{"id":8920,"date":"2020-07-15T07:20:36","date_gmt":"2020-07-15T07:20:36","guid":{"rendered":"https:\/\/www.experfy.com\/blog\/?p=8920"},"modified":"2023-11-28T15:17:05","modified_gmt":"2023-11-28T15:17:05","slug":"does-the-role-of-the-virtual-ciso-make-any-sense","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/does-the-role-of-the-virtual-ciso-make-any-sense\/","title":{"rendered":"Does the role of the \u201cVirtual CISO\u201c make any sense?"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

\n

Outsourcing something simply because you don\u2019t understand it is rarely a good start.<\/em><\/h3>\n<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Faced by constant reports of cyber-attacks in the media, most small and medium-size organisations have woken up to the\u00a0reality<\/a>\u00a0of cyber threats over the past few years.<\/p>\n\n\n\n

Many still don\u2019t really know what to do to protect themselves and turn to \u201cvirtual CISO\u201d<\/a>\u00a0services for assistance.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

While this is better than doing nothing or relying blindly on the security of cloud providers, those externalised, part-time services \u2013 often delivered remotely \u2013 are rarely the magic bullet they pretend to be\u2026<\/p>\n\n\n\n

And let\u2019s eliminate upfront any language ambiguity: The idea of a \u201cvirtual<\/em>\u201d solution to a\u00a0concrete<\/em>\u00a0problem created by\u00a0real<\/em>\u00a0threats is dangerous, and the \u201cvirtual CISO\u201d shortcut is definitely one the security industry should try to eliminate: Beyond marketing and hype, either you need a CISO or you don\u2019t, but their role \u2013 and their actions \u2013 cannot be \u201cvirtual\u201d to counteract real threats.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Moving on from those considerations, the concept of an externalised, part-time and partly remote CISO role is generally attractive to small and medium-size organisations for numerous reasons:<\/p>\n\n\n\n

First, rightly or wrongly, they often see cyber security as a complex technical matter and feel that they do not have the right skills in-house; at the same time, they also think they do not need a full-time security role given their size. Of course, both aspects of that statement are disputable: It is not rare to find IT analysts with cyber security as their hobby who could make perfectly suitable CISOs in small firms; and the scale of the role depends of the level of maturity of each firm, its regulatory obligations and its security ambitions.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Second, an externalised role is seen by many as a cheaper and more flexible, task-driven stepping stone for them to understand what the CISO job really entails and the value it can bring, before committing further.<\/p>\n\n\n\n

Finally, for some, externalising the position is also a way of ensuring a degree of independence with regards to internal politics.<\/p>\n\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Those last two aspects are defendable and may lead to positioning the role at a level where it really adds value. But organisations must also consider the following points to avoid taking a wrong direction:<\/p>\n\n\n\n

\u201cWe can\u2019t afford a full-time role\u201d is an excuse often heard around the appointment of a so-called \u201cvirtual CISO\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

But this is not just about what one organisation can \u201cafford\u201d: Anybody who has spent enough time in the security industry would know that money appears out of\u00a0nowhere<\/a>\u00a0at the first sight of an incident \u2013 or of an audit point in some firms\u2026<\/p>\n\n\n\n

And how can you determine how much to spend on security until you really understand what you need to do to protect yourself and meet your regulatory obligations?<\/p>\n\n\n\n

Outsourcing something simply because you don\u2019t understand it is rarely a good start.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

The decision around right-sizing and externalising \u2013 or not \u2013 the role of the CISO must primarily be about what one organisation wants and needs to achieve around cyber security, and the message it wants to send to its ecosystem on that matter.<\/p>\n\n\n\n

Having a CISO of some sort will always be better than not having one when it comes to demonstrating adherence to security values but relying on an externalised part-time service could send a weak confidence signal to customers, partners or potential investors.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Then it is worth considering the real nature of the role itself, even in small to medium-size organisations: It cannot be reduced to tasks and projects; \u201cSecurity by Design\u201d and \u201cPrivacy by Design\u201d principles are becoming the\u00a0norm<\/a>, and to work well, the role of the CISO must be embedded within operational processes.<\/p>\n\n\n\n

In small and medium firms, those processes are simpler than in larger structures and rely on people who simply know each other and work together.<\/p>\n\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Developing an inner knowledge of the organisation and its culture is always going to be key for the CISO in small firms, and it will definitely be harder to establish if the role is externalised and delivered on a part-time basis or remotely. At best, it could take a long time to deliver value; at worse, it could simply become useless.<\/p>\n\n\n\n

Finally, organisations deciding to take that route must also consider the portfolio of other clients their externalised CISO would be supporting. This is absolutely essential to avoid conflicts of interests \u2013 for example up and down the supply chain \u2013 and the risk of confidentiality breaches \u2013 for example towards competitors.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

Overall, beyond any cynical \u201cbox-checking\u201d and before jumping to ready-made conclusions, small and medium firms should consider the following questions to determine the type of CISO they need:<\/p>\n\n\n\n