By Justin Silbert, GCIH, GCFE, CISSP.
Just last week, the city of Atlanta became the latest publicized victim of cyber crime: a ransomware attack crippled the city for 5 days. As the Atlanta Mayor admitted, cyber security had not been made a priority, and the city suffered greatly because of it. And Atlanta is not alone. Cyber attacks continue to rise week after week. Ransomware, by itself, accounted for $1 billion in 2016, and estimates suggest up to $5 billion for 2017 due to the WannaCry and NotPetya attacks.
Regulators are also getting worried about the consequences of a growing cyber crime industry. In February, the SEC issued new, more restrictive guidelines on cybersecurity disclosure. States are taking action as New York, South Dakota, Oregon, Colorado, and North Carolina have enacted or are considering legislation. And GDPR, promulgated by the EU, takes effect in May 2018 for any company that processes EU citizen data.
These new requirements mandate accountable cyber security programs with a designated leader, such as a CISO, and they also look to Boards of Directors for accountability. But there are not enough qualified CISOs to meet the demand, which leaves a few options: compete in a bidding war for the available and qualified CISOs, take a chance on an unqualified CISO, or hire an on-demand CISO (sometimes referred to as a Virtual CISO, vCISO, CISO-on-Demand, or CISO-as-a-Service; technically these terms have slightly different meanings, which we will discuss in a subsequent post).
The advantages of a virtual CISO are numerous. For starters, most companies do not need a full-time CISO and would be wasting money paying the high salary. A virtual CISO can dedicate as many or as few hours as necessary to fulfill the requirements of the business. Second, a major limitation of a traditional CISO is the narrow experience he or she gains within a single organization. A virtual CISO has secured multiple organizations and worked through many similar challenges. This breadth of experience greatly reduces the time and effort needed to address common problems and mature a program. Third, hiring a CISO requires a large commitment from the business in terms of salary, benefits, and trust. If the business hires the wrong candidate, or the CISO leaves for a better offer, the program is set back and the business suffers. A vCISO reduces that commitment, giving the business greater flexibility. Last, and most important, hiring a virtual CISO provides the ability to add supporting security functions that would not be feasible otherwise. For example, fractional security architects, analysts, and policy specialists can also be procured on an ad-hoc basis. This ability to add capabilities instead of headcount decreases risk while saving money.
Due to the threat landscape, regulations, and the rising attention of Boards of Directors to cyber security, there is no doubt that a security program and a security leader are required. So the big question is, "what is the best option?" While each organization must answer this for itself, the virtual CISO is quickly becoming the most viable and cost-effective path.
LEO is a leader in providing CISO-as-a-Service. Contact us to discuss a virtual CISO at your company.