April 14, 2021
Contributor: Robert Snow
Organizations who recognize the value of a security leader, but can’t afford a traditional CISO should consider virtual options.
With a current total cash compensation ranging from $208K to $337K, hiring a chief information security officer (CISO) may not be in the budget for small or midsize organisations, especially those that aren’t heavily regulated.
At the same time, these organisations recognize the growing importance of being more strategic and the necessity of having a leader responsible for program creation and guidance.
“The good news for such organisations is that Gartner has seen an uptick in what we are calling ‘virtual CISO’ offerings,” says Jeffrey Wheatman, VP Advisor. “For organisations that need to fill the need for leadership but are not in a position to bring in a full-time and often very costly qualified CISO, the virtual CISO — a combination of staff augmentation, consultant, advisor and strategist — might be an option.”
That’s not to say there aren’t organisations that seek to defend their lack of a leader with some shortsighted rationalisations. It’s useful to take a look at four of the most common rationalisations to help show the reasons why smaller enterprises should seriously consider bringing in a virtual CISO role.
Yes, but you’re not immune. Not being regulated may not obligate an organisation to staff a CISO position; however, that doesn't mean it doesn't have risks to manage as part of achieving its business goals. Having a programme leader, and the associated governance and strategic vision, also provides defensibility.
Maybe, but you’re not an island either. The dramatic increase in broad ransomware attacks such as WannaCry and Petya/NotPetya means that nobody is immune from attack. Also, the increasing connectedness of digital business ecosystems expands and extends enterprise risks, so while your organisation may not be a target, your partners may be.
Are you sure — absolutely sure? This outlook may be accurate if you have no customers, no employees, no intellectual property, no business processes, and no shareholders or stakeholders — but that would also mean that you don't have a business.
Beware — this is at best a band-aid fix. In theory, this tactical approach might work in the short term, but as a long-term approach, there will be an overemphasis on tools and tactics and not enough on people and process.
Engineers, architects and administrators have specific skill sets and responsibilities for managing technical outcomes. In practice, you need a dedicated, focused role to guide the programme and ensure, over time, a shift to a more strategic approach that can be communicated to business leadership with the appropriate level of business context.
“A virtual CISO can help by sitting outside the tactical day-to-day activities,” says Wheatman. “From there, they can provide vision and guidance to drive a more programmatic approach, which clarifies the scope of the program. This then begins the shift toward a more proactive approach to security and risk management.”
Recommended reading for Gartner clients*: Can You, and Should You, Bring in a Virtual CISO? by Jeffrey Wheatman, et al.
*Note: Some documents may not be available to all Gartner clients.