What is vCISO?
Updated: Jul 14, 2021
What is a vCISO?
A vCISO is a virtual chief information security officer who helps organisations like yours that have no existing cybersecurity staff or leadership.
A vCISO, or fractional CISO, helps small and medium enterprises get control of their cybersecurity risks.
A good vCISO brings both a tactical and a strategic edge to the companies that engage one.
It is about being able to communicate with the board of directors on a strategic level and tactically assist the organisation when it comes to areas such as regulatory compliance and risk assessments to provide continuous insight into the cyber risk faced by your organisation.
Most vCISO service offerings also give you access to a team of experts, providing your organisation with more security expertise than your budget would buy in full-time hires.
When and how to hire one
For larger enterprises, a virtual CISO can function as an advisor when the existing full-time CISO is busy with the day-to-day tasks of keeping the company secure.
More often, though, small and medium enterprises are the ones best placed to get the most value from a virtual/fractional CISO service.
The cybersecurity goals of a small or medium enterprise are different, as many such organisations have no security team, or only a small one.
Because experienced security leaders are in short supply, bringing on a full-time Chief Information Security Officer can cost a six-figure base salary.
Combined with the competition from larger organisations, it can be hard to recruit such a leader.
When a company is willing to approach this differently, it can procure a virtual or on-tap service from a service provider.
Doing so reduces cost and cuts the onboarding time to virtually zero.
This typically comes at a much lower price point of 30-40 per cent of the cost of a full-time CISO.
Many organisations offer such a vCISO as a service to SMEs like your organisation.
Cyber Security Expert on Tap is just one of many service providers, so it's key to find a provider that matches your organisation's objectives and requirements the best.
Do you need a vCISO?
A small and medium enterprise is as much of a target as a large enterprise. It can sometimes be more of a target as attackers realise it is easier to attack a smaller organisation and use it to gain access to larger organisations.
Businesses with fewer than 500 employees lose on average $2.5 million per attack.
Besides the immediate monetary impact, the longer-term reputational damage can lead to growth being impeded over a longer time.
The top 4 cyber security risks facing small businesses today in 2021
1. Phishing Attacks
Phishing continues to be the biggest and most damaging threat facing small businesses, with employees falling victim to increasingly credible-looking attacks.
With phishing used as the attack vector in 90% of attacks, it has led to $12 billion in losses to businesses. Phishing attacks occur when an attacker pretends to be a trusted contact and entices a user to click a malicious link, download a malicious file, or hand over sensitive information, account details or credentials.
2. Malware Attacks
Malware is second only to phishing in its impact on small and medium enterprises. It includes trojans and viruses, and covers attacks that gain access to your organisation's network or others', whether through malicious downloads, spam or infected devices.
These attacks are particularly damaging for small businesses because they can cripple devices, which requires expensive repairs or replacements to fix. They can also give attackers a back door to access data, putting customers and employees at risk. Small businesses are more likely to employ people who use their own devices for work, as it helps to save time and cost. This, however, increases their likelihood of suffering from a malware attack, as personal devices are much more likely to be at risk from malicious downloads.
3. Ransomware Attacks
Ransomware is the topic and threat of the day, impacting more and more organisations in security breach after breach. In the US alone in 2020, $350 million was paid out in ransomware demands, as many organisations realise their defences are not strong enough for the current threat landscape.
On top of that, cyber security insurance companies are getting stricter, with some insurers refusing to pay out claims related to ransomware.
Small businesses are especially at risk from these types of attack. In 2018, 71% of ransomware attacks targeted small businesses, with an average ransom demand of $116,000. Attackers know that smaller businesses are much more likely to pay a ransom, as their data is often not backed up, and they need to be up and running as soon as possible. The healthcare sector is particularly badly hit by this type of attack. Locking patient medical records and appointment times can damage a business to a point where it has no choice but to close unless a ransom has been paid.
4. Weak Passwords
Weak passwords such as Password123 or similar are still a threat. Many employees struggle to remember usernames and passwords for the many disparate systems an organisation can have.
Thankfully, the rise of single sign-on (SSO) and multi-factor authentication can drastically reduce these risks.
There are technical solutions to audit password strength and prevent password reuse, using Active Directory Group Policy (GPO) settings, password managers, and SSO and MFA solutions.
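As an added illustration of the password-policy audit mentioned above (example code written for this page, not taken from the original article or any provider), the following PowerShell script reads the default domain password policy and any fine-grained password policies from Active Directory and reports settings that fall below a baseline; the baseline values are assumptions for illustration, not figures from the article, and the script assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: audit AD password settings (default domain policy, set via the
# Default Domain Policy GPO, plus any fine-grained password policies / PSOs)
# against a minimum baseline. Baseline numbers are illustrative assumptions.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 14   # assumed baseline values, adjust to your standard
    PasswordHistoryCount = 24   # remembered passwords, prevents reuse
    LockoutThreshold     = 10   # failed logons before lockout
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,          # object from the Get-AD* cmdlets
        [Parameter(Mandatory)] [string] $Name
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) below $($Baseline.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) below $($Baseline.PasswordHistoryCount), reuse not prevented"
    }
    # A LockoutThreshold of 0 means accounts never lock out after failed logons
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold), expected 1..$($Baseline.LockoutThreshold)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is off, 'Password123'-style passwords are accepted"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled is on, passwords recoverable in clear"
    }
    [pscustomobject]@{
        Policy    = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Domain-wide policy first
$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy')

# Fine-grained policies override the default for the users and groups they target
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Policy $pso -Name "PSO: $($pso.Name) (precedence $($pso.Precedence))"
}

$results | Format-Table -AutoSize
```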
vCISO: A Complete Security Program
Below are some of the steps you should expect a competent vCISO to cover as part of an overall program.
Review Business Goals
Any vCISO service worth its salt will first review what your business does, what services it provides, and its short, medium, and long-term goals.
Once goals are established, the next step is to identify the tangible and intangible assets your business has.
Each of these assets then needs to be assessed for its importance to the business and for the impact a compromise of that asset would have. That assessment informs your security posture.
If your organisation doesn't have a security policy in place, the vCISO will help you write one, which forms the basis from which your information security management system grows.
Information Security Management System
With enough information collected to form a complete view, the next step is to create or update your organisation's ISMS. This forms the basis for your security policies, processes and procedures, and in the process helps you collect the evidence that regulatory requirements demand. The ISMS supports your ongoing risk management practices as you re-evaluate security threats, which continue to change over time.
Use Cases for a vCISO
The choice of a vCISO service versus a full-time CISO may still be unclear. So, allow me to provide a list of a few possible use cases for when a vCISO may be a great choice:
Bridging and Hiring a New Full-Time CISO – The departure of a business's existing CISO may come at a bad time for current security initiatives. A seasoned vCISO can step in, add value by reviewing the current cybersecurity strategy, and help recruit, select and transition to a full-time CISO.
Developing a Mature Cybersecurity Program for a Smaller Organisation – When a full-time CISO is too costly for an SMB, a vCISO can work part-time to provide enterprise-calibre expertise and craft a security program the organisation would otherwise not be capable of developing itself.
Creating a Compliance Program – Organisations with or without a current CISO may lack expertise on a specific compliance mandate and on how it translates into policy and process for securing protected information. A vCISO specialising in a given compliance regulation can help develop a strategy and execution plan that meets the specific mandates – think PCI DSS experts helping retail businesses or a HIPAA authority supporting a healthcare organisation.
Re-aligning Cyber Spend – Whatever the organisation was doing six months ago to protect against cyber risk is likely not as effective today. A vCISO can help organisations of every size by reviewing the current budget and how it's spent, and identifying ways to spend it more effectively and efficiently for a more secure posture.