16th August 2018
The increasing frequency and severity of cyber attack is now on the agenda of the boardroom of every major global organisation. The appointment of a Chief Information Security Officer (CISO) is essential to ensure the alignment of security measures with enterprise and business objectives.
What is a CISO?
A Chief Information Security Officer directs staff in developing and maintaining processes across the enterprise to reduce information and cyber security risks. They establish appropriate standards and controls, manage security technologies, and ensure the creation of policies and procedures. A key role of a CISO is to work closely with other C-level executives and to provide clear guidance to all directors at board level. They are also usually responsible for compliance with data security standards and laws, including ISO 27001, PCI DSS and GDPR.
Rare and expensive
Recruiting individuals with the experience required to be a CISO is very expensive and time consuming. Existing senior managers or board directors rarely possess the specialist knowledge to combat today’s highly skilled and persistent cyber criminals. Experienced CISOs are a scarce commodity and often command six-figure salaries.
vCISO delivers at lower cost
A virtual Chief Information Security Officer (vCISO) is an outsourced security practitioner who delivers a CISO management service on an ongoing but usually part-time basis. This may involve face-to-face contact but is increasingly provided on a remote basis (hence the word virtual in the title). The service can also be provided by a commercial cyber security supplier, with the advantage that a greater range and depth of skills is available.
The vCISO service model offers immediate availability at a significantly reduced cost, estimated at 30-40% of the salary of employing a full-time executive. The vCISO usually requires no training, can hit the ground running and is best judged by their reporting and success in achieving realistic KPIs. The role can be combined with that of a Chief Information Officer (CIO) or IT Manager. However, it is essential to ensure that the vCISO maintains a strategic involvement in all decisions related to the management and implementation of information security.
Entrepreneur Jane Frankland explained in a recent comment to CSO magazine, “A virtual CISO is someone who has spent years in the industry, has a wealth of experience having dealt with a wide variety of scenarios, and consults on the management of an organisation’s information security. They’re usually engaged to design the organisation’s security strategy, and some may manage the implementation. Many also present to the board, key stakeholders and regulators.”
Who needs a vCISO?
The flexibility and cost-benefit are a huge advantage to smaller companies, particularly early-stage firms that have core management competencies but lack strategic cyber security experience. The vCISO is just as valuable for professional services firms in the financial services, private equity, legal and accountancy sectors. Such firms are often structured as limited partnerships, and it is essential for this type of company to protect itself from the risks associated with cyber attack and to demonstrate to its stakeholders (customers, investors, staff) that it takes cyber security seriously.
The Wizard Cyber VIRTUAL CISO service has been designed to provide a dedicated outsourced board-level resource who can ‘virtually sit inside your company’ and manage your security strategy, budget, review of risks and regulatory programmes.