In an ideal world, every organisation would have a Chief Information Security Officer (CISO) who can influence how they approach cybersecurity and strengthen their defences against threats to the business. In reality, resources, risk appetite, and budgets often stand in the way.

Note that I didn’t mention company size as one of the obstacles: I know of many large organisations that don’t have a dedicated security leader. Many businesses, regardless of how big or small they are, have shied away from hiring for this role in the past because of the mistaken belief that cybersecurity is a technical issue and therefore falls under the remit of the IT team.

In my experience, this is the big shift in mindset that needs to happen: organisations need to stop thinking of cybersecurity as an IT problem and start treating it as a business risk.

For better or worse, the IT function in many organisations has been perceived as a one-stop shop for anything relating to technology: if something is broken, it’s their job to fix it. Cybersecurity is more complex than that. Yes, it calls for a leader who understands the organisation’s technical environment – and the specific risks to that. But that person also needs to be aware of the external challenges an organisation faces, be that from competitors, the business landscape, or regulatory requirements, as well as the threats facing the same industry.

Why Cybersecurity is not Just About IT

As the old industry adage says: cybersecurity is not a destination, it’s a journey. Organisations should be constantly revising their cybersecurity strategy to take account of new technologies, business challenges, markets, or regulations. The main business technology systems might only change every three or five years, but in cybersecurity the risk landscape is constantly evolving.

There are many excellent people working in IT, even in senior roles: however, that experience doesn’t necessarily prepare them for a security leadership position. They might be capable from an IT engineering perspective, but they might not understand the different security frameworks, the constantly evolving threat landscape, or the increasingly complex regulatory environment. Without this specialist understanding they may struggle to proactively communicate in a clear and concise way the cybersecurity risks and relevant initiatives to senior management or the board of directors.

That’s where the virtual CISO comes in. The role goes by other names, including CISO as a service or fractional security leader, but the concept is the same: instead of hiring a full-time security leader, an organisation works with an external, independent expert who provides strategic security advice and guidance on an as-needed basis, usually an agreed number of days per week or month. The organisation gets the benefit of a mature, experienced, knowledgeable cybersecurity professional without the overhead of hiring for a full-time role.

Another big advantage of working with a ‘virtual’ leader is their perspective. They’re likely to have been working in different industry sectors, in businesses of different sizes, and maybe in different jurisdictions. They’re not blinkered by having only been in the same company for 10 years where that’s the only environment they know. They bring this broad view to bear in your business.

When do you Need a Virtual CISO?

You don’t have to wait for a breach to happen to see the value of having a good security leader. In our experience at BH Consulting, most of our vCISO clients came to us proactively before any problems happened. The driver in many cases was to ensure they had the appropriate approach to cybersecurity for the risk profile of their organisation. In addition, many also recognised that the advent of regulations like GDPR, NIS2 and DORA shifted the responsibility for cybersecurity to the board and senior management. So clients come to us to help make sure they’re able to address and manage those.

In some cases, cyber insurance has also been the trigger to act. As part of the questionnaires insurers send before providing cover, they will often ask if the company has this role in place. Although the company’s technical controls for cybersecurity might be robust and follow industry good practice, the framework and governance around cybersecurity can be lacking – and that’s exactly what a security leader will bring.

How to Choose a Security Leader

Before choosing which provider to work with, I recommend asking them probing questions about the experience of the individual they’re proposing. What experience have they got working with organisations of a similar type? Can they provide evidence of being able to communicate clearly and effectively with all levels of the business? Have they got a good understanding, and proven experience, of the various cybersecurity frameworks such as ISO 27001, NIST, or CIS? How well do they understand the appropriate industry regulations from a cybersecurity perspective? Have they successfully managed responses to a cybersecurity breach?

Although there are very good consultants working for themselves, I believe it’s better to work with a company. Dealing with an individual means you’re dependent on one person – which is a risk in itself. A well-resourced provider, on the other hand, will have a team of vCISOs backed up by other cybersecurity experts.

Engaging with a company means that, through your virtual CISO, you have access to a pool of experts who might specialise in specific areas such as operational technology security or application security. So the advice your organisation gets is richer and more complete than if it was just coming from one person.

Also, individuals will need to take holidays, and may have sick days, or engagements with other clients so they may not always be available when you need them. Working with a company removes that risk: the lead consultant will specialise in key areas relevant to your business, but they will also have supportive colleagues who can provide cover when that person isn’t around.

What the Role Entails

The job of the virtual CISO is to manage the risk to the business, and that involves communicating those risks appropriately to the leadership so they can make informed decisions. The CISO’s presence reminds all key stakeholders that security risk is a shared responsibility across the business.

It’s a role that involves a lot of dialogue, especially at the beginning of an engagement. In our experience, one of the first jobs to be done is a cybersecurity posture assessment. This gives a sense of where the organisation is strong or highlights areas to improve.

Typical gaps that a vCISO might uncover are the lack of a comprehensive cybersecurity risk management framework, or specific policies around cybersecurity. That often goes hand in hand with a lack of understanding of what various regulations require.

Based on the review of the current state, and the risk assessment, the security leader can then align the existing security controls – be they technical or personnel – and put in place a roadmap to help the organisation mature its cybersecurity programme and give the board confidence they’re managing business risks appropriately in line with industry regulations or best-practice frameworks.

It’s important to set expectations: having a virtual CISO is no guarantee you won’t get hacked, just like buying car insurance won’t prevent you from being involved in a road accident. Let’s be realistic: there’s no such thing as 100% security. Instead, good security is about trying to manage the risk and reduce the likelihood of a breach or incident. A security leader, working well, will make sure there are policies, processes, procedures, people and technical solutions in place to minimise the impact if the worst should happen.

Brian Honan is Founder and CEO of BH Consulting
