Why a virtual CISO for your medium-sized business makes sense

Published on 9th November 2016 Author: Ed Dante

Virtual CISOs protecting companies

You know you need better security for your organization. The security consultants you hired ran a penetration test on your website but did they look comprehensively at your organization’s security posture? Did they talk with your executive management about their business goals and risk tolerance for the organization?

Often in the security space there is a big gap between what businesses need and what security consultants can provide. So many medium-sized businesses look into hiring a Chief Information Security Officer or CISO. Unfortunately when the see the price tag they think about a new strategy. Here in the Boston, Massachusetts area, full-time CISOs median salary plus bonus for is over $200,000 a year. Then when you factor in benefits, a staff for your CISO and training / personnel development costs the price tag can be well outside of your organization’s budget.

That is where a virtual CISO can help to solve your security needs. A virtual CISO can quickly get up to speed on your business and the requirements to improve your organization’s security posture. Virtual CISOs can leverage the experience and training from the other organizations they protect.

There are a variety of ways a virtual CISO can plug into your organization. If you are hesitant to inject another voice into an already opinionated management team then you can start with a security assessment and evaluation. The virtual CISO will meet with the management team to learn the organization’s corporate objectives, security objectives, risk tolerance and goals. The virtual CISO will then work with the rest of the organization to understand the organization’s security posture and perform a comprehensive risk assessment and mitigation plan. The virtual CISO will then deliver a presentation to management focusing on the top security risks for your organization and recommended course of action for mitigating those risks. If approved the virtual CISO can work with your organization to implement the changes. Of if you prefer can step aside.

For those organizations who need a CISO to be present and driving change throughout the organization, a virtual CISO can be ideal. The virtual CISO can not only perform the assessment but manage your employees, vendors, create internal processes and essentially act as an employee. Additional the virtual CISO can represent your organization to the outside world meeting with customers and presenting on behalf of your organization. The choice is up to you and your organization’s needs.

The funny thing about a virtual CISO is that he/she doesn’t need to be virtual. Here at Fractional CISO the start of every engagement begins with in-person meetings with the management team and key security personnel. For those customers in the greater Boston area we meet regularly in-person. In some cases the virtual CISO might spend one or more days a week physically in the office with the rest of your organization. Of course with a video camera and high speed connection the virtual CISO can work effectively while being hundreds or thousands of miles away.

While you may be sold on hiring a virtual CISO, how do you know that they are in fact security experts? Here is where credentials can help. Having a CISSP or CISM doesn’t guarantee that someone is a good security expert but these certifications are hard to earn and require a significant amount of security knowledge. While there are many highly qualified security experts without a CISSP, here at Fractional CISO we insist that all Fractional CISOs have the CISSP certification. Additionally just like with any other role you are hiring checking references is an important aspect to ensuring you are getting a high quality service.

Interested in learning more about virtual CISOs? Give us a call at Fractional CISO.