Why Mid-sized Companies Need a V-CISO

YO! BUSINESS LEADER…HAVE YOU EVER UTTERED THESE WORDS??? “OMG, I can’t wait to hire a Chief Information Security Officer (CISO)”  

— No, you haven’t!!! 

BUT YOU HAVE SAID SOMETHING LIKE “I hate cybersecurity” OR “A CISO is probably expensive, they talk in techie speak, and I don’t know that I need one!”

— Yep, and so has every other Mid-Market CEO 

Let’s pretend for a minute that you knew your company needed to do better with its cybersecurity, but you didn’t know where to start. 

START HERE: Get a fractional CISO (aka a vCISO – pronounced ‘vee-see-so’) — a cost-effective trusted advisor and steward of cybersecurity…and a great place to start!  Curious what a Virtual CISO can do for your mid-sized business?  

Earl Duby, Chief Information Security Officer (CISO) at Auxiom, explains the critical role a Virtual CISO plays in managing cybersecurity risks without the full-time price tag. 

Perfect for businesses not ready to commit to the high cost of in-house security leadership. 

Transcript:

Hello, my name is Earl Duby. I’m the CISO at Auxiom. I want to talk to you about the questions you have around virtual CISOs.

What is a virtual CISO? Why would you need one? And when is the best time to use a virtual CISO? Let’s back up a second. What is a CISO? A CISO is a Chief Information Security Officer, so someone who’s going to help you manage your technology risk. And the virtual piece of it means this is someone that’s going to help you manage that risk without actually being an employee of yours.

So you’re going to basically get a fraction of a CISO. And why is that important? Well, the main