In early October, hackers targeted American Water, one of the largest utility providers in the US. While the attack didn’t disrupt delivery, it followed similar attacks on water utilities in Arkansas, Indiana, and Texas.
The American Water incident came on the heels of other notable cybersecurity breaches this year. In March, AT&T revealed that the personal data of more than 70 million current and former customers had leaked to the dark web. In May, Ascension, one of the nation’s largest healthcare systems, suffered a ransomware attack that locked employees out of its critical systems for almost six weeks. In June, CDK Global, a leading SaaS vendor for auto dealerships, experienced a series of attacks that shut down customer operations across the country.
These are just a fraction of the thousands of attacks that occur every day.
All Eyes on Cybersecurity Leadership
The cost of cybersecurity breaches is also growing. According to the FBI, losses associated with cybercrime complaints hit $12.5 billion in 2023—up $2 billion year-over-year. These high-profile events and the accelerating pace of financial loss have placed a renewed emphasis on data security. However, achieving real protection requires the right leadership, something many organizations struggle to implement.
Having a full-time chief information security officer (CISO) on staff would be ideal, but that solution isn’t viable for every organization. Some assign CISO responsibilities to existing leaders, such as a chief technology officer (CTO) or chief information officer (CIO). Others turn them over to a compliance manager.
Unfortunately, organizations operating without CISOs often develop glaring holes in their security leadership, leaving them vulnerable to attack or hamstrung for further growth. In these scenarios, a virtual chief information security officer (vCISO) can provide cost-effective, strategic leadership to help organizations align cybersecurity with their long-term business goals and growth plans.
Five Reasons a Company Should Consider Hiring a vCISO
Hiring a vCISO isn’t the right choice for everyone. However, there are certain situations where the role will provide significant added value. Here are a few examples:
1. Strategic Leadership Without Full-Time Commitment
Many organizations need strategic security leadership but can’t fully utilize an in-house CISO. A typical vCISO contract will provide 10-20 hours of expert strategic security guidance each month, which is often enough to keep critical projects on track.
2. Limited In-House Security Expertise
Sometimes, an organization’s IT or compliance staff lacks specialized security knowledge. In these instances, a vCISO can provide the necessary expertise to complete both short-term projects and long-term strategic planning initiatives.
3. Regulatory Compliance Requirements
Some organizations may hire a vCISO to help them manage specific regulations, such as HIPAA, PCI compliance, or GDPR requirements. Some regulations require organizations to appoint a head of cybersecurity, and a vCISO could fill this role.
4. Balancing Security with Business Growth
For many organizations, there’s an ongoing tension between optimizing systems for performance and efficiency and ensuring everything remains secure. A vCISO will strategically balance these needs, identifying where security controls are crucial and where organizations can take calculated risks to support business growth. They’ll also have the experience to effectively communicate those decisions to a board of directors or leadership committee.
5. Creating Checks and Balances for Existing IT Efforts
In some cases, a vCISO provides checks and balances to executives who want an outside perspective on their existing security initiatives. These executives value feedback from experts who operate outside of the organization’s traditional reporting structure and can offer reassurance that the IT department has handled the company’s security needs.
Qualities of an Effective vCISO
vCISOs fill a critical organizational role, but as outsiders, they face challenges different from those of traditional CISOs. Consequently, a good vCISO must be a mature individual who knows they can’t come into an organization and expect to implement wholesale change. Instead, they need to understand where the organization is, where it needs to be, and how they can help it get there. With that in mind, here are a few qualities effective vCISOs share:
Broad Technology and Business Experience
A vCISO’s work will probably touch every aspect of an organization because every part of it is connected to security and compliance in one way or another. The best vCISOs understand how the different parts of an organization work together, along with their strengths, their struggles, and where they’re spread thin. This knowledge enables them to find the balance between efficiency and security that will keep an organization moving in the right direction.
Effective vCISOs also understand that security is a best effort. Doing the bare minimum isn’t an option, but neither is throwing an unlimited budget at the problem. A good vCISO walks this tightrope by learning about their organization’s risk tolerance and spending enough so that the odds are in their favor. Unfortunately, this work has no guarantees, so vCISOs must also communicate to leadership that there could be a security incident even if they’re doing everything right.
Strong Communication and Interpersonal Skills
A vCISO can’t meet these daunting challenges without solid communication and interpersonal skills. They’ll need to find their place within an organization while working as an outsider. They’ll also need to build alliances with key stakeholders and recognize competing priorities where they exist. This isn’t a role for someone who shies away from conflict. Instead, an effective vCISO needs to lean into difficulties because this is often where the most important work needs to be done.
Industry-Specific Expertise
An effective vCISO will also be aware of the organization’s position within its industry. They’ve done their homework and know how much competitors spend on their security programs and whether those competitors have experienced any security breaches. By comparing budgets, strategies, and results against key competitors, vCISOs can establish benchmarks that help them set objectives and judge progress.
Strategic Thinking
A great vCISO will also be a strategic thinker. They’ll understand the organization’s overall business plans and ensure the security program supports these objectives. These factors could include company growth, expansion into new markets and locations, or international compliance requirements.
Tips for Selecting the Right vCISO
Unfortunately, finding a great vCISO is difficult because almost every cybersecurity company offers that service. As a result, organizations often receive shallow reporting rather than the strategic leadership they need. Organizations that want to buck that trend should follow these tips during their search and selection process.
- Assess the Organization’s Specific Needs: Organizations operate in unique ecosystems with different regulatory requirements, operational needs, systems, and tech stacks. Outlining these needs at the beginning of a search will help organizations narrow their search field.
- Evaluate Candidates’ Qualifications and Experience: Organizations should look for vCISOs with at least 15 years of overall experience and as many years of experience as possible in a particular industry. Qualified candidates should demonstrate that they’ve continued their education and are up-to-date on modern technology, methods, and emerging threats. Organizations should also prioritize so-called “battle-tested” vCISOs who’ve managed a breach response at some point because this experience is much less common.
- Ask Tough Questions During the Selection Process: Organizations will never have more leverage than they do during the selection process. So, they should use that opportunity to ask tough questions, like, “Does the vCISO I would be assigned have specific experience in my industry?” Organizations can also share their needs with multiple cybersecurity companies and compare the responses they receive. Prioritize specific answers. If a company offers high-level responses, they’re probably not the right partner.
- Review Deliverables and Reporting Processes: During the selection process, organizations should clearly outline the vCISO’s deliverables and the process they’ll use for reporting progress. Without those elements in place, measuring success will be almost impossible.
Maximizing the Value of a vCISO Partnership
In an era of constantly evolving cybersecurity threats, where the stakes of a breach are astronomically high, organizations need strategic security leadership more than ever. A well-chosen vCISO can provide cost-effective and flexible guidance that will help organizations make smarter security decisions.
By carefully assessing their needs, thoroughly vetting candidates, and setting clear expectations, an organization can create a partnership with a vCISO that will strengthen its security efforts while aligning them with its broader business objectives.
With the right vCISO in place, an organization can turn cybersecurity from a necessary expense into a strategic advantage, positioning it for secure and sustainable growth.