In early October, hackers targeted American Water, one of the largest utility providers in the US. While the attack didn’t disrupt delivery, it followed similar attacks on water utilities in Arkansas, Indiana, and Texas.
The American Water incident came on the heels of other notable cybersecurity breaches this year. In March, AT&T revealed that the personal data of more than 70 million current and former customers had leaked to the dark web. In May, Ascension, one of the nation’s largest healthcare systems, suffered a ransomware attack that locked employees out of its critical systems for almost six weeks. In June, CDK Global, a leading SaaS vendor for auto dealerships, experienced a series of attacks that shut down customer operations across the country.
These are just a fraction of the thousands of attacks that occur every day.
The cost of cybersecurity breaches is also growing. According to the FBI, losses associated with cybercrime complaints hit $12.5 billion in 2023—up $2 billion year-over-year. These high-profile events and the accelerating pace of financial loss have placed a renewed emphasis on data security. However, achieving real protection requires the right leadership, something many organizations struggle to implement.
Having a full-time chief information security officer (CISO) on staff would be ideal, but that solution isn’t viable for every organization. Some assign CISO responsibilities to existing leaders, such as a chief technology officer (CTO) or chief information officer (CIO). Others turn them over to a compliance manager.
Unfortunately, organizations operating without CISOs often develop glaring holes in their security leadership, leaving them vulnerable to attack or hamstrung for further growth. In these scenarios, a virtual chief information security officer (vCISO) can provide cost-effective, strategic leadership to help organizations align cybersecurity with their long-term business goals and growth plans.
Hiring a vCISO isn’t the right choice for everyone. However, there are certain situations where the role will provide significant added value. Here are a few examples:
Many organizations need strategic security leadership but can’t fully utilize an in-house CISO. A typical vCISO contract will provide 10-20 hours of expert strategic security guidance each month, which is often enough to keep critical projects on track.
Sometimes, an organization’s IT or compliance staff lacks specialized security knowledge. In these instances, a vCISO can provide the necessary expertise to complete both short-term projects and long-term strategic planning initiatives.
Some organizations may hire a vCISO to help them manage specific regulations, such as HIPAA, PCI compliance, or GDPR requirements. Some regulations require organizations to appoint a head of cybersecurity, and a vCISO could fill this role.
For many organizations, there’s an ongoing tension between optimizing systems for performance and efficiency while ensuring everything remains secure. A vCISO will strategically balance these needs, identifying where security controls are crucial and where organizations can take calculated risks to support business growth. They’ll also have the experience to effectively communicate those decisions to a board of directors or leadership committee.
In some cases, a vCISO provides checks and balances to executives who want an outside perspective on their existing security initiatives. These executives value feedback from experts who operate outside of the organization’s traditional reporting structure and can offer reassurance that the IT department has handled the company’s security needs.
vCISOs fill a critical organizational role, but as outsiders, they face challenges different from those of traditional CISOs. Consequently, a good vCISO must be a mature individual who knows they can’t come into an organization and expect to implement wholesale change. Instead, they need to understand where the organization is, where it needs to be, and how they can help it get there. With that in mind, here are a few qualities effective vCISOs share:
A vCISO’s work will probably touch every aspect of an organization because they are all connected to security and compliance in one way or another. The best vCISOs understand how different parts of an organization work together, along with their strengths, their struggles, and where they’re spread thin. This knowledge enables them to find the balance between efficiency and security that will keep an organization moving in the right direction.
Effective vCISOs also understand that security is a best-effort endeavor. Doing the bare minimum isn’t an option, but neither is throwing an unlimited budget at the problem. A good vCISO walks this tightrope by learning about their organization’s risk tolerance and spending enough so that the odds are in their favor. Unfortunately, this work has no guarantees, so vCISOs must also communicate to leadership that there could be a security incident even if they’re doing everything right.
A vCISO can’t meet these daunting challenges without solid communication and interpersonal skills. They’ll need to find their place within an organization while working as an outsider. They’ll also need to build alliances with key stakeholders and recognize competing priorities where they exist. This isn’t a role for someone who shies away from conflict. Instead, an effective vCISO needs to lean into difficulties because this is often where the most important work needs to be done.
An effective vCISO will also be aware of the organization’s position within its industry. They’ve done their homework and know how much their competitors spend on their security programs and whether they’ve experienced any security breaches. By comparing their budgets, strategies, and results against key competitors, vCISOs can create markers to help them set objectives and judge progress.
A great vCISO will also be a strategic thinker. They’ll understand the organization’s overall business plans and ensure the security program supports these objectives. These factors could include company growth, expansion into new markets and locations, or international compliance requirements.
Unfortunately, finding a great vCISO is difficult because almost every cybersecurity company offers that service. As a result, organizations often receive shallow reporting rather than the strategic leadership they need. Organizations that want to buck that trend should follow these tips during their search and selection process.
In an era of constantly evolving cybersecurity threats, where the stakes of a breach are astronomically high, organizations need strategic security leadership more than ever. A well-chosen vCISO can provide cost-effective and flexible guidance that will help organizations make smarter security decisions.
By carefully assessing their needs, thoroughly vetting candidates, and setting clear expectations, an organization can create a partnership with a vCISO that will strengthen its security efforts while aligning them with its broader business objectives.
With the right vCISO in place, an organization can turn cybersecurity from a necessary expense into a strategic advantage, positioning it for secure and sustainable growth.