Are you an Executive/IT leader/CIO with oversight for security? Do you find yourself resource constrained and reactive? Do you have any idea where your critical data lie? How about a strategy or roadmap or even simple policies, are those fleshed out? Do you wear too many hats in the organization to dedicate time for security? Do you have an analyst that is in way over his (her) head?
If you answered yes to any of the above, then you are also well aware that threats are increasing; risks are extending into your supply chain; security is becoming a board-room issue; and we are facing a massive shortage in talent and more importantly skills. If the sheer number of breaches do not cause you to reconsider your strategy, then the precedent for executives losing their jobs over mishandling of security incidents may do so. Your business outcomes and initiatives are impacted by your ability to manage risk.
You may disagree… you might not be a target; you might not have anything anyone wants; you might be too small and unable to justify the workload of a formal security program. Fair enough. Tell that to your regulators. Coming soon near you, state/industry/local regulations are forcing organizations to designate an accountable person to run a formal security program, manage and implement controls, and report the progress to senior management/BoDs. In many cases, this person has to have qualifications that prevent you from assigning this responsibility to your engineer, analyst or project manager. In short, you need a leader, a business liaison, an effective communicator, and an overseer. Whether you have the 200k+ that it takes to hire a qualified CISO full time or not, you are likely to find yourself in a position where it’s been 9 months since you advertised for the role, yet you haven’t found a fit, or perhaps you dropped the ball on NYCRR 500 (the cybersecurity regulation for FSI in NY) and have to react immediately. What do you tell your executives?
Enter the virtual CISO (sometimes called “CISO aaS”, “Interim CISO”, “Resident CISO”, “Part-time CISO”, “remote CISO”…).
For organizations that need to fill the leadership gap or comply with regulations, but are not in a position to bring in a full-time and costly qualified CISO, the virtual CISO — a combination of staff augmentation, consultant, advisor and strategist — could be an option that provides executive leadership qualities, security program deliverables and oversight, and that is also privy to your budgetary concerns. BUT… this option needs to be supported and provided with a business mandate. Organizations that look at a vCISO as a purely cost-saving and compliance measure will be happy to know that they will be accepting too much risk, which will derail their strategy. Similarly, this option IS NOT for everyone. Certain large environments (think IT/OT), complex initiatives (digital transformation) and the like require a full-time role, not an interim or stop-gap measure.
“OKAY, we will take two of those vCISO thingies… where do we find them?”
There are literally hundreds of consultants, service providers, and vendors that will claim to be a vCISO. This is a market with no barriers to entry, which has caused numerous entrants to saturate it with subpar work. Choosing the wrong vCISO and putting them in front of the business will impact your credibility and your ability to establish trust with senior management.
I have personally spoken to many dissatisfied clients who claim that their original expectations of such work (and cost) have not been met. In reviewing their contracts, you can easily see why. Organizations will need to develop a clear engagement model, with requirements, measurable goals, and proper due diligence results identified.
Gartner clients can address the need for a virtual CISO and navigate the market by addressing the recommendations raised in the two NEWLY published research notes below.
Don’t have a Gartner Subscription? Attend our biggest SECURITY SUMMIT in DC where there will be a dedicated session on the concept of a vCISO.