7 key benefits of using a virtual CISO (Chief Information Security Officer)

Niall Heaton

The role of a CISO actually dates back to the mid-1990s. Citicorp hired Steve Katz as their Chief Information Security Officer when they suffered a cybersecurity breach in 1995 – a breach that would cost them a devastating $10 million loss.


Many companies today struggle to find a suitable individual to fulfil the CISO role. This is why, in recent years, the role of a virtual CISO has become a very important one.


What does a CISO do?


The Chief Information Security Officer in an organisation is responsible for laying the groundwork for the greater cyber security strategy. He/she must make sure that all the right security measures are in place, cybersecurity awareness is always at its peak, and contingency plans are ready should disaster strike: a cybersecurity breach.


Over the last decade, many businesses, both large and small, have shifted to a virtual CISO – an outsourced cybersecurity expert or organisation/group that offers the appropriate individuals to a company to fulfil their CISO requirements.


What are the benefits of using a Virtual CISO?


There are many benefits of choosing a virtual CISO over an on-premises one. Some of these include:


1. A Virtual CISO is a lower-cost solution

With an in-house CISO, there are many costs to account for, such as recruitment, salary (almost always six figures), benefits and bonuses, ongoing training, insurance, etc. If companies try to underbid any of these during the hiring process, they will generally have a tough time attracting and retaining the right CISO candidate.


Outsourcing this function to a virtual CISO is, therefore, a lower-cost solution – in fact, on average, a virtual CISO may cost up to 30-40% less than an on-premises one, as companies do not need to extend the same full-time staff benefits.


2. Much faster than recruiting an in-house cybersecurity specialist


A qualified and experienced CISO candidate is generally very hard to find. In fact, many businesses end up bypassing the leadership benefits of an expert CISO candidate as they have to make decisions with a certain timeline and often use the process of elimination to find a CISO that best meets their requirement. This inevitably leads to gaps in their cybersecurity strategy. Attackers and hackers are definitely not going to wait around until you find the right CISO and then take advantage of your vulnerabilities.


A virtual CISO gives you almost immediate access to all the expertise and knowledge you need to cut down cyber-risks as much as possible, and mitigate the effects of a breach. A virtual CISO represents an entire group of organisation that specialises in detecting the latest threats and eliminating them using cutting-edge tools and solutions. By working with a virtual CISO, you can better develop your cybersecurity programme, conduct penetration tests, review your current security measures and procedures – and develop the right incident response plans to keep yourself secure from ongoing and emerging threats.


3. More specialised knowledge compared to a traditional CISO


Working with a virtual CISO means you have instant access to expertise on a variety of subjects, including network, security and compliance, which can help you both in terms of tactile implementation and strategic direction.


It lets you reap all the major benefits of the knowledge a security company has amassed while working within multiple environments (both physical and virtual) across a broad range of sectors and industries. This collective experience virtual CISOs have is a huge benefit that simply cannot be had with a traditional one-man on-premises CISO.


4. Unmatched flexibility


One of the greatest benefits of working with a virtual CISO is the level of flexibility you get. You can easily set up a retainer for the number of hours you require their services for (and pay accordingly) – or you can hire them on a project-to-project basis for your tactical needs in the short term or even on a long-term contractual basis.


It’s very scalable and it lets you take advantage of the CISO role as and when you need it.


5. Free up your internal teams


Your internal teams are already bogged down with a lot of day-to-day tasks. Worrying about compliance, governance and other security-related issues is not only something that may fall outside their regular job descriptions but also hamper their productivity and focus.
With a virtual CISO on your team, you can free up your on-premises team to focus on all other areas of the business, while the CISO takes care of all your cyber security needs.


6. Top-notch compliance


Compliance and governance is a major issue for most businesses – even with on-premises CISOs, businesses sometimes cannot keep up with compliance and end up paying a heavy price.


A virtual CISO provides immediate peace of mind in the fact that your regulatory compliance requirements are being taken care of on the fly – the same process with an in-house CISO may be very costly and time-consuming.


Even if you have an existing traditional CISO on your team, a virtual one can save your entire cybersecurity team a lot of time, effort and energy which may otherwise be spent responding to security questionnaires or dealing with agencies or bodies responsible for regulatory compliance and enforcement.


7. Virtual CISOs are better aware of the latest security threats


Hackers are always getting more sophisticated with their attacks and for every measure companies put in place to protect against these attacks, hackers usually have two or more methods to exploit or overcome those measures quite expertly.


