Here’s why virtual CISOs meet a very real business need
10 April 2017
Good security people are hard to find, but without them, good security practices are increasingly hard to manage. There is a growing trend for boards to become more closely involved in security, being driven by developments such as the Central Bank of Ireland’s guidance last year urging organisations to become more aware of their cyberrisk.
The problem is, moving security from what used to be an IT-centric issue to being an agenda item for senior management calls for a very specific skillset. The chief information security officer (CISO) role calls for a good all-rounder who understands technology risk and who can also speak to the board in business language. Unfortunately, such people are not so easily recruited and retained—and those skills are not necessarily to be found in one individual.
To address this issue, some organisations are taking a virtual or outsourced approach to hiring a senior security leader. This is an experienced professional, working either remotely or on site or a combination of both, who is supported by an external third party provider that has the in-house experience and wider market reach to assemble a package that meets the client’s specific security needs.
This way, companies can have an industry specialist overseeing their security strategy, even where they don’t have the budget to recruit for a full-time role.
Having seen this trend internationally, we recently launched a range of ‘CISO service’ options. These are designed to be flexible to suit a given organisation’s needs, risk profile, and budget. They might vary from one person on site for one day per week, or a couple of days per month, to being on site every working day for a set period during preparations for a regulatory audit, for example.
Their duties can vary from overseeing certification or conducting a supplier risk assessment, to providing security awareness programmes for staff or briefing the board and driving the business security strategy.
The ‘CISO’ might not even be the same individual for the duration of an engagement. It could be a specialist who starts by putting an appropriate security framework, such as NIST or Cyber Essentials, in place. After that, it might involve several subject matter experts who are made available for a set period, depending on the organisation’s specific requirements, such as addressing audit findings or maintaining compliance with the EU General Data Protection Regulation.
Apart from the flexibility, another advantage of the CISO-as-a-service model is experience across a range of industry sectors. We see a lot of what’s happening in terms of the kinds of security processes and policies that best-in-class organisations typically write, and we also see the threat models that are typical for each industry. A retail company will have a different security profile than a financial services provider; an external provider like ours can absorb good practice from one arena and apply it, where appropriate, in another. It gives a degree of perspective that someone working exclusively in an internal operational role wouldn’t necessarily have.
Some companies might only need a security professional for one or two days a month to help them through a certification process or supplier risk assessments. For others, it may be a more ongoing relationship as they choose to focus on what they’re good at, while having subject matter expertise available to them. Either way, a vCISO helps to ensure security is proactively addressed into the future, rather than remaining the once-yearly box-ticking exercise of the past.
Sean Rooney, cyberrisk and assurance director, Integrity360