As cybersecurity gets more attention in businesses and organisations, the need for a Chief Information Security Officer (CISO) has come into focus. In the past, many organisations tackled security piecemeal, as a series of point-in-time exercises, but some now realise they need a dedicated resource to manage their security on a consistent, ongoing basis.
Many organisations, for perfectly understandable reasons such as resources or budget, haven’t given this kind of priority to security before. They might have addressed one specific risk area, such as conducting a penetration test on a website and fixing the issues found. But the bigger threat to their business could be a badly configured wireless network that allows external access to unauthorised users. The problem is that any sort of testing is only relevant to the known threats at that point in time, while the threat landscape is constantly changing.
The whole picture
CISO as a service gives you a system-wide, whole picture approach. With a CISO, there is one person overlooking the entire organisation from a security perspective. They know all of the different areas that need addressing.
They ensure a coordinated approach to security with regular testing of systems for vulnerabilities, with follow-up and improvement. The value a CISO brings is the ability to oversee and coordinate all security controls. This ensures the organisation or business is protecting all potential weak points.
The challenge is that finding people with the necessary skills for the job is neither easy nor cheap. The role calls for a specialised set of skills which aren’t widely available in the market, and salaries can run into six figures for an experienced person. Some organisations see the value in having a dedicated full-time person in finance or IT roles, but not necessarily for cybersecurity.
CISO as a service – the independent approach
That’s where CISO as a service comes in. CISO as a service involves an external, independent expert who provides strategic security advice and guidance to organisations on an outsourced basis. As the title suggests, the ‘as a service’ approach means the customer buys a certain number of days per week or month, so it’s a lower cost than hiring a full-time employee – with the option of adding more time if the circumstances require it.
There are lots of advantages to sourcing security advisory expertise this way. Organisations and businesses get a valuable external, independent point of view on their security. It’s an outside voice with the expertise to ask the right questions. For example, an organisation might be looking at adopting a new service or an application to help them with running their business. A virtual CISO will want to know if that has been tested, and what security is in it. They can evaluate and advise on whether it could increase the organisation’s risk profile. They have the seniority to be involved in those meetings at the business level, and to be the voice of security.
Augmenting security skills
A CISO as a service allows businesses and organisations to add skills and expertise that aren’t in their internal team. These are also rare to find in any one person. The security provider will often fulfil the service using a combination of people in their team with specific skills. These skills include governance, risk and compliance, data protection, security testing, incident response, or awareness training. So in a way, they’re buying the expertise of the service provider, not just one individual.
Another advantage of working with an external provider is that they can call on the experience of working with multiple companies and organisations across a wide range of industry sectors. They bring broad, first-hand knowledge from the coalface of security. This avoids the narrow thinking that can sometimes happen when a person has worked in the same organisation for a long time.
The CISO as a service delivery model is highly flexible. In effect, it is a menu of services that organisations from SMEs to multinationals can tailor to suit their size, budget, and risk profile. A smaller company might want help to develop a cybersecurity strategy, some security assessments, and awareness training that might take ten days in total. A larger organisation might buy similar services (which take longer due to their size and scale), while also adding periodic cloud security assessments, security policy reviews, or more extensive workshop exercises such as breach management, which tests the customer’s incident response plan against different scenarios to check its robustness.
There are a couple of reasons why CISO as a service makes sense as a model for delivering security, and consequently why it’s starting to gain traction. One is the increased level of business risk around security issues: ransomware infections, data breaches and security incidents have now become so regular that no-one can afford to say ‘that could never happen here’. External pressure also plays a part. The arrival of GDPR in 2018 forced many organisations and businesses to re-evaluate the importance of the data they hold, and to put measures in place to protect it. (Data protection is not the same as security, but there are some natural crossovers.)
Another driver that’s giving greater prominence to security is supply chain risk. Some organisations are asking all of their vendors to show their security credentials by becoming certified to an independent standard like ISO 27001, for example. In other cases, visible signs of good security practice are essential in bidding for tenders.