Hiring a chief information security officer (CISO) may not be in the budget for small or midsize organizations as their total cash compensation can range between $208K to $337K. However, at the same time, these organizations recognize the growing importance of being more strategic and the necessity of having a leader responsible for program creation and guidance.
By Jeffrey Wheatman, Research VP, Gartner Research
The good news for such organizations is that Gartner has seen an uptick in what we are calling “virtual CISO” offerings. For organizations that need to fill the need for leadership but are not in a position to bring in a full-time, and often very costly qualified CISO, the virtual CISO (or vCISO) — a combination of staff augmentation, consultant, advisor, and strategist — might be an option.
Virtual CISO offerings are a hybrid of:
- Traditional staff augmentation, involving an on-site or virtual presence in meetings, events, operations, and strategy planning.
- Consultative engagement and management to drive creation and implementation of security and risk program artifacts, such as strategic and tactical roadmaps, architecture, and policy, and to run risk management and risk assessment processes.
- Project management of architecting and deploying security and risk solutions.
- Coaching or advisory services to train full-time staff on how to leverage created artifacts, develop communicating plans, and train the next generation of security and risk leaders.
That’s not to say there aren’t organizations that seek to defend their lack of a leader with some shortsighted rationalizations. It’s useful to take a look at four of the most common rationalizations to help show the reasons why smaller enterprises should seriously consider bringing in a virtual CISO role.
We are not regulated, so we don’t need a CISO.
Yes, but you’re not immune. Not being regulated may not obligate an organization to staff a CISO position; however, that doesn’t mean it doesn’t have risks to manage as part of achieving its business goals. Having a program leader, and the associated governance and strategic vision also provides defensibility.
Maybe, but you’re not an island either. The dramatic increase in broad ransomware attacks such as WannaCry and Petya/NotPetya means that nobody is immune from attack. Also, the increasing connectedness of digital business ecosystems expands and extends enterprise risks, so while your organization may not be a target, your partners may be.
We don’t have anything anybody would want.
Are you sure — absolutely sure? This outlook may be accurate if you have no customers, no employees, no intellectual property, no business processes, and no shareholders or stakeholders — but that would also mean that you don’t have a business.
We can’t afford to hire a CISO, so we’ll put the engineer (or architect or administrator or system administrator) in charge of security.
Beware — this is at best a band-aid fix. In theory, this tactical approach might work in the short term, but as a long-term approach, there will be an overemphasis on tools and tactics and not enough on people and process.
Engineers, architects, and administrators have specific skill sets and responsibilities for managing technical outcomes. In practice, you need a dedicated, focused role to guide the program and ensure, over time, a shift to a more strategic approach that can be communicated to business leaders with the appropriate level of business context.
A virtual CISO can help by sitting outside the tactical day-to-day activities. From there, they can provide vision and guidance to drive a more programmatic approach, which clarifies the scope of the program. This then begins the shift toward a more proactive approach to security and risk management.
WRITE FOR CISO MAG
Do you want to write for CISO MAG? Please read our guidelines here.
About the Author
Jeffrey Wheatman is a Research VP in Gartner Research. He regularly advises clients on a wide range of security and IT risk management issues, with a focus on strategy, team building, metrics, and reporting, communicating techniques, and risk management. As an experienced analyst within Gartner’s S&RM team, he works with senior security and risk management leaders to help them identify, assess and treat IT-related risks within their environments.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.