Virtual CISO: Solving cybersecurity growing pains?

Stuart Jubb, Director of Consulting at Crossword Cybersecurity, looks at how managing security in a growing company is changing.

This is a contributed article by Stuart Jubb, Director of Consulting at Crossword Cybersecurity

There comes a time in every company's life when events force management to take a new look at how they handle IT. In some cases, it is simply that they realise the current situation is holding them back, risks are being taken and mistakes made. For others, it will be their success, where it becomes necessary to have greater and more dedicated resource allocated to IT.

One of the key drivers for reaching that crossroads is certainly IT security - and usually on the back of a series of near misses or a confirmed attack of some kind, whether a virus, hack or data breach. The pain and reputational damage experienced after such an incident is lasting and something most companies want to move quickly to avoid happening again. A 2019 Ponemon Institute research report revealed that a data breach results in abnormal customer turnover of 3.9% on average. Indeed, the financial consequences of customer attrition comprise the majority (36%) of the total cost of a data breach. However, organisations with an incident response team minimise this cost by an average of $370,000. Having a senior-level leader, such as a Chief Information Security Officer, direct initiatives that improve customer trust helps retain customers, consequently reducing the cost of a breach.

The outsourcing itch

The problem is that building an IT team, and specifically a cybersecurity team, takes time, money and dedication. Great people with extensive industry experience are in short supply, top Chief Information Security Officers (CISOs) are expensive, and even if they can join your company it might be six months before they can start. Even once they are through the door, the process of assessing the cybersecurity posture of the company, planning and implementing changes, or indeed hiring and training staff, can take months.

For some, deciding to outsource all IT operations has helped overcome some of the key problems with building a team. However, it is not a realistic option for companies that are large enough and lucky enough to already have a good IT team, or for those that are growing but lack the ability to make the kind of financial investment needed for a dedicated CISO.

Outsourcing IT wholesale has its risks too. In the case of security, it simply becomes one of the many tasks an external team needs to get through in the limited time that they have, in much the same way as an internal IT team would struggle. Sure, they will check that all the essential firewall and other configurations are in place and maintain systems - but those are purely fundamental tasks. In the long run this is ineffective and can lead to a false sense of security.

It doesn't need to be all or nothing

For large and growing companies, a much more strategic approach is needed towards cybersecurity: one that encompasses current needs, the strategic direction of the company, and the evolving threat and technology landscape.

A different way to approach the challenge of gaining immediate access to an experienced CISO, one who can offer the support a company needs to rapidly improve its security posture, is hiring a virtual CISO. This is an individual with decades of industry experience whom a company can use to enhance and advise its internal IT team, without needing to find, wait for and pay an expensive CISO to join the company.

Some companies use virtual CISOs as an external risk auditing resource, whereas others will take advantage of their industry experience to assess technology for mitigating future threats and build an implementation roadmap that aligns with the future goals of the company.

For some, the idea of being tied to external outsourcing companies is an uncomfortable one, but the role of virtual CISO is really one of a trusted advisor. Whilst they can of course play an active role in the implementation of technology and running cybersecurity operations, their key benefit is their experience and strategic insight. For many companies this is used as a bridging mechanism: a way to deal with their immediate security needs, while using the virtual CISO's experience to build the internal team, processes and resources that will eventually replace them, even having the virtual CISO take part in the selection and interview process for their direct replacement.

A CISO worth considering

Whatever has led a company to the position where it knows it must up its cybersecurity game, speed and strategy are of the essence. The virtual CISO can be a role that enables both, without being a long-term investment. It can remove complexity and that 'rabbit in the headlights' feeling, buying a company time to make more considered and strategic decisions, whilst rapidly and cost-effectively solidifying its stance on cybersecurity. It's a different approach worthy of consideration when cybersecurity is forced to the top of the IT and boardroom agenda.

Stuart Jubb is Director of Consulting at Crossword Cybersecurity. He joined Crossword from KPMG, where he was Associate Director, Defence & Security. Prior to that, he was Chief Operating Officer of a global consulting team of over 200 in KPMG Advisory. Jubb spent nine years as an officer in HM Forces, after Sandhurst, serving in Afghanistan, with NATO and elsewhere.