“Implementing strong cybersecurity controls can seem like a gargantuan task for small and midsize businesses. Part-time chief information security officers (CISO) can help.
Some smaller businesses cobble together security programs by outsourcing the role and other technology services. They may work with one provider or many, but at the helm of these operations is a contractor CISO who engages part time to perform many of the same functions as a full-time professional.
This can include an initial assessment of a company's security program, improvement recommendations and continued reports to a business's board and top executives.
"It fills a gap," said Pat Cooley, chief executive of IT Productivity in Annapolis, Md., a provider of virtual CISO and IT services to small and midsize businesses.
Here are four considerations when contemplating a virtual, or fractional, CISO.
Many small businesses don't have enough work for a full-time CISO. Even if they did, hiring someone full-time can cost companies a few hundred thousand dollars to a few million a year.
By contrast, a CISO who works on a fractional basis is only a percentage of that labor cost, said Dave Burg, global head of cyber and data resilience at Kroll, a provider of financial and risk advisory solutions.
Businesses might expect to pay around $150 to $500 an hour for some engagements.
Some providers charge on a per-project basis, which can run in the low tens of thousands to hundreds of thousands of dollars, depending on the expertise of the individual, his or her employer and the project scope and length.
As security risks proliferate and attracting and paying for top-notch CISO talent becomes more difficult, the need for virtual services "will likely grow in importance and application," Burg said.
In many cases, these professionals aren't needed long-term. They may be just a stopgap measure to help a business get up to speed so a full-time employee such as a chief information officer can take over.
"A lot of cybersecurity now is driven through compliance requirements," said Jessica Nemmers, CISO for Flair Data Systems, a Plano, Texas-based company that provides virtual CISOs.
State and federal cyber and privacy laws, as well as industry-specific rules, can be confusing and onerous to meet. Nemmers, a former cyber chief in the financial and steel industries, sometimes consults with compliance departments on how to implement the controls necessary to satisfy legal requirements, and does other types of continuing work.
Many organizations realize they need guidance from a security professional, but they don't know what they don't know.
"A lot of it is going to be part of a discovery conversation with vendors to define a scope of work," said Paul Furtado, vice president analyst at Gartner, a tech research and consulting company.
Small businesses should develop a clearly defined scope of engagement with a virtual CISO provider.
"You never go into a construction project without having the boundaries of time and money," Furtado said. Also, be prudent. "Don't buy the Cadillac if the Chevy will do," he said.
Needs vary by business. It could be a straightforward risk assessment or monthly or quarterly reports, board or executive briefings and other types of security work, said Brian Haugli, CEO of SideChannel, a Worcester, Mass.-based provider of virtual CISO services.
For Flair Data Systems' Nemmers, some clients need services two to four hours a month, while others contract for several hours a week.
Furtado recommends interviewing at least three v-CISO providers to compare the precise services offered, cost, the number of people assigned to the project and their experience and background.
Companies might also request redacted versions of material the provider has prepared for other customers.
Businesses should look for potential partners with experience in their industry and similar-size organizations.
Background checks on the provider and its fractional CISOs are especially important, Kroll's Burg said.
Other countries sometimes supply gig workers to U.S. businesses, and it is crucial to make sure the people aren't security risks.
He recommends frequent videoconferencing with the virtual CISO to help ensure the person hired is the one delivering the work.
Many small and midsize businesses use managed services providers for general tech needs, and some of these companies also offer v-CISO services.
Often, it is better to separate these functions so the CISO can keep an eye on what the outsourced provider is doing, said Kevin Johnson, president of Bluestone Solutions, a provider of virtual CISO services based in Raleigh, N.C.
The downsides are similar to those of any gig-worker model, where company culture, fit and time management can come into play.
Burg compares it to a waiter moving back and forth among multiple tables in a restaurant. Does the virtual CISO have adequate time to devote?
Companies should insist on strong service-level agreements, including provisions for continued accessibility and procedures if a crisis hits, Burg said.
It is also important for companies to understand there is going to be a learning curve, and they must be willing to share the required information to help the v-CISO get up to speed, Nemmers said.
"Especially on day one, I don't completely know your business," he said.” [1]
1. Virtual Cyber Chiefs Fill Security Gaps. Cheryl Winokur Munk. Wall Street Journal, Eastern edition; New York, N.Y., 06 June 2025: B4.