Maximizing your cybersecurity ROI - Part 1
Hiring a full-time Chief Information Security Officer can be an arduous task. It can take a significant amount of time and money, both of which might be in short supply at your organization. This is why hiring a fractional CISO (virtual CISO) has become the go-to choice for small and medium-sized organizations. vCISOs are hired as consultants, so you only pay for the time that you need. Some sources say that vCISOs typically cost 1/3 of what a traditional CISO does to hire and employ full-time. This financial model makes engagement with vCISOs feasible for even small organizations.
This is great news as cyber security is extremely important for companies of all sizes. Accenture’s Cybercrime study states that 43% of cyberattacks target small and mid-sized businesses and only 14% of these are adequately prepared to defend against these attacks. In addition, according to the US National Cyber Security Alliance, 60% of small businesses that are victims of data breaches go out of business within 6 months.
Another benefit to engaging with a vCISO is that they can provide a fresh perspective on your cybersecurity challenges and information security program planning. Furthermore, while it’s true that the vCISO must integrate well with the internal team, they are external consultants. This gives them the advantage of not having to participate in internal politics.
Optimizing your cyber security ROI - While the vCISO is technically an outsider, they must lead your information security team as if they were a part of your full-time staff. They need to be an integral part of your internal team and communicate well with both staff and the C-level. Ideally, the vCISO should have budgetary control and the authority to manage your team to implement and maintain your information security initiatives.
As you begin your search and interview process, here are some considerations that will help to ensure your vCISO hire will be successful. An effective hire will ensure that you reduce your organization’s cyber-risk in the shortest amount of time, while creating an information security program that is sustainable long after their engagement ends.
1. Communication skills – It is no accident that this is the first consideration when hiring a vCISO. Communication in this business is the lynchpin of a successful engagement. The vCISO needs to be able to effectively communicate with the internal team so that no information is ambiguous or open-ended. Success is a function of the internal team’s ability to execute the plan exactly as designed. It is especially important that they use the same vernacular that your organization does and that this “language” seems familiar and supportive to the rest of the internal team.
Equally important is effective communication with the C-Suite and Board. These people are very busy, so it is extremely important to have efficient and effective communication with them. These company leaders need to understand the bigger picture implications of the pending security plans and how they will positively affect the company and reduce risk. They may not be fluent in the cyber lingo we use every day, so the vCISO needs to be able to speak and present plans, updates, and metrics in understandable terms and concise language.
2. Problem processing skills – When reviewing the websites of your candidate vCISOs and later during the interview process, try to get a feel for the types of problems that they have solved and the methods they followed to achieve these solutions. Being confident that the vCISO has solved complex, systemic problems in the past is a strong indication that they will be successful at solving the security challenges of your organization.
3. Relevant experience – A vCISO does not necessarily need to have worked for one of your competitors to be able to understand your business. However, it can help if they have had similar industry experiences or solved similar problems to the ones you have identified in your organization. It can help them get up to speed more quickly and ensure that the solutions they offer have been tested and proven in previous engagements.
4. Regulatory and technical tools knowledge – In this industry, there is no shortage of regulatory requirements and the need for compliance. ISO27001, HIPAA, CMS/MARS-E, and GDPR are just a few of the more prominent ones. An additional bonus that you will get by utilizing a vCISO is the breadth of knowledge they will have due to a history of engagements with a wide variety of companies and industries. They will also be current with the latest releases of each of these regulations and will have had experience with lesser-known requirements as well. Likewise, your vCISO should be fluent in the latest technical tools and software.
5. Personality – Finding the perfect vCISO can be like searching for a unicorn. How a person presents themselves and interacts with people can have a significant effect on establishing respect and building trust. Your vCISO needs to be approachable; their effectiveness depends on being viewed as part of the internal team. They also need to be a leader who builds confidence in the internal team. Your vCISO needs to be someone that your internal team wants to support because they believe in the vCISO's ability to guide them effectively. All things being equal, people want to work for people they like and respect!
6. A track record of success – During the search and interview process, look for evidence of successful engagements. You can often find testimonials on their websites. These quotes can provide insight about what process was followed and the outcomes delivered. They can also shed light on how this particular vCISO might have provided higher-level outcomes than the client might have expected at the onset of the engagement.
Also, take the time to have conversations with the candidate’s client references. Knowing that these references are “friendlies,” ask them tough questions, like how this vCISO handled tough situations. How did they behave in a crisis or how did they recover from a situation that was delivering less than ideal results? Also find out their tangible metrics of success for what was promised and how they knew that the vCISO delivered measurable results.
Moving Forward - At this point you have determined that you don’t have the time, financial resources, or bandwidth to hire a full-time CISO. For you, a vCISO can be an excellent choice to provide leadership and oversight. Someone who can lead the charge to:
Effectively assess cyber threats relative to company accepted risk levels
Collaboratively design a plan to resolve these threats
Implement your program while also training your internal staff to sustain the plan
Measure, evaluate, and update the plan on a regular basis
Provide communication and feedback at all levels throughout the process
Utilizing these six considerations will help ensure you have put your information security budget to good use and you have maximized your probability of success, resulting in the greatest return on your security investment.