An entire team of virtual CISOs gives you access to the latest expertise, experience and knowledge to help detect specific types of threats early and put measures in place to counter all known threats before they can become serious business issues.


Closing thoughts


Outsourcing your CISO role can be one of the best business decisions you can ever make. It’s cost-effective and can arm you quickly to fight against the latest cyber threats.

Cyber shortage – why the cyber security employment shortage is becoming critical

By Niall Heaton September 16, 2019
It appears the cyber security employment crisis has taken a turn for the worse. Companies are making some very basic mistakes during the recruitment process, overworked cybersecurity professionals are struggling to keep up with the daily demands of the job, and employers are struggling to retain them. What’s causing the cyber security employment shortage to reach critical levels? The cybersecurity skills gap is putting businesses at a lot of risk, as one might image. Worse still, there are no signs of abatement. But how did it come to this? Well, we’re go discuss some of the main reasons in just a moment although there is still hope that employers may be able to do something to mitigate this growing problem. Let’s first set our focus on the employment shortage. A Cyberseek report revealed that approximately 1.1 million people in the US are currently employed in cybersecurity, even though more than 700,000 positions haven’t been filled as yet. A Cybersecurity Ventures report suggests that the global cyber workforce shortfall is currently at, on average, 3.5 million people. Research done by the ISSA (Information Systems Security Association) suggests that 95% of cyber professionals believe the skills gap hasn’t improved in the last few years while 44% believe that it has gotten much worse. And, unfortunately, broadcasting this skills gap has not done much to help bridge the employment shortage. Why has this shortage reached a critical level and what are some of the underlying causes? The current cybersecurity talent pool does not have enough diversity The ISC did a recent workforce survey in which they reported that just 25% of the global cybersecurity workforce is female; another survey done in the US reported that even though 19% of the US population is Hispanic, only 4% of the cyber workforce comprises Hispanic professionals. Black Americans and Native Americans are also notably underrepresented in the cyber security sector. Employers are not keeping pace with their skills Employers in the cybersecurity sector must face new challenges with time moving forward – some of these include combating evolving threats against their data and systems, and increasing resilience on cloud security. Unfortunately, most employers are either so busy or so overworked that they do not have the time to undergo new training or pick up new skills in order to keep up with the ever-changing cybersecurity landscape – particularly the different threat mechanisms which are getting more and more sophisticated. While pursuing certifications, attending trainings and learning new technical skills are needed, picking up essential soft skills such as communication are especially important – but all continue to be overlooked. Employers have set unrealistic expectations Cybersecurity job requirements revolve around not just college degrees from reputable universities but also multiple certifications, along with many years of experience across multiple security disciplines. Many candidates who would potentially be a ‘perfect match’ for an organisation do not bother applying for cybersecurity jobs because they believe their talents, skills and experiences may not be fully utilised or that they may be underpaid. And, the ones that do apply are not contacted by the prospective employer because either they don’t have the right degree (or none at all), or they lack the right level of hands-on experience. Cybersecurity specialists are parting with the profession A recent Trellix report said that more than one-third of cybersecurity professionals are planning to switch careers. There’s also a major employee retention issue mostly due to the incredible pressure involved in performing a cybersecurity job role effectively and ongoing staffing shortages. In another report published by ISACA , the top reasons for cybersecurity personnel for leaving their jobs was limited promotion and development opportunities, very high levels of stress, lack of management support, and poor financial incentives. Cybersecurity positions are growing faster than companies can hire The demand of cybersecurity and IT job roles are growing a lot fasters than companies can keep up with. Massive staffing shortages are plaguing the industry, which are made worse due to the rapidly changing qualifications and requirements set out by businesses, especially those who have a more pressing need for ultra-secure systems and processes. As mentioned at the start of the article, there are 769,736 job openings , to be precise, in the cybersecurity sector, and yet companies are having a hard time finding the right candidate for the job. Rise in remote working The ISSA conducted a global study along with industry analyst ESG, warning that a lack of investment, combined with the challenges of huge workloads, has led to a skills shortage which in turn, has led to unfilled job positions and high burnout among information security professionals. The study involved 500 cybersecurity professionals, where 57% said that a shortage of cybersecurity skills impacted their organisation, while 10% said it significantly impacted their organisation. This has resulted in an increased workload for information security personnel – that’s what 62% of the participants claimed; 38% of the 62% said they experienced burnout due to increasing work pressures during what was a difficult year. The sudden rise of remote working has translated to more stress for cybersecurity staff because it has made certain aspects of managing enterprise network security more challenging and generally more complex – many cybersecurity personnel have never worked from home before and seem to be having trouble adjusting to the new ‘normal’. Naturally, more remote working means cloud applications will be used a lot more too – more cybersecurity professionals are now needed to manage cloud computing security. Many organisations are struggling to find the right personnel to fill these gaps. Conclusion: How can these staff shortages be fixed? In addition to directly addressing some of the issues above, there are three key ways businesses can reduce the cybersecurity labour shortage: 1. Invite overseas applicants to meet the demand The national average salary for cybersecurity professionals begins with six figures in most countries, so understandably, it’s a lucrative industry to be in. Employers should turn the bright minds of young cybersecurity professionals into their team members – encouraging them to work against hackers and not with them. One of the ways of doing this is to encourage more overseas applicants by offering them generous incentives and giving them the right level of training early on. This brings us to a very critical point. 2. Additional training to help employees acquire the right skills and certifications Businesses ought to research into the latest, most sought-after certifications, according to their respective sector, business type and place/region of business. Giving employees access to the right certifications and upskilling programmes will help businesses create the ideal talent pool and better retain them too. 3. Work with academic institutions to recruit more young professionals at an early stage Internships, student hires and mentorship programmes are just some of the ways the industry can be fed with eager new talent that’s ready to learn and meet challenging tasks head on. The US Department of Labor actually announced a 120-day apprenticeship programme to provide professionals with better guidance in cyber jobs. Companies in other regions can do something similar to attract more talent and effectively retain it.

Cyber board – why cyber security should be a monthly board discussion

By Niall Heaton September 16, 2019
Ever think about how much havoc cyber criminals are capable of wreaking within your business? Stolen intellectual property, compromised employee details, exportation of customer data or your supply chain falling apart – really ‘bad things’ can happen if your IT infrastructure suffers a security breach. Why board members need to have monthly discussions on cyber security If you’re a C-suite executive or board member, then you are likely very well aware of the cyber risk which increases as your company’s digital footprint expands. By one estimate, the average cost of a data breach is around $4 million per incident, and this was reported back in 2019. The average cost of a data breach in 2022 was $4.35 million, which is a 2.6% rise from 2021. Suffice it to say, they can cripple organisations and even render them completely bankrupt in some cases. This begs the question: why isn’t cybersecurity brought up in meeting agendas between board members more often? Deloitte conducted a survey in 2019 , reporting that just 4% of executive respondents included cybersecurity in board meetings agendas each month; only 49% of organisations put cybersecurity on the board’s agenda each quarter. Isn’t that a little crazy, with the amount of cyber risks that are constantly popping up and how clever hackers keep getting each year? Luckily, not every company’s board members share this perspective. One board leadership fellow member at CrowdStrike®, for example, reported an upward trend in senior executives and board members getting involved in cybersecurity meetings – according to whom there’s an increased sense of urgency – a desire to be more proactive in addressing risks and the need to improve awareness, education and participation across not just one’s own organisation but also across entire industries and business units. However, we are nowhere near where we need to be. There’s still a lack of clarity and guidance in the air among C-suite executives in regards to how they can add value and oversight without rolling up their sleeves and getting their hands dirty – that’s for the CISOs and security experts in their respective companies, after all. But this is precisely the kind of mindset that needs to change! We believe most board members have been shy or hesitant to pursue cybersecurity as a monthly agenda because the technologies involved in combating such threats and mitigating them are probably not as well understood by them as they are by the actual cybersecurity experts using them. We also believe that senior leadership has yet to find the perfect balance between security and business efficiency as it is indeed a very complex and challenging balancing act, even for the most sophisticated and successful of companies. With that said, board members do not need to be cybersecurity experts themselves in order to help the entire organisation prepare better to deal with cyber threats and attacks – but they do need to sit down and educate themselves on the most pressing issues, at least. Closing thoughts Owing to the growing legal, financial and brand damage concerns that come with security breaches, it’s high-time that C-suite executives revisit the frequency with which they debate on and discuss cybersecurity issues at board meetings. Plus, better communication and communication frequency at the board level is one of the keys to reducing cyber risk as it sheds light on relevant facts for those who are responsible for governance – and gives them the ability to process the information they acquire in a way which can be productively discussed with the CISO to better formulate strategies for the future. Irregular board meetings on cybersecurity are definitely not the smart way forward and consistent board oversight are now more of a must-have than a ‘nice to have’.