What Is A CISO?
With the surge of cyber attacks that have occurred in the past few months, companies are prioritizing their cybersecurity now more than ever. For businesses that have never had any guidance in this area of expertise, hiring a professional such as a CISO may be a good first step to take.
A CISO, or chief information security officer, is essentially a senior-level executive who is responsible for an organization’s information and data security. One of the ways they go about this is by establishing strategic plans and putting in place processes to reduce the threat of a cyber attack.
So how much do CISOs get paid? You might be thinking that hiring one does not come cheap, and you would be right about that. This year CISOs are expected to make about $509,000 on average, which is about a $36,000 increase from the previous year. Compensation such as bonuses or stock options has also jumped by over $150,000 from the past year.
For many businesses, employing a CISO is an investment worth making despite its cost. About 80% of large enterprises employ a CISO, and those without such a role have been reported to have an inadequate security strategy and low cybersecurity awareness among staff.
According to one study, having a CISO appointed reduced the cost of a data breach by $12 per employee on average. This is especially valuable considering cyber attacks will only continue to grow in the years to come. A CISO provides leadership, extensive knowledge of governance and compliance, and the ability to manage a company’s risk.
Why Are CISOs In Demand Now More Than Ever?
As previously mentioned, recent high-profile cyber attacks on major companies such as Kaseya, JBS, and Colonial Pipeline have played a major role in the increased demand for a cyber executive. Not only that, the world is moving towards a 4th Industrial Revolution, which means data security will only become more important as the years progress. This will especially be the case for the healthcare industry. Unfortunately, only 66% of healthcare organizations currently employ a CISO.
There is no doubt that the demand for CISOs will remain high, but that isn’t the problem here. The issue is that the supply cannot keep up with the demand for experienced security professionals. Those who do have the extensive technical skills and qualifications will most likely be snapped up by larger enterprises. Competition to hire experienced cyber executives, especially as a smaller business, is likely to be stiff.
Another roadblock is the large skills gap in the cyber industry. To put it into perspective, this year the expected open cybersecurity headcount will be enough to fill 50 NFL stadiums.
With such a huge skills disparity in the industry, it is no wonder that many CISO positions will continue to go unfilled. A primary reason CISO roles go unfilled is that in many cases companies need a mix of skills that goes beyond strategy alone. Oftentimes companies cannot afford to fill positions, especially at the cost of people at the CISO level, so they try to combine skill sets in one role that do not mesh together.
However, one solution that may benefit businesses is hiring a vCISO. This way you can have a CISO for a fraction of the time, when you need them to do the strategic work, and you can hire a technical, hands-on person to do that work full time. Why pay a CISO-level salary when you can have someone step in and do the job on a part-time basis?
Why Virtual CISOs May Be A Solution
A virtual CISO may be a happy medium for smaller businesses that do not have the budget or the workload for a full-time CISO, yet still want the security of having a professional protecting their company.
A vCISO is essentially an independent contractor who can quickly come in and give security guidance to a company. This means they arrive with an unbiased attitude and experience working across multiple industries.
There are a multitude of perks that come with having a virtual CISO. The most obvious benefit is that vCISOs cost much less than hiring an in-house CISO. vCISOs cost less because you are only paying them for the work you need them to do. Generally, you will only need someone to take a few days out of the week to keep your security strategy in place.
Another advantage that comes with having a virtual CISO is flexibility. A company can set hours for their vCISO that vary from project to project. This is completely scalable, which may be quite beneficial on days when there just is not much work to do. As demands increase and the enterprise grows, there may even be enough work for a full-time role.
Hiring a vCISO also means that you will have someone who has worked with multiple companies, meaning they will bring a diverse set of skills and experiences. A good vCISO will likely be quite knowledgeable about compliance and government regulations as well. Virtual CISOs will ensure that business continuity and recovery plans are in place, along with the documentation to support them.
It all comes down to what you need for your business. For many large enterprises that may mean having a full-time CISO employed, while most smaller companies will find that a vCISO fits more of their needs.
One downside of vCISOs is that, because they are working with so many different companies at once, they may not be able to put all their focus on a single client. This could lead to trouble if a breach occurs and urgent, timely communication is needed.
Here are some thoughts to consider if you are choosing between a CISO and a vCISO:
- Is there enough bandwidth available to hire a full CISO or will a vCISO suffice?
- Do you need immediate access to security expertise? If so, a vCISO can quickly step in and consult.
- Are you looking to meet security or compliance requirements?
What A Good CISO/vCISO Should Know
With a position as important as a CISO or vCISO it is critical that the right candidate is chosen. Here are a few key responsibilities that have been outlined by Stephen Katz, one of the first individuals to take on the role of a CISO back in 1994.
- Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
- Cyber Risk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
- Data loss and fraud prevention: Making sure internal staff doesn’t misuse or steal data
- Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
- Identity and access management: Ensuring that only authorized people have access to restricted data and systems
- Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks—regular system patches, for instance
- Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
- Governance: Making sure all of the above initiatives run smoothly and get the funding they need—and that corporate leadership understands their importance
Getting The Position Filled
At Tiro Security, our hiring process assessment follows a very specific model that we know works. We have recently filled a number of positions that had been open for some time, many of which our competitors were unable to fill. These positions were filled in a matter of weeks utilizing our 5-step hiring process.
If you are a business looking to get a CISO or vCISO position filled, contact us now to let us know about your requirements. You may partner with us through our assessment and rest easy knowing that you will fill your position. If you are a candidate, send over your resume and we’ll work with you to find your next dream move.