vCISO – the Cost-Effective Solution

Resolution IT’s Senior Information Security Consultant, James Ogier, provides some insight into what a vCISO can offer to organisations.

As cyber-crime rises to an all-time high and more and more businesses are being targeted, it’s rare to see an organisation that isn’t giving real consideration to its information security.

Technological research firm, Gartner, found that 88% of boards now regard cyber security as a business risk, not just a technical problem. It has also been predicted that by 2025, 60% of organisations will use cyber security risk as a significant determinant in conducting third-party business transactions. This means that failing to have a solid information security program in place not only puts your business at risk, but can also impact prospects, clients and partnerships. As the cyber climate continues to evolve at such a rapid rate, it’s important that businesses consider the impact of being left behind.

Trying to keep on top of the ever-changing cyber landscape can be daunting, overwhelming, and time-consuming. A lot of small to medium sized businesses simply don’t have the budget nor capacity to give the subject any real thought – in fact, only 38% of global organisations feel they are adequately equipped to deal with a complex cyber attack (source: IBM). Of course, the ideal solution would be to appoint a full-time Chief Information Security Officer (CISO) to manage and monitor an organisation’s security, but for many SMEs, this is out of the question due to budgetary constraints.

There is also a real skills shortage in this area of expertise. Software firm, Trellix, found that 41% of UK respondents said a lack of staff resources was the biggest barrier to implementing new cyber solutions. This means it’s difficult and time-consuming trying to source the right employee for a CISO role. As well as contending with a small talent pool and monetary considerations, lots of businesses simply don’t have the need for a full-time member of security staff. Perhaps they just need to ensure their policies and governance are up to date and threats are monitored and kept at bay.

A Virtual Chief Information Security Officer is a cost-effective solution that gives businesses access to an industry-certified Information Security professional for a set monthly retainer. The vCISO uses the culmination of their years of cyber security and industry experience, as well as the advantage of being entirely unbiased and working across various industries, to help organisations with developing and managing the implementation of its information security program.

At a high level, vCISOs help to architect and implement the company’s security strategy. The company may still employ their own internal Security staff, who work with the vCISO to execute a strategic security program and oversee larger security projects. Additionally, the vCISO is often expected to present the organisation’s state of information security to its board, executive team, auditors, or regulators. As well as being a payroll-free option, the service is flexible, scalable and easily adaptable as the business continues to grow.

Implementing a vCISO means businesses can rest assured that their security is being taken care of across all bases, including security awareness training for their staff, insights into emerging threats, consultancy, certification to industry security standards, asset management, the creation and maintenance of governance and policies and more – all for a fraction of what it would cost to bring in a full-time staff member. In a similar way to how you might outsource your IT, vCISO is essentially an outsourced managed security service.

But how do you know whether your business needs a vCISO? Almost every single organisation today houses a certain amount of sensitive data. Whether that data is related to its clients, stakeholders, marketing prospects or the company itself, it’s vital that it’s kept safe and confidential data remains protected. If you have valuable and sensitive information within your organisation’s environment, you need some form of information security program in place and someone at the helm driving the program forward.

If you’re unsure what step is right for your business, I’d suggest starting with a virtual CISO to get the groundwork started, policies and governance assessed and updated, and a roadmap created to see what needs to be done. With the scalable nature of the service, from that point, you can work out whether there’s scope or need to extend the service and to work with your virtual CISO to further develop the program.