Should you consider a virtual CISO program?
When it comes to security, there's so much to take into account. There's a lot of information and things change on a daily basis. It can feel almost impossible to keep up with everything.
According to recent research, Security Operations Center (SOC) analysts are overwhelmed by the number of daily alerts they must investigate. The vast majority of respondents to a Sophos survey (86%) said they need more skills to combat security threats, while 80% report struggling to recruit the right people.
Many of our clients talk to us about these kinds of concerns. In some cases, they know they need help with email security, identity and access management, vulnerability management or even developing a SOC. Contacting a provider that offers a vCISO program is the first step toward a solution for all the concerns mentioned above. At Insight, we developed a virtual Chief Information Security Officer (vCISO) program to help organizations address modern challenges, bridge gaps, and develop and execute security strategies that work.
A vCISO is an individual with commensurate, executive-level experience who works on behalf of your organization to accomplish a wide range of security-related objectives, from strategic to tactical. The vCISO is supported by our team of security and information technology experts, whether the vCISO is working remotely or on-site. vCISO services are accessible to businesses of any size operating within any industry.
Use cases for the vCISO program
When might the vCISO program be appropriate to leverage? There are numerous instances where it can be a valuable component.
If there are issues with just keeping up with security-related needs and tasks
- Maybe you don't feel like you’ve got a handle on security throughout your organization. It’s quite common for an organization to have an adequately staffed security team that simply gets bogged down with alerts and day-to-day needs, leaving them too swamped to focus on cross-organizational initiatives, or to develop new skills or strategies that could really benefit the organization in the long run.
If a company has a CISO, but this person may not have expertise in specific areas that need to be addressed
- Many individuals who serve as CISO within their organization have a hard time getting up to speed on all the various aspects of what’s required. As a security professional myself, I fully understand the challenges. CISOs are typically individuals with many years of experience and plenty of credentials — but the nature of the security playing field is that priorities can shift quickly, new tactics emerge daily, and specific business or industry requirements can arise that may not be familiar based on previous experience. It can be hard to stay on top of everything in order to lead to your fullest capacity.
- In some cases, an existing CISO may have a very good background in strategic initiatives and governance, risk and compliance, but may not have the experience in the specific solutions areas and technologies that are available, or vice versa. A virtual CISO can come in and help augment and reinforce efforts to help drive a balanced message that’s needed to secure buy-in from executive leadership or board members. For those we work with, it brings peace of mind to know that the vCISO isn’t trying to take away anyone’s job, but rather help in whatever ways needed to make the CISO and security environment ultimately more effective.
If a security program is out of date, but internal resources are unsure how to modernize it
- Perhaps an organization simply needs a pulse check — is our security program sufficient based on the current threat landscape, changing business requirements, or other technical and regulatory requirements? In other cases, an organization may know that existing policies, processes, or tools are no longer relevant or adequate. A vCISO can be a part of the solution in helping to re-evaluate security strategies and tactics — and formulate an actionable plan.
If a security strategy has been confidently developed, but the CISO and/or other IT teams are unsure how to execute on it
- The value of a vCISO can be realized after a security strategy has been developed as well. If you have some sort of framework in place, or an idea of where you want security to go within the organization — you have business objectives and business goals — a vCISO can quickly align to that and accelerate the path to actualizing your vision. They may do this by recommending specific toolsets or services that could support you. Or, they may suggest ways to better leverage existing resources.
If a company doesn’t have an acting CISO, is anticipating a gap in coverage that needs to be filled or needs to support a changeover
- Turnover is common within the security field. In the CriticalStart survey, more than 80% of SOC professionals reported 50% churn at their facility. If staff have been let go, have left for other opportunities or are planning a leave, a vCISO can help provide some level of consistency and continuity within your security environment and management. We've even helped businesses place permanent CISOs, ensuring newly placed CISOs get acclimated quickly.
If a security program needs to be augmented or made to be more proactive and sustainable, but internal resources don’t have the time or knowledge to do this
- We’ve seen organizations that have backlogs of security to-dos. These can include important tasks, for instance, to ensure fewer audit failures or fines related to compliance issues. There are many potential reasons behind this type of situation, and all of them are valid. But it’s important to balance the operational with the transformational needs. What could be done to enhance the security program going forward? How could new implementations or strategies help us get out of the fire-drill cycle and become capable of performing regular threat hunting or other proactive activities? A vCISO can be instrumental in shifting from a defensive stance to an offensive one that sees beyond point solutions and daily emergencies.
If a specific security project needs to be taken on by an executive-level resource
- There are instances where new aspects of a security program need to be developed or executed, yet existing teams don’t have the tools or knowledge necessary to do so. For example, an organization may need to implement cloud governance or conditional access and multifactor authentication policies. These are specialized areas that not every security professional, no matter how resourced, certified or experienced, will have insight into. Or, if existing resources need to be refocused on immediate projects, a vCISO can ensure business continuity by leading and managing day-to-day security activities.
If a company is debating working with an MSSP for security but needs a resource throughout the transition/cutover
- Sometimes you’re not sure whether your organization should focus on staffing long-term security personnel or pivoting to a managed service model. In other cases, working with a Managed Security Services Provider (MSSP) may be the agreed goal, but the roadmap for getting there is less clear. A vCISO can support or help answer these types of questions based on their experience with a wide array of industries and businesses.
How does a vCISO work?
The first thing a virtual CISO will want to do when they engage with an organization is understand, "What is the business trying to do? Where does the business want to go? And what are the objectives and desired outcomes?"
Next, they’ll want to know, "Who are the key stakeholders and decision-makers? And what investments have been made thus far?" It will always be advantageous to leverage existing investments wherever possible, followed by appropriate adjustments to fill in gaps or alleviate problem areas.
The CISO of an organization should never be viewed as simply the person who says no to everything, or is working to try and stifle business. The role’s primary goal is to make operations secure without hindering that which makes the business productive. This is something we're trying to change within the industry, as are many of our technology partners who are developing solutions that support this perspective. Our team can help navigate decisions to optimize this combination of safety and seamlessness.
Do you need a vCISO?
You might be confident in answering this question on your own, but if you aren’t, a good starting point is gauging your initial reaction to the following questions:
- How comfortable do you feel about your organization's ability to handle an incident (from a messaging, customer, regulatory and technical standpoint)? In other words, if you knew that you were going to be in the news tomorrow (all lights on you, camera crews, the works), are you confident in your company’s ability to handle it?
- How confident are you in your team to manage the aftermath of a security incident?
If your answer is “not very” or “a little unsure,” then you’re in the majority of companies we speak with daily. We don't know what we don't know, but understanding there are likely gaps in the practical response from your security program and team is a start.
Our vCISO service follows a defined Cybersecurity Reference Framework based on the NIST CSF (Identify, Protect, Detect, Respond, Recover). At the foundational level, we help businesses focus on key “zero-trust” principles such as controlling identity, maintaining visibility and assuming breach. If you think you need help or support in any of these areas, a vCISO may be a crucial resource for your business.