What is a Virtual CISO and why you should run away from companies hiring a vCISO
A virtual chief information security officer (or vCISO) is a person with a vast amount of experience in cybersecurity, who can provide an organization with guidance on how to create, maintain and improve information security programs.
We usually meet companies that chose to hire a vCISO (mostly small or medium-sized companies) for one of the following main reasons:
· Lack of budget to hire a full-time CISO
· Lack of knowledge in the field of cybersecurity among the company’s internal employees
· Lack of awareness of the importance of information security to the organization or to the potential hazards that can impact the organization due to a security incident
· Ability to “tick a checkbox” to comply with regulations, shareholders, or customers’ demands
A vCISO is usually an external consultant who works for the organization a couple of times a week and is supposed to provide oversight over the cybersecurity aspects of the organization.
The drawbacks of a vCISO
The fact that a vCISO is not a full-time employee has many drawbacks.
Some of the drawbacks of having a vCISO instead of a full-time CISO include:
· Budget — as a CISO, you are responsible for being the owner of information security in the organization. A vCISO who works only several days a week will have little to no ability to secure a budget from management to operationalize information security in the organization.
· Security awareness — as a vCISO, you are responsible for raising awareness of information security in the organization. In small organizations, you will most likely be personally in charge of promoting awareness of the topic, while in medium to large organizations, you will probably have one of your team members conducting security awareness training.
· Information security program — as a vCISO, you will be in charge of writing security policies, standards, and procedures for the organization.
· Compliance — as a vCISO, you will be in charge of making sure the organization complies with applicable laws, regulations, and standards.
· Incident response — as a vCISO, you will be in charge of monitoring and managing all incident response processes across the organization.
Now, consider all the above responsibilities of a CISO, and look at them from an SMB’s point of view.
You are expected to play all the above roles: in the best case as a full-time employee, and in the worst case as an external consultant visiting the organization only several days a week.
Sure, it is nice to dream that any organization can hire a superman who can do a full team’s work single-handedly, while the organization saves on its security budget (manpower, technology, and processes), but is it realistic?
CISO — The right way
Any organization that stores or processes sensitive information (financial, healthcare, PII, intellectual property, etc.) must hire a full-time CISO and support the CISO’s work with a team of professionals (security administrators, SOC analysts, security or cloud security architects, etc.).
If the organization cannot afford to hire a full-time internal employee as its CISO, it should hire an outsourced full-time CISO.
No organization should expect to hire a single person to do the work of an entire team of professionals.
A CISO is the owner of the information security management aspects, while the CISO’s team (whether internal or outsourced employees) takes care of operationalizing all aspects of information security in the organization.
In case of a security incident, a vCISO will most likely not be able to give full attention to the organization’s or its customers’ data, while handling many other tasks (that a full security team would normally take care of).
Bottom line
Think about the data you are about to store or process with this sort of organization, not about the organization’s size or its lack of funding for a full-time CISO with a dedicated information security team.
The next time you are about to do business or store your personal information with an organization that fails to hire a full-time CISO, and relies on a temporary outsourced vCISO — run away!
About the Author
Eyal Estrin is a cloud and information security architect, the owner of the blog Security & Cloud 24/7 and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry.
You can connect with him on Twitter and LinkedIn.