Many companies struggle to fill the CISO role and opt instead to run without a dedicated C-level cybersecurity executive on their org chart. What is a CISO? Why do organizations struggle to find people to fill this vital role? And how can the role be filled more easily?
What is a CISO?
A Chief Information Security Officer, or CISO, is the person in an organization who is charged with formulating its overall cybersecurity strategy: making sure the necessary security controls are in place, raising security awareness across the workforce, and preparing contingency plans for when a disaster or breach occurs.
The CISO role is sometimes confused with the CISSP (Certified Information Systems Security Professional), but the two are different in kind: a CISO is an executive role, while a CISSP is a certification held by an individual. A CISO, being a C-level executive by definition, is responsible for setting the organization's security strategy as a whole. A CISSP holder may recommend or execute that strategy, but is not usually the one accountable for creating it. A CISO will very likely hold a CISSP certification, but not every CISSP is a CISO, just as a CFO is usually a certified accountant while an accountant is not necessarily a CFO.
Challenges of Finding a CISO
In larger companies with plentiful resources to dedicate to finding, recruiting, and training, the CISO role is usually filled by a senior executive within the organization. Many businesses, however, simply do not have the resources needed to attract someone with enough expertise in both information security and business operations to reliably fill the role.
Some of the major challenges of hiring a CISO internally include:
Paying a High CISO Salary
There is a general shortage of qualified cybersecurity specialists at every level, so organizations can expect to pay a premium for an in-house CISO. According to PayScale data for July 2018, the median annual CISO salary was around $155,680, and base pay for the role reached as high as $218,420 (not including bonuses and profit-sharing).
Depending on where your company is based, average CISO pay can run even higher than the PayScale figures. One Forbes article notes that CISO salaries in some cities range "from $154,000 up to $380,000."
Qualified CISOs Are VERY Difficult to Find
Even when ultra-lucrative salaries are on offer, many CISO positions go unfilled. Part of the reason, as CIO.com puts it, is that "CISOs are hard to hire because there are far too few business executives with the right mix of business and technical chops." In other words, an in-house CISO is expected to perform a dual role, improving business processes and cybersecurity at the same time, and few people are trained in both fields.
Thankfully, there is a way around the challenges of hiring an internal CISO: acquiring virtual CISO services (also known as VCISO) from an experienced and trusted cybersecurity team. What are the benefits of having a virtual information security officer?
What Are the Benefits of Using a Virtual CISO?
1) Virtual CISO Services Provide Access to a Team of Experts
Even the best CISO is still just one person, and there is only so much one person can know and keep track of in your company. Virtual CISO services give you access to a whole team of experts with different specializations, so your "CISO" has a broad range of experience to draw on when handling your company's cybersecurity needs and responding to security incidents.
Given how expensive and difficult it is to find qualified, reliable cybersecurity experts, this can be a lifesaver for companies with limited recruiting resources.
2) Using VCISO Services is Faster than Recruiting an In-House Expert
Because CISOs are so hard to find, many businesses go without that leadership for their cybersecurity efforts even when they could otherwise afford to fill the role. The result is gaps in the company's cybersecurity strategy, and attackers will not wait for you to find the right CISO before trying to exploit them.
Engaging a virtual CISO service gives your enterprise near-immediate access to the expertise you need to reduce your cybersecurity risk and limit the impact of a breach. These services can help you develop your cybersecurity program, run penetration tests, review your security policies and procedures, develop incident response plans, and provide critical feedback that makes your company more resilient to cyber threats.
3) Closer Monitoring of Your Company’s Cybersecurity Needs
Because VCISO programs involve a team rather than a single person, they can devote more time to monitoring your organization than any individual information security officer could. If one person is on vacation or out sick, the rest of the team is still there to provide coverage. The result is a closer, more detailed view of your company's security needs and a greater likelihood of spotting security breaches.
Having more eyes on a problem, with a broader range of expertise among them, is also invaluable for catching issues that would otherwise go undetected.
4) It’s Easier for Virtual CISOs to Stay “Up-to-Date” about Information Security Threats
Cybersecurity threats are constantly evolving. According to an article by Kaspersky Lab, "the number of new malicious files processed by Kaspersky Lab's in-lab detection technologies reached 360,000 a day in 2017." That is far more than any one person could be expected to track and prepare for.
Worse, the methods used to deliver these malicious files keep changing as attackers find new ways to exploit both system vulnerabilities and the people who manage those systems.
Having a team of virtual information security officers on call makes it more likely that someone with the right expertise will be available to recognize and counter a specific type of threat.
5) A Virtual CISO Costs Less Than Hiring Internally
When you hire an in-house CISO, you have to pay for:
- Recruitment efforts
- Salary (typically six figures)
- Bonuses/profit sharing earnings
- Ongoing Training
If you try to underbid on any of these when hiring for an internal information security officer position, you will have a hard time attracting and retaining quality CISO candidates. These experts are in high demand, and they know their value.
Outsourcing the CISO function to a virtual CISO service helps you manage costs: you pay the security provider a set fee for a whole team. Because that team usually serves several clients, the cost of its salaries and benefits is split between you and several other companies, keeping your outlay low while giving you access to a broader range of experienced personnel.
Better still, lessons the provider learns from its other clients can be applied to protect your business, strengthening your overall security posture.