According to Cisco's 2015 Annual Security Report, 91% of companies employ an executive with direct responsibility for security, but only 29% of them employ a chief information security officer (CISO). Businesses with CISOs on staff recorded the highest level of confidence in their overall security stance, especially in terms of optimization and clarity of policies, processes, and risk management strategy.
The report shows that sophisticated cybersecurity tools are only part of the equation: Enterprise Security is a complex area that requires management expertise across the wide range of systems and resources affected: companies cannot risk a trial and error approach to avoid breaches, manage incidents, or instill user and investor confidence.
The Big Decision
Many organizations, regardless of size, either cannot afford or have not adapted to the value of a CISO in the current cybersecurity landscape. Regardless of the reason, virtual CISO (vCISO) resources are available through Managed Security Services vendors to fill the gap and satisfy risk management requirements.
Typically, more than one factor enters into any organization's decision to employ a CISO on staff or contract vCISO services to cover their cybersecurity needs. But the approach to making this decision can be simplified by considering the purchase of a timeshare property as analogous to employing a staff CISO, and comparing its pros and cons alongside vCISO services.
Purchasing a timeshare is a way to own a vacation property that you can use but that you must share with others. Your usage is generally only once a year but also depends on the number and timing of other owners. The decision to purchase a timeshare is often an emotional and impulsive one, made without considering whether you will be able to use it when you need (or want) it most, and the potential impacts on other owners.
Whether to contract vCISO services is a decision based on your long-term (strategic) and short-term (tactical) needs. Once you have consulted with a Managed Security Services expert, who can help you identify risks, vulnerabilities, and regulatory requirements, as well as develop a proactive and well-planned cybersecurity program, this decision becomes far less intimidating and much easier to make. Plus, you will have brought continuity to your cybersecurity concerns by considering the needs of all systems and resources across your organization, each of which must all follow the same plan year to year.
You have the use of a very expensive property and you don't need to worry about year-round maintenance. The property has all the amenities and maintenance expertise you could ever need.
Since it can be quite difficult to find the right person in the current InfoSec job market, contract services relieve the pressure of recruiting the right person for your organization's needs. Additionally, such personnel can be prohibitively expensive. Using vCISO services spreads the cost, which is reviewed and controlled regularly during contract renewal, over time.
The cost of timeshare ownership includes annual fees, which provide more benefit to the property developers than to you personally. Additionally, you lack full control over rate increases, and once you purchase the property, you may not be able to unload it easily. And don't forget-you must consider insurance availability and cost.
Choosing a vCISO vendor carefully is paramount, since many may have limited availability, particularly on short notice. Getting used to working with a vCISO entails adjustments to internal processes, and the service will be less useful if onboarding is not well executed. Finally, insurance companies will generally not cover your organization if you don't implement basic cybersecurity measures; even if you have a CISO on staff, insurers will stipulate what needs to be implemented, and all measures must be documented.
The RedLegg vCISO Program
Acting as your trusted partner in security, RedLegg offers the vCISO Digital Strategic Security Program, which brings you more than a simple service or product: we help fulfill all of your cybersecurity needs, empowering you to grow your business and reach cybersecurity maturity as you strive to reach the next level.