Would you build a house without a land developer, an architect, or a builder who is experienced in home building? You probably would not. However, many organizations still try to tackle security without a “developer, architect or builder”.
The results vary, ranging from organizations not investing in security and hoping for the best, to lots of money being invested and breaches still happening. A Chief Information Security Officer (CISO) might be what these organizations are missing. The CISO title has been around for many years, but about 10 years ago the role was typically filled by someone very technical who reported to the Chief Information Officer (CIO). All too often, conflicts arose with the agenda of the CIO, the CISO’s boss. A 2017 study by the School of Business of North Carolina Central University was one of the first to predict that the CISO role is changing, concluding that “hiring for CISO positions is on the rise, mostly from outside the firm, and that the trend for new CISO positions is to report to the CEO (rather than to the CIO, or lower in the IT organization).” As a result, “modern” CISOs are no longer primarily technical experts in securing IT systems and networks; instead, they put cyber risks into perspective for board members and the CEO, helping them understand the business risks that follow from the cyber risks the organization faces. This elevation in reporting line was desperately needed. The numbers in IBM’s 2022 Cost of a Data Breach Report paint a dark picture of how organizations are currently handling their cyber risks and of the impact on the business. According to IBM,
83% of organizations studied have had more than one data breach.
60% of organizations' breaches led to increases in prices passed on to customers.
Those two numbers simply reflect what cyber risk insurers have noticed over the last three years: the resiliency of many organizations against cyber-attacks is not sufficient. Cyber Defense Magazine states in an article that “…cyber insurance loss ratio spiked from around 43% in 2020 to 72% in 2021. The frequency and value of customer claims skyrocketed. Suddenly, insurers began losing money with cyber insurance – while cybercrime continued to surge.”
These developments seem to be supported by a study conducted by Bitglass, now part of Forcepoint. In 2019, the CISO role was, even among many Fortune 500 companies, still not considered a leadership role (see Figure 1), and some companies (38%) did not have a CISO at all.
Such numbers might be an indicator that the existing approach of not having a dedicated leader for cybersecurity is not working. It is like a construction crew trying to build a house without a foreman or an architect. The crew certainly has the skills, but they do not see the big picture and might not work well with each other, or even side by side.
The investment in hiring an experienced CISO is well justified. Behind a good team is always a good coach, and cybersecurity is certainly a team sport. However, it is sometimes financially difficult for an organization to pay for a full-time CISO. The right individuals, those who have the experience and have held roles with a CISO title, will (justifiably) ask for a six-figure salary. This is where a part-time CISO, a virtual CISO (vCISO), can be an option. vCISOs can help build or re-shape a security program and/or achieve cost savings with it. As with CISOs, there are differences in experience and skill sets. Many professionals call themselves vCISOs, and not all of them are truly qualified to be a CISO or a vCISO. The more important question, however, is: at what maturity level is your organization? A vCISO who has been reporting to the board of directors and other business leaders might not be a good fit for a highly technical organization that has no board and/or has highly technical business executives. Reviewing the resume of a potential vCISO, and having the candidate talk with the key peers they would be working with, is a good idea.
How many hours should a vCISO put in each week? 40 hours per week is certainly too high on a regular basis, and 4 hours might not make a dent in the number of things that need to be addressed. Keep in mind that the vCISO is usually a full-time employee of a consultancy who has to put in 40 hours each week for that employer, spread across clients. Each client environment is different, and keeping track of all of them can be a challenge. At four (4) hours per client, a vCISO would have to keep track of ten (10) client environments, something most people would struggle with, even before considering whether the vCISO can do meaningful work in that time. A more realistic number is 10 hours per week. This gives an average of 2 hours per workday: enough to accomplish tasks and still be affordable.
Modern vCISOs are not security architects. If you need someone highly technical, a virtual architect (vArchitect) might be the better approach. The vArchitect is a relatively new way to address the shortage of security architects in the job market. A successful vArchitect must have a good technical understanding of various technologies and be able to define a holistic approach to securing IT systems with technology.
vCISOs can help define a strategic approach to addressing cyber security risks, align the cyber security program with business objectives, and identify cost savings. This is what experienced vCISOs bring to the table.
Polito prides itself on providing vCISO and vArchitect services with qualified consultants. Each of them has worked in a CISO or Security Architect capacity for a number of years. Please give us a call or email us at firstname.lastname@example.org.
Polito Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, red teaming engagements, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.