, budget constraints, board disconnects and more, leading to burnout. On the other, many organizations, particularly small to midmarket ones, don't have the resources to afford a full-time security executive, despite facing the same cybersecurity and compliance challenges as everyone else.
However, we're increasingly seeing one approach that can help solve both problems -- the virtual CISO (vCISO). We spoke with David Sockol, managing partner of Emagined, a Neovera Company, about this fast-emerging trend.
BN: Why do you think the CISO role is becoming untenable today?
DS: Several factors are contributing to high stress and burnout. CISOs are responsible for protecting their organization's data and systems against an increasingly sophisticated, complex and active cyber threat landscape, in many cases without adequate resources and budgets for their security teams. Those teams are often understaffed and under-skilled, and CISOs find it difficult to recruit and retain qualified professionals when there's already an industry-wide skills gap. They're also being asked to implement robust security measures and remediate vulnerabilities without sufficient support from senior leadership and stakeholders.
But they're often the scapegoat when things go wrong. CISOs can be unfairly blamed and held accountable for security breaches that are really a result of organizational failures. CISOs have been held criminally liable in cases like the breach of Uber and the SolarWinds supply-chain attack (though a federal judge eventually threw out most of the charges against SolarWinds' former CISO). There are systemic issues in many organizations' understanding of cybersecurity responsibilities and what it means to have an enterprise-wide security culture. But when a breach happens, security professionals are left holding the bag, while CEOs or other high-level executives escape responsibility.
The CISO's job keeps getting bigger. In addition to keeping up with new technologies like AI, the cloud and the Internet of Things, and the new, evolving risks that come with them, security professionals must address a growing list of industry regulations and data privacy laws that are becoming stricter. Complying with regulations like the Gramm-Leach-Bliley Act (GLBA), Federal Financial Institutions Examination Council (FFIEC) guidance, National Credit Union Administration (NCUA) rules and the Sarbanes-Oxley Act (SOX) takes a lot of time and resources, and failure to comply can result in severe financial penalties and reputational damage for the organization.
That's why security professionals struggle to keep up, and why the job is becoming untenable.
BN: What roles are CISOs seeking out when they depart from these executive-level positions?
DS: Two words: Virtual CISO. More CISOs are looking to get into this field because it addresses a real need, especially for small and medium businesses (SMBs) and midmarket enterprises. They still have to protect their assets and meet compliance requirements, but may not be able to afford a full-time security chief. A vCISO, delivered as a service, can help change an organization's cybersecurity culture, support existing staff and also set teams up for continued cyber/compliance success.
MSPs and MSSPs that already provide vCISO services have found that they not only improve security for their customers, but many of those customers have also seen increased revenue, better engagement with clients and the ability to expand their customer base.
The trend toward vCISOs is catching on fast and will grow fivefold by next year. A survey done for Cynomi recently summed it up. Currently, 21 percent of managed service providers (MSPs) and managed security service providers (MSSPs) are offering vCISO services. That's up from 19 percent last year. But in the near future, 98 percent that don't currently offer vCISO services now intend to, with 39 percent expecting to add services by the end of this year and 35 percent planning for 2025.
BN: How does a vCISO solve today's CISO challenges?
DS: It provides the kind of cybersecurity expertise and compliance management that a lot of organizations, like SMBs and midmarket enterprises, don't have the resources for on their own. A vCISO service gives organizations security leadership on a part-time or full-time basis, depending on what the organization's needs are.
A service can help develop and implement security strategies, working directly with certified professionals with the skills, knowledge and experience to identify vulnerabilities and provide solutions. It can help in any number of areas, from access control and incident response, to securing cloud services and mobile devices.
Compliance is another area where vCISOs can make a big difference. Even small and medium businesses are governed by security and privacy regulations, whether it's HIPAA, the Payment Card Industry Data Security Standard (PCI DSS) or others. It can be a complex task, and a vCISO can help organizations meet regulatory, compliance and auditing requirements.
As a third party, a vCISO can work objectively, collaborating with people in the organization while remaining immune to the internal politics and pressures that can besiege an in-house security professional.
BN: When should an organization consider a vCISO?
DS: Organizations that don't have the resources to invest in a full-time CISO or lack the expertise to defend against today's threats should be thinking about it. A lot of organizations fall into that category, which is why the market for vCISO services is growing so quickly. If your current security posture is not where you want it to be, a vCISO service can help you get there.
BN: What types of vCISO offerings are available, and what are the benefits?
DS: Customers have a lot of flexibility. They can hire vCISO services full-time, but they don't have to. They can engage the equivalent of a fractional CISO working part-time, or a CISO on an interim basis.
In those capacities, a vCISO can provide strategic guidance and risk assessment, develop policies and procedures, and direct implementations. Services can also be tailored to the specific needs of the organization, focusing, for example, on GDPR or CCPA compliance, banking cybersecurity, incident response and recovery, vulnerability management, or combinations based on what the organization needs.
A vCISO service can also help an organization build its cybersecurity team by onboarding employees, establishing procedures, and ensuring that your security pros have the necessary knowledge and training.
And a key benefit, of course, is that it's a flexible, cost-effective way to acquire top-tier cybersecurity and compliance expertise. In today's cyber threat landscape, no organization is off the radar of attackers, even if it's a small or midsize operation. Risk assessment, compliance and effective security are a must for any organization.
Image credit: Josepalbert13/Dreamstime.com