vCISO, or Chief Information Security Officer (CISO)-as-a-Service, is a concept whose time has come. CISOs are hard to come by, and good ones even more so. InfoSec professionals in general are tough to find, especially ones who can fulfill all the duties of a traditional CISO or InfoSec team: understanding business requirements, legal requirements, regulatory and compliance regimes, administrative controls, technical controls, education needs, and so on. It is hard enough for a well-resourced enterprise with a solid Information Security team and an effective CISO to stay on top of the constantly changing threat landscape. Small-to-Medium Enterprises are finding this feat impossible and therefore choose either to play ostrich, ignoring the dangers, or to rely on under-qualified individuals who assume this role without guidance. Both of these strategies introduce unacceptable risk to the health and future profits of any business.
There is currently an astounding shortage of Cyber Security professionals worldwide. The Bureau of Labor Statistics projects a 37% increase in demand for information security analysts alone. This is a chronic gap that conventional hiring cannot fill. The advantage of outsourcing via the CaaS or vCISO model is that you get a team of InfoSec professionals across a wide range of disciplines at a fixed cost, which is usually much less than hiring even a low-cost CISO, not to mention the InfoSec team that CISO would need. As the business grows you can transition into a full-time CISO. On the other hand, if the performance of your vCISO becomes an issue, you can replace them far more easily than a full-time executive. Some auditors may object to a contractor providing part-time Virtual CISO services, but the reality is that many small enterprises do not need a full-time CISO. If there is an effective IT or DevOps team and a C-level executive who owns IT, the CISO can provide direction and guidance and the ops team can deliver. A large range of security services can already be outsourced (penetration testing, monitoring, and so on), and many security solutions are moving to the "cloud" model. These outsourced services, along with an effective ops team handling daily alerts, constitute the vCISO's "team", which he or she coordinates to execute the organization's security strategy.
The InfoSec industry is at the same point that the Managed IT industry was at in the early 2000s, and that cloud services were at in the early part of this decade. Most companies are cautious about Information Security outsourcing or are not considering it at all. As a matter of fact, most companies are only now asking whether they should devote more than 0.001% of their revenue to security (for reference, that figure should be at least 1 to 3% of revenue). The reality is that the supply of even entry-level cyber security professionals will not meet the projected demand without a huge increase in defensive capabilities (read: AI). The only practical solution is outsourcing to professionals who can handle multiple engagements and so fill this gap with a one-for-many approach. In today's connected world, operating without an effective strategy or the right people to protect your company's (and customers') data and intellectual property is akin to putting everything on red at the roulette table. It may work for a while, but eventually you will lose.