Outsourcing something simply because you don’t understand it is rarely a good start.
Faced by constant reports of cyber-attacks in the media, most small and medium-size organisations have woken up to the reality of cyber threats over the past few years.
Many still don’t really know what to do to protect themselves and turn to “virtual CISO” services for assistance.
While this is better than doing nothing or relying blindly on the security of cloud providers, those externalised, part-time services – often delivered remotely – are rarely the magic bullet they pretend to be…
And let’s eliminate upfront any language ambiguity: The idea of a “virtual” solution to a concrete problem created by real threats is dangerous, and the “virtual CISO” shortcut is definitely one the security industry should try to eliminate: Beyond marketing and hype, either you need a CISO or you don’t, but their role – and their actions – cannot be “virtual” to counteract real threats.
Moving on from those considerations, the concept of an externalised, part-time and partly remote CISO role is generally attractive to small and medium-size organisations for numerous reasons:
First, rightly or wrongly, they often see cyber security as a complex technical matter and feel that they do not have the right skills in-house; at the same time, they also think they do not need a full-time security role given their size. Of course, both aspects of that statement are disputable: It is not rare to find IT analysts with cyber security as their hobby who could make perfectly suitable CISOs in small firms; and the scale of the role depends of the level of maturity of each firm, its regulatory obligations and its security ambitions.
Second, an externalised role is seen by many as a cheaper and more flexible, task-driven stepping stone for them to understand what the CISO job really entails and the value it can bring, before committing further.
Finally, for some, externalising the position is also a way of ensuring a degree of independence with regards to internal politics.
Those last two aspects are defendable and may lead to positioning the role at a level where it really adds value. But organisations must also consider the following points to avoid taking a wrong direction:
“We can’t afford a full-time role” is an excuse often heard around the appointment of a so-called “virtual CISO”
But this is not just about what one organisation can “afford”: Anybody who has spent enough time in the security industry would know that money appears out of nowhere at the first sight of an incident – or of an audit point in some firms…
And how can you determine how much to spend on security until you really understand what you need to do to protect yourself and meet your regulatory obligations?
Outsourcing something simply because you don’t understand it is rarely a good start.
The decision around right-sizing and externalising – or not – the role of the CISO must primarily be about what one organisation wants and needs to achieve around cyber security, and the message it wants to send to its ecosystem on that matter.
Having a CISO of some sort will always be better than not having one when it comes to demonstrating adherence to security values but relying on an externalised part-time service could send a weak confidence signal to customers, partners or potential investors.
Then it is worth considering the real nature of the role itself, even in small to medium-size organisations: It cannot be reduced to tasks and projects; “Security by Design” and “Privacy by Design” principles are becoming the norm, and to work well, the role of the CISO must be embedded within operational processes.
In small and medium firms, those processes are simpler than in larger structures and rely on people who simply know each other and work together.
Developing an inner knowledge of the organisation and its culture is always going to be key for the CISO in small firms, and it will definitely be harder to establish if the role is externalised and delivered on a part-time basis or remotely. At best, it could take a long time to deliver value; at worse, it could simply become useless.
Finally, organisations deciding to take that route must also consider the portfolio of other clients their externalised CISO would be supporting. This is absolutely essential to avoid conflicts of interests – for example up and down the supply chain – and the risk of confidentiality breaches – for example towards competitors.
Overall, beyond any cynical “box-checking” and before jumping to ready-made conclusions, small and medium firms should consider the following questions to determine the type of CISO they need:
- What’s their initial level of cybersecurity maturity?
- What’s their ambition in terms of maturity development?
- In which regulatory framework do they operate? And how is it likely to evolve over the short to mid-term?
- What is the level of cybersecurity maturity of the supply chain or the ecosystem around them?
- What are the levels of cybersecurity expectations of their customers, partners or investors?
It’s only by looking at their own cybersecurity context in that way that they will be able to right-size and position a CISO role which will work for them.
JC Gaillard