At first glance, a vCISO may seem out of budget, but SMBs can miss out on some great benefits.
While a Chief Information Security Officer (CISO) may be invaluable to a company in terms of security and cybersecurity, some small enterprises may want to consider a virtual CISO (vCISO) to help reduce costs. Michael Gray, Chief Technology Officer of Prosperity, compares the positions and outlines the differences for companies seeking to invest in such roles.
A virtual CISO is an independent or contracted employee who fulfills the role of a CISO but is not employed full time. This person makes the decisions a CISO would normally manage, but the role is not inherently tied to the company.
“I think to begin with, perhaps in the face of this, [a vCISO] looks a lot like a CISO, but when you peel off the pieces, there’s a really big difference,” said Gray. “Over time, we find that once companies have a good security program built on a solid foundation, many of them only need a fraction of a vCISO. So, they don’t need a full-time person once they get through an initial practice. This is not a full-time job, depending on the size of your organization.”
The advantage of hiring a vCISO
For small-to-medium-sized businesses, hiring a vCISO can be a way to save money. Full-time CISOs command fairly hefty salaries that up-and-coming operations may not be able to carry for services they may not need. A full-time CISO in the United States earns an average of $230,223.
“[For businesses] up to 500, even 1,000 employees, you probably don’t need a full-time CISO and you can use a virtual CISO and get all the benefits you need without significant costs,” Gray said. “The salary of a full-time CISO is very high at the moment, and there aren’t many good candidates. You can find a candidate, but they may have no idea about your vertical, or the industry you are in.”
To balance financial and operational perspectives, a virtual, independent CISO analyzes the existing and ongoing processes of a business and makes determinations based on the existing business infrastructure. Gray says this allows a vCISO to make difficult decisions as needed, because their success is not limited to the company for which they are contracted to work. This allows people in the vCISO role to be more objective in making decisions.
“An independent stay [virtual] CISO may say, ‘I see this thing all the time. You have this security monitoring service, it is not doing the strategy and you are not getting your money’s worth from it,’” he said. “But it can be hard to see for a full-time CISO, especially in a small company. The other thing is, a virtual CISO, at least as we see it, they will help you get a lot more value for your existing investment. They invest in a part of the technology, and they’re personally engaged in it, they spend a lot of time and at the end of the day it’s not the right fit.”
How businesses can help accommodate a vCISO
For SMBs looking to hire a vCISO, having the right infrastructure in place lets the new hire hit the ground running from the moment they come on board. By taking stock of the company’s cybersecurity stance, virtual CISOs can start working right away.
“The company has already done the first thing, highlighting the need to have a security program, not just a piece of technology,” Gray said. “I used to ask, do you have anything today? What is your security program today? Do you have any paperwork? Make a general list of where you stand, because this is the first thing anyone will ask, do you have a place where we can start? Most don’t, and that’s fine, but it’s really good to be able to answer that question.”
From there, Gray says, the company’s risk assessment is a major consideration, with compliance-related questions arising.
“The question I’m going to ask is, ‘Mr. Customer, is there a compliance framework that you need to adhere to that I need to know from day one?’ If they tell you, ‘Well, there might be, we’re not sure,’ that’s a tough thing to do,” he said. “The third part is really a risky conversation. Think about where your organization is comfortable from a risk perspective. We want to be 100% locked down, and we want it to be a very strict employee environment, or we want our employees to be free to do things like that from their phones or things like that. These are all business questions that you can ask yourself before you start.”
Following this advice, small to medium-sized companies seeking to hire someone for a virtual CISO role can learn what to look for, as well as how quickly a candidate can fully secure an organization’s system.