To hire, or not to hire a CISO? That is the question. Or is it though?
Today’s cybersecurity threat landscape continuously evolves and intensifies. At the same time, businesses of all sizes are adopting increasingly complex technology architectures, increasing cyber risk even more.
In an environment like this, there are several strategic and tactical steps you can take to improve your security hygiene. However, the overarching question we constantly get asked is: do we need to hire a Chief Information Security Officer (CISO)? If so, do we need someone full-time at the CISO level? If not, what are our other options? And, if not full-time, then perhaps on a fractional basis?
These questions have been, and continue to be, points of debate for many organizations – especially unregulated, privately held businesses in the small to mid-sized (SMB) category that are nowhere near the revenue size of the “large enterprise” businesses.
While the CISO role has become more prominent in larger enterprises across corporate America, many small to midsize businesses are now conflicted with the decision of whether they should hire one.
According to Verizon’s 2019 Data Breach Investigations Report, 43% of cyberattacks target small businesses, and according to Navisite’s 2020 The State of Cybersecurity Leadership and Readiness report, 73% of small businesses did not have a dedicated CISO. So whether you hire a full-time or fractional CISO, the role has undeniable value to the business.
How hard is it to hire (and retain) a great full-time CISO?
In reality, not every business needs a full-time CISO. Recruiting a CISO is a significant investment of time, effort, and money. Finding one that is well aligned with your culture, short-term business needs, and long-term business goals is incredibly challenging, to say the least. Security leaders often command a high salary and can be incredibly hard to recruit.
Even after you’ve hired a CISO, tenures can be short. Research produced by ESG & ISSA in a 2017 report shows that the average tenure of a CISO is approximately 24 to 48 months. The reasons for this vary from a shortage of talent to meet the market demands – which drives up compensation expectations and new opportunities for cyber executives – to a lack of alignment to the business goals, to a toxic culture that does not value the CISO’s mission.
Introducing a CISO introduces a lot of change, so if company leaders (C-Suite, Board of Directors, etc.) are unwilling to buy in and support these changes, it’s only a matter of time before those CISOs get frustrated and decide to move on. The list goes on and on.
So, do we need a full-time CISO?
Well, to answer this question adequately, there are several factors you must consider:
- Revenue size and/or employee size of the company
- Privately held firm or publicly traded firm
- Highly regulated business with compliance standards
- History of security breaches or infringements
- Unknown operational risks in the business
- Complex threat environment
- The business has a focused change management and digital modernization strategy
- Current IT capabilities and lack of expertise dedicated to cybersecurity
If your business meets at least 65%-75% of the above criteria, you have a strong business case to consider bringing on a full-time CISO to establish and maintain the enterprise vision, strategy, and program to manage risk by making sure that information assets and technologies are adequately protected.
If we’re not prepared to hire a full-time CISO, what are our other options?
If your business does not meet the above criteria and chooses not to bring on a full-time CISO, you should strongly consider engaging a Virtual Chief Information Security Officer (vCISO).
A virtual or fractional CISO can help mature your cyber strategy and lead your mitigation efforts. As a trusted cyber advisor, a vCISO will provide your organization with expert on-demand cybersecurity expertise and advice, help you tackle your key cybersecurity initiatives, and set you up for long-term meaningful success.
Outcomes you can expect from this partnership are:
Cyber Strategy and Cyber Program Management: Strategic and tactical support for your cybersecurity program at your fingertips when you need it.
Cyber Compliance Support: Assistance navigating the technology compliance landscape (e.g.; NCUA, FFIEC, GDPR, SOC 2, SOX, CMMC, NIST, ISO, PCI DSS, etc.).
Conducting Cybersecurity Assessments: A comprehensive cybersecurity assessment can identify potential vulnerabilities and risks unique to your business and industry. The assessment should include a review of existing policies, procedures, and technologies and an evaluation of your security culture.
IT Audit & Risk Management: Helping you assess and build risk mitigation strategies for high-risk areas.
Third Party Risk Management: Strengthening your third-party risk posture through strategic maturity assessments, vendor risk analysis, or tool enablement.
Cybersecurity Tools and Technology Recommendations: Finding software solutions that help you close gaps in your security posture with value added advice and oversight.
Penetration Testing: Cyber-attack simulations using real-world and modern tactics, techniques, and procedures (TTPs).
Incident Response Planning & Security Awareness Training: Raise awareness, test decision making and improve organizational resilience to cyber-attacks by building muscle memory and preparation for the inevitable.
The Bottom Line
Cyber risks and complexity are growing and businesses of all sizes are at risk. Those without a full-time CISO can take steps to improve their cybersecurity posture by bringing in a vCISO to conduct a cybersecurity assessment, develop a cybersecurity strategy, implement appropriate cybersecurity technologies, provide employee training, and more.