Do you need a CISO? It depends! However, you almost certainly need a cybersecurity leader.
From hockey to cybersecurity, no team is complete without a leader.
Several years ago, I was the broadcast tech director for a United States Hockey League (USHL) hockey team, the Chicago Steel. In 2017, that team won the junior hockey league’s championship – the Clark Cup.
Our head coach for the year, Dan Muse, was almost immediately picked up by the NHL’s Nashville Predators to be their assistant coach.
Coaches have a high level of ownership of a team’s performance, and their success is tied to the team’s success. They are held accountable for failure and well rewarded for success. Having a strong owner in charge of the team’s performance helps the team perform better.
The same is true in cybersecurity. The person who owns the program can be held responsible for its success or failure, so they are strongly motivated to put in the work needed to make it succeed.
The most commonly known security leader position is the Chief Information Security Officer, or CISO. This is a C-level senior executive who is in charge of all things cybersecurity at your organization.
There are other titles a security owner could have, and they may be more appropriate depending on the size of the organization. The title matters far less than having a security owner in the first place.
Do you have to have a CISO?
Your organization may or may not need a CISO, depending on its size. Large enterprises do need CISOs, while most small and midsize businesses can have someone else run their cybersecurity program.
This person may be an existing leader, such as a CTO, or outside help, such as a Virtual CISO. There are positives and negatives to each approach, which will be covered later in this article.
Whether or not your organization has a CISO, it does need someone who can lead the program.
A cybersecurity owner will help you meet your goals.
Many small and midsize organizations have some people working on cybersecurity (often IT) who have put some cybersecurity controls in place (such as multi-factor authentication). However, these cybersecurity practices are often scattered or ad hoc.
There is no program being managed by a leader who could prioritize tasks, line up resources, and guide implementation. While the organization will benefit from the security improvements being made in this fashion, resources aren’t being spent efficiently and large gaps are likely being overlooked. After all, in this situation it’s nobody’s job to look at security holistically.
By putting someone in charge of cybersecurity, they will be incentivized to set goals, plan to meet them, and spend resources efficiently to get the work done. They will be in charge of looking for gaps (or having someone else do it).
Having a security owner is becoming so important that vendor management teams are starting to ask about it, like they’ve been asking about SOC 2 and ISO 27001.
Compliance without an owner might not be enough.
The vendor management team of a large enterprise prospect receives and reads your SOC 2 report. They come back to you a few days later only to ask “Who is responsible for cybersecurity at your company?” They’re looking for a specific name and title.
After spending a considerable amount of time and resources to earn your SOC 2, precisely so that you could answer these same vendor management teams, this is a frustrating turn of events.
More frustrating is the fact that you don’t have a cybersecurity leader. You assembled a project team to help you earn and maintain your SOC 2, but nobody owns the cybersecurity program itself.
But these companies are asking for good reason – they believe that having someone who is properly responsible for the cybersecurity program leads to better security outcomes for them.
It would be wise to heed their demands, and put someone in charge.
How do I get a cybersecurity owner?
There are several different ways you can give someone ownership of cybersecurity at your organization. Which option you pick will likely depend on the size of your company and cybersecurity program. There is no one-size-fits-all solution in cybersecurity!
Hire a new owner, such as a CISO or Director of Security
The most obvious answer is to hire a full-time cybersecurity leader who can take ownership of the cybersecurity program, such as a CISO or Director of Security.
This ensures that there is someone who is wholly dedicated to and responsible for the success of the organization’s cybersecurity program. However, it is not without drawbacks.
Hiring a full-time cybersecurity leader can take months. Their salaries are high, and the average tenure of a CISO is only about two years.
For small to midsize organizations, the high cost of hiring and retaining a CISO for what will likely be a short term is off-putting. Sometimes the cybersecurity program doesn’t require full-time leadership either.
If a full-time CISO is not needed or prohibitively expensive, consider looking inward for a suitable leader.
Select an existing employee.
Since small-to-midsize companies may not need full-time cybersecurity leadership, the tasks could potentially be passed on to someone already at the company.
There may be an existing leader at your organization, such as a CTO, Director of IT, or IT Manager, who has the technical, leadership, and communication skills needed to take ownership of the cybersecurity program. They are often strong candidates for the role, who will do an excellent job of running the program.
The downside with this approach is that these people already have important full-time jobs. Running cybersecurity for a small or midsize organization might not be a full-time job, but these individuals don’t always have the bandwidth to take on the additional workload!
A similar approach that circumvents this particular problem is to promote from within. If you have a strong employee who is ready for a leadership role and interested in cybersecurity, you could give them ownership of the program. They will be able to grow with the program.
An alternative approach to meet part-time cybersecurity needs at a reduced cost is a Virtual CISO.
Hire a Virtual CISO
A Virtual CISO, or vCISO, can be added to the organization to provide cybersecurity leadership as-needed. A vCISO is a top-tier cybersecurity expert, someone who was likely a full-time CISO in the past, who can do all the same work a full-time CISO would but in a more flexible and efficient manner. Sometimes, this offering is referred to as CISO-as-a-Service.
There are many types of vCISO providers out there. Sometimes they are lone contractors or consultants, many Managed Service Providers (MSPs) offer a vCISO with their services, and there are even dedicated vCISO companies who solely provide these cybersecurity leadership services.
The cost to hire a vCISO provider can range from $20,000 to more than $200,000. The price will largely depend on the type of service you need from the vCISO and the size of your organization.
A vCISO is a good choice for organizations that don’t have the bandwidth, cash, or need for a full-time cybersecurity leader. They are great at relieving the part-time security workload from busy individuals who already have a full-time job, such as the CTO.
For organizations who have full-time cybersecurity needs, the full-time CISO is going to be a better fit.
No Championship Team is Complete without Its Coach
It’s impossible to imagine a hockey team taking the Stanley Cup or an NFL team winning the Super Bowl without an excellent coach.
No top-tier cybersecurity team or program is complete without its own great coach.
That coach may come in many forms and titles, but as long as they are dedicated to owning the cybersecurity program, they can lead the team to success!