Do You Need a Virtual CISO?

With a current total cash compensation ranging from $208K to $337K, hiring a chief information security officer (CISO) may not be in the budget for small or midsize organisations, especially those that aren’t heavily regulated. 

At the same time, these organisations recognize the growing importance of being more strategic and the necessity of having a leader responsible for program creation and guidance. 

“The good news for such organisations is that Gartner has seen an uptick in what we are calling ‘virtual CISO’ offerings,” says Jeffrey Wheatman, VP Advisor. “For organisations that need to fill the need for leadership but are not in a position to bring in a full-time and often very costly qualified CISO, the virtual CISO — a combination of staff augmentation, consultant, advisor and strategist — might be an option.”

At the most basic level, virtual CISO offerings are a hybrid of:

1. Traditional staff augmentation, involving an on-site or virtual presence in meetings, events, operations and strategy planning
2. Consultative engagement and management to drive creation and implementation of security and risk programme artifacts, such as strategic and tactical roadmaps, architecture and policy, and to run risk management and risk assessment processes
3. Project management of architecting and deploying security and risk solutions
4. Coaching or advisory services to train full-time staff on how to leverage created artifacts, develop communicating plans and train the next generation of security and risk leaders

That’s not to say there aren’t organisations that seek to defend their lack of a leader with some shortsighted rationalisations. It’s useful to take a look at four of the most common rationalisations to help show the reasons why smaller enterprises should seriously consider bringing in a virtual CISO role.

“We are not regulated, so we don't need a CISO.”  

Yes, but you’re not immune. Not being regulated may not obligate an organisation to staff a CISO position; however, that doesn't mean it doesn't have risks to manage as part of achieving its business goals. Having a programme leader, and the associated governance and strategic vision, also provides defensibility. 

“We are small, we are not a target.”

Maybe, but you’re not an island either. The dramatic increase in broad ransomware attacks such as WannaCry and Petya/NotPetya mean that nobody is immune from attack. Also, the increasing connectedness of digital business ecosystems expands and extends enterprise risks, so while your organisation may not be a target, your partners may be.

"We don't have anything anybody would want."

Are you sure — absolutely sure? This outlook may be accurate if you have no customers, no employees, no intellectual property, no business processes, and no shareholders or stakeholders — but that would also mean that you don't have a business.

"We can’t afford to hire a CISO, so we’ll put the engineer (or architect or administrator or system administrator) in charge of security."

Beware — this is at best a band-aid fix. In theory, this tactical approach might work in the short term, but as a long-term approach, there will be an overemphasis on tools and tactics and not enough on people and process.

Engineers, architects and administrators have specific skill sets and responsibilities for managing technical outcomes. In practice, you need a dedicated, focused role to guide the programme and ensure, over time, a shift to a more strategic approach that can be communicated to business leadership with the appropriate level of business context.

“A virtual CISO can help by sitting outside the tactical day-to-day activities,” says Wheatman. “From there, they can provide vision and guidance to drive a more programmatic approach, which clarifies the scope of the program. This then begins the shift toward a more proactive approach to security and risk management.”