Companies large and small are facing an overwhelming combination of increasing cyber security threats and an ever-increasing need to comply with a long list of laws, regulations and security standards. This problem is only compounded by a widening gap in the skills required to assess and manage the issues. Understanding how to lead the way in identifying and analysing security risks, creating strategic security plans, and ensuring compliance requires a certain level of expertise. Many businesses, especially small and medium businesses, simply do not have access to the right skills.
Horses for Courses
As reported in Cisco’s 2015 Annual Security Report, 91% of companies have an executive with direct responsibility for security. However, only 29% of them have a chief information security officer (CISO). Organisations with a CISO in place reported the highest levels of confidence in their security posture, in terms of optimisation and clarity.
Many companies are asking other executives to step in to fill the gap, but those executives often lack the expertise required to implement an effective information security policy and drive it forward. There may be areas in your business where you can afford to have managers in positions where they are learning through trial and error, but security is certainly not one of them.
“Small and medium sized enterprises may find it difficult to justify the cost of a full-time ISM or CISO,” says Simon Hunt, CISSP, Director of Security Consulting at SHC, “and finding the right person can also be a serious challenge.”
Enter the Virtual CISO
There are a number of reasons to consider engaging a Virtual CISO. You may be suffering from staff retention issues and need someone to hold the fort on an interim basis. You may need to implement an external standard such as ISO 27001 and need an experienced hand on the tiller. You may need someone to lead responses to information security audits or security questionnaires from larger customers. You may simply need someone to oversee your information security management system on a part-time basis. If you want to ensure that you only pay for what you actually need, then a Virtual CISO could be the answer.
Engaging a Virtual CISO can be much more cost-effective than hiring a full-time employee. They can fill in where you need it most, helping you to organise your security policies, procedures and standards and to deal with anything from PCI compliance to staying on top of vendor risk assessments. They will be up to date on best practice and will have experience dealing with a wide variety of scenarios.
For most smaller businesses it doesn’t make sense to invest in a full-time CISO when there is the option of engaging a Virtual CISO. It’s a flexible solution with a number of options. You could set up a retainer for a certain number of days per week, month or year, you could hire someone on a project basis, or you could even buy a pot of support days and call them off as you need them. And it’s totally scalable. If you later decide you do need a full-time CISO, you can even ask the Virtual CISO to help you create a tailored job spec and help interview candidates.
For more information about a Virtual CISO Service for your business, please call 0161 710 1007 or request a call back.