Experts talking about how to hire a Chief Information Security Officer can make it sound like recruiting a unicorn. And HR training and fantasy literature make two things clear about unicorns: they come with a steep price tag and get a lot of calls from recruiters.
So if you’re considering a search for a legendary (or even just competent) CISO, plan on a hunt that will probably take months, cost more than you think and leave you constantly watching over your shoulder for unicorn poachers.
Instead of chasing that mythical beast (and potentially doing it again in a year or two when your prize gets a better offer), consider options other than hiring a single person. The best solution for your organization may be a Virtual Chief Information Security Officer (vCISO) service. That’s proving especially true in 2020, when new security threats and uncertain budgets make adding a full-time CISO tougher than ever.
What a vCISO Does
For a quick recap, let’s sum up typical CISO duties:
- Understand the ever-changing threat landscape.
- Continually monitor system activity and quickly respond to critical threats as escalated by the security analyst team.
- Regularly assess the organization’s security posture and coordinate third-party certifications such as SOC 2 or HIPAA.
- Evaluate the security implications of organizational changes (such as a switch to remote work or an acquisition) and implement appropriate adjustments.
- Create and carry out information security training for all employees.
- Oversee and ensure software and devices are properly configured and patched at all times.
- Plan for information security as part of the organization’s overall strategy.
- Communicate to top leadership about the organization’s security position and outlook.
Despite that long list, many organizations still tend to think the IT director or chief information officer (CIO) can manage all this along with their day job. But that’s usually a recipe for leaving yourself open to security problems. Even if your IT director or CIO has the full security skillset, few people have the bandwidth for this kind of double duty.
How a vCISO Can Help
So you almost certainly need someone focused solely on your organization’s information security. Here are six factors that might make a vCISO the right choice:
1. Cost savings –Plan on a solid vCISO earning about $185,000 annually. Pratum’s vCISO service, on the other hand, ranges from $24,000 to $120,000 per year. Because each organization can customize its vCISO plan, you pay only for time you use, not extraneous meetings, hallway chats, etc. These vCISO cost savings are especially attractive for growing organizations deciding whether they’re even ready a full-time CISO.
2.Easier/faster hiring and no retention worries –Most managers dread the time suck of the hiring process. Depending on your company’s location and brand recognition, recruiting can take even longer than industry averages. And once you’ve hired the right person, you face industry averages showing that the average tenure of a CISO is only 24-48 months.
3. Time to clarify your needs –The CISO revolving door isn’t all about employees seeking bigger paychecks. Many leave because companies with newly created CISO positions frustrate good hires with a marginal security commitment, unclear metrics and other growing pains. Using a vCISO service lets your team understand its approach before investing in a full-time employee.
4. Instant scalability –When a big project, security event or new business line comes along, you can ramp up your vCISO’s capacity overnight.
5. A team full of experts –A great CISO is a Renaissance person, with deep knowledge of compliance, vendors, policies, continuity plans, government standards, business management and more. That’s a lot of expertise to find in a single person. With a vCISO approach, you get a lead consultant with an entire advisory team sitting around them. Along with the technical expertise, you’ll benefit from the checks and balances of several opinions rather than a single person’s perspective.
6. An honest third-party perspective –Executives all say they value honesty—but employees know there’s a limit there. Inevitably, some CISOs sense that certain battles present a choice between protecting company security and protecting their career. A vCISO service obviously wants to retain you as a client, but you won’t be their only client, giving them more freedom to tell it like it is. Plus, an in-house CISO may factor office politics into decisions about whether to push departments getting tired of the CISO’s demands. A vCISO, on the other hand, doesn’t worry about who snubs them in the break room.
How vCISO Works
If you decide to start evaluating how to choose a vCISO, here’s what you need to know:
Pratum scopes each vCISO agreement as an exact fit for your organization. Our team sets up a monthly service plan, but whenever you determine you need more or less service, we can adjust the plan accordingly.
Because we work with companies on these plans every day, we can get your vCISO up and running as quickly as a couple of weeks after your initial call.
As you consider vCISO services, don’t assume it’s a temporary fix. The flexibility and affordability convince many companies to make it their permanent approach, especially in small- and medium-size businesses. Growing businesses also find advantages in how a vCISO lets them regularly redefine the role as their company changes. That provides insurance against hiring a leader who may find themselves out of their league as the organization grows bigger and more complex.
If you’re ready to learn more about your vCISO options, reach out to our vCISO team today!