For most of the 2000s, companies without an IT department seemed doomed to fail. Amazon is a prime example of what is possible with the internet and innovative leadership (pun intended). Times have changed. It now it seems like organizations are doomed for humiliation without a proper cybersecurity program and consequently a Chief Information Security Officer (CISO) for cybersecurity direction.
Organizations without a CISO overlook cybersecurity intricacies
CISOs are C-level executives who oversee an organization's cybersecurity planning. CISOs are by no means magicians who can stop all cyber-attacks but professionals with an extensive background in IT, Cybersecurity, and Business leadership. They are fundamental to any organization heavily reliant on IT as their purpose lies in ensuring all IT assets and critical data are adequately protected in a way that supports the company’s mission. There is tremendous value in having a CISO as organizations with a CISO are more likely to maintain physical, logical, and administrative controls to reduce their cyber risk.
Several high-profile breaches have made it apparent that organizations must step up their cybersecurity game. Yet, here was are in 2021 and cybersecurity still remains an enormous challenge for most organizations. It is estimated by the Electronic Council of Electronic Commerce Consultants that less than 50% of organizations have a CISO. Moreover, it takes almost 200 days to detect a breach and in severe cases like the Marriott breach- four years! Lurking behind the Marriott breach was really the acquisition of Starwood hotels, an organization that was lacking some fundamental cybersecurity controls. Marriott, unfortunately, took the backlash from privacy litigations, regulatory inquiries, shareholder wrath, and countless other consequences. This is all because they did not have any design plan for the unification of their IT with Starwood’s. Which, I suppose the thrill of expanding company assets could easily cloud the need to examine the cyber intricacies.
This brings up the issue that Marriott was the perfect storm of cybersecurity, organization merger, and business operation issues all batched into one. A quick CISO meeting would have unquestionably brought up conducting a thorough M&A risk assessment with Starwood before merging and thus, prevented the mass consumer data loss that also contained personally identifying records. It is estimated by Dark Reading, an industry recognized cybersecurity news source, that the average cost of a lost record during a breach is $171. Needless to say, CISOs are crucial to an organization's cybersecurity posture as well as risk management program and in many mature organizations their salary simply pays for itself as a CISO salary is much cheaper than paying for the reprimands after a breach.
vCISO/CISO as a Service/CISO on Demand --- Pros & Cons
Alright so if a CISO is key to an organization’s cyber posture, how can emerging organizations afford to have one on the payroll? Well, we present to you a Virtual CISO (vCISO). The role of a vCISO offers the typical high-level strategic consulting you would get with a CISO but at a fraction of the cost. Think of it as a CISO on-demand or CISO as a Service. vCISO services offer many of the standard cybersecurity planning a CISO would, but without the high price tag of an in-house professional.
Pros:
- Analyzes IT to identify current security posture and advises leadership on the cybersecurity weaknesses
- Drives Cybersecurity Roadmap and strategic oversight (establish governance, risk, and compliance programs)
- Can help you keep up with the pace of emerging technology and threats
- Can oversee cyber incident management from initial detection to resolution
- Demonstrates to prospective customers and investors that cybersecurity is taken seriously by your organization
- Often the only option for mid-market and emerging companies due to budget and other factors
Cons:
- Nothing truly replaces an in-house, fully dedicated cybersecurity professional
- vCISOs generally focus on high-level strategic tasks but lack the deep technical know-how for hands-on support
- May not have the experience required to meet expectations if not properly evaluated
- Pushback from in-house IT if CISO exposes great levels of risk and prioritizes efforts
- Still require additional 3rd parties to provide attestations and more technical services
- Sometimes known to rely on templates and a “one size fits all” approach for clients
Value of vCISO or CISO for Your Business
While a vCISO can be tremendously beneficial, it is important not to forget about the other functions required to build a truly effective, formalized cybersecurity program. Specifically, consider the Security Architect, Security Engineer, Security Analyst, and Security Program Manager roles. All bring strengths and capabilities required for an organization to have a truly proactive cybersecurity program but are not part of a traditional vCISO service.
Silent Sector recognized the benefits and shortcomings of the traditional virtual CISO model and developed a much-improved approach to better support mid-market and emerging organizations. We utilize a true defense-in-depth methodology, working seamlessly with your in-house IT professionals, empowering the organization from within. Not only does our team provide the benefits of a vCISO, we also bring the technical level hands-on support to alleviate the need for multiple 3rd party hires and accomplish finer tasks such as deploying endpoint solutions, building hardening images, configuring monitoring solutions, performing penetration testing, and other specific needs. This takes a tremendous burden off your internal IT professionals, allowing them to focus on core functions and advancing various initiatives.
At Silent Sector we believe cybersecurity does not have to be as difficult or confusing as it’s often made out to be. The security challenges companies face today are largely due to a lack of strategic AND technical-level professionals who can help an organization implement a formalized cybersecurity program. Interested in hearing how Silent Sector’s industry leading approach surpasses traditional vCISO services to better protect your organization? Contact us today!