March 01, 2021
Contributor: Robert Snow
Organizations who recognize the value of a security leader, but can’t afford a traditional CISO should consider virtual options.
With a current total cash compensation ranging from $208K to $337K, hiring a chief information security officer (CISO) may not be in the budget for small or midsize organizations, especially those that aren’t heavily regulated.
At the same time, these organizations recognize the growing importance of being more strategic and the necessity of having a leader responsible for program creation and guidance.
“The good news for such organizations is that Gartner has seen an uptick in what we are calling ‘virtual CISO’ offerings,” says Jeffrey Wheatman, VP Advisor. “For organizations that need to fill the need for leadership but are not in a position to bring in a full-time and often very costly qualified CISO, the virtual CISO — a combination of staff augmentation, consultant, advisor and strategist — might be an option.”
Read more: Gartner Top 10 Security Projects for 2020-2021
That’s not to say there aren’t organizations that defend their lack of a security leader with shortsighted rationalizations. Four of the most common ones, and the responses to them, show why smaller enterprises should seriously consider bringing in a virtual CISO.
Yes, but you’re not immune. Not being regulated may not obligate an organization to staff a CISO position; however, that doesn't mean it doesn't have risks to manage as part of achieving its business goals. Having a program leader, and the associated governance and strategic vision, also provides defensibility.
Maybe, but you’re not an island either. The dramatic increase in broad, indiscriminate ransomware attacks such as WannaCry and Petya/NotPetya means that nobody is immune from attack. Also, the increasing connectedness of digital business ecosystems expands and extends enterprise risks, so while your organization may not be a target, your partners may be, and their compromise can become yours.
Are you sure — absolutely sure? This outlook may be accurate if you have no customers, no employees, no intellectual property, no business processes, and no shareholders or stakeholders — but that would also mean that you don't have a business.
Beware: this is at best a band-aid fix. Leaving security to the technical staff might work in the short term, but as a long-term approach it overemphasizes tools and tactics and neglects people and process.
Engineers, architects and administrators have specific skill sets and responsibilities for managing technical outcomes. In practice, you need a dedicated, focused role to guide the program and ensure, over time, a shift to a more strategic approach that can be communicated to business leadership with the appropriate level of business context.
“A virtual CISO can help by sitting outside the tactical day-to-day activities,” says Wheatman. “From there, they can provide vision and guidance to drive a more programmatic approach, which clarifies the scope of the program. This then begins the shift toward a more proactive approach to security and risk management.”
Connect with the world’s leading security and risk management leaders with Gartner experts to establish an agile security program and deliver business value.
Recommended resources for Gartner clients*:
Can You, and Should You, Bring in a Virtual CISO? by Jeffrey Wheatman, et al.
*Note that some documents may not be available to all Gartner clients.