With IT infrastructure becoming more complex and organizations requiring additional expertise to protect it from cyber risks, there has been an increase in demand for information security outsourcing services, among them virtual CISOs, or vCISOs.
This is especially true for companies going through digital transformation, for example the transition to automated processes in the cloud.
These organizations need people with specific, hard-to-find experience, but only for a limited time, to solve a specific global problem or to create a completely new IT and IT security strategy.
Raju Chekuri, CEO and Chairman at Netenrich, a digital IT and security operations company, explained that any organization just starting to build a security program could consider looking at a vCISO, as well as mid-market enterprises or SMBs that cannot afford an experienced CISO or may not have enough work to justify a full-time CISO.
“Having a vCISO is ideal for organizations that are small or cannot invest heavily in their own internal security staff,” he said. “Since security is a high-demand skill, vCISOs give organizations the ability to leverage expertise without having to pay the full-time salary.”
Andrey Evdokimov, head of information security at Kaspersky, said that when a company launches a new strategic project, plans an IPO or significantly reorganizes its IT infrastructure, it may need a person with special expertise and relevant experience who can ensure that all security processes are established.
“A temporary vCISO is also helpful for the evaluation and improvement of the business efficiency of the operating CISO and IT security teams, or as a provisional replacement for a resigned CISO,” he said.
Nevertheless, this type of collaboration can work successfully only for companies with mature cybersecurity and IT management and standard or formalized business processes.
“In other cases, it would be more time and cost efficient to implement a comprehensive IT security service, MSSP, or hire an in-house CISO, an employee who can review and understand poorly documented or nonstandard business processes, as well as develop and maintain information security processes that fit the specific company’s needs,” Evdokimov said.
However, Dirk Schrader, global vice president of security research at NNT, now part of Netwrix, warned that using a vCISO can sometimes be a risky exercise, where success is determined by the “mindset” of the hiring organization.
“If the organization searching for a vCISO thinks of it as ‘ticking the box’, the selected vCISO will likely encounter friction in obtaining the consensus and tools to be successful,” he said. “Moreover, if the selected vCISO can’t bring along her or his own set of resources (think of 24/7 operations) to do the job, the hiring company may find its investment wasted.”
That is to say, if there is no mindset, no tools and no resources, disaster is a fait accompli. That mindset must be accompanied by the vCISO’s knowledge and access to resources to establish and implement security policies.
From Schrader’s perspective, only the right mindset and willingness to invest in tools and resources needed at the vCISO’s side will lead to satisfactory results.
“At the end, a successful exercise is a combination of people, including the rest of the board, processes and tools that need to be orchestrated by the vCISO, to create a resilient cybersecurity environment that covers infrastructure, identity and data,” he said.
Chekuri pointed out that some of the internal resistance to outsourced personnel in “sensitive” roles has broken down, increasing organizations’ willingness to look outside for capable leadership they would previously have sought to hire in-house.
“Additionally, there is a crop of proven, experienced late-career cybersecurity leaders who are taking on work on a more flexible basis, so we are building a pool of available leaders willing to work non-traditional roles,” he added.
Evdokimov agreed that the CISO’s job also requires constant communication with colleagues, noting that an outsourced employee can face problems in building long-term trusted relationships with an in-house team.
“Another concern is that outsourced specialists may need more time to gain an adequate understanding of the company’s specific needs, which in some cases may lead to mishandling of IT security processes,” he said.
Despite the risks, Chekuri said he thinks market demand for vCISOs will increase, likely at a higher rate than cybersecurity spending generally.
“More organizations are in need of highly-experienced cybersecurity leadership, and the pipeline for new leaders is not growing as fast as the threats are,” he said.
That was a perspective shared by Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, who noted that the cybersecurity job shortage extends to security leaders as well.
“There aren’t enough qualified CISO candidates, and the competition to hire them is fierce,” he said. “The outlook for virtual CISOs is strong.”
Holland added hybrid and remote work have made consulting services like virtual CISOs more scalable, but noted in-person relationships still matter.
“A foundation built solely upon Zoom screens is less than ideal,” he said. “CISOs need to meet and engage with stakeholders and develop champions, and this is challenging to do virtually.”
Holland pointed out that vCISOs could also support existing CISOs by acting as their deputy and delivering on specific projects, or serve as interim CISOs while a company recruits for its permanent CISO role.
Virtual CISOs can serve as strategic consultants to the organization’s executive leadership, helping them navigate their threat model and compliance and regulatory requirements.
“The fractional nature of a virtual CISO can be an excellent first step as organizations are maturing their cybersecurity program, and the flexible nature of the role can reduce costs,” he said. “Companies can dip their toe in the water without having to go all the way into the deep end right off the bat.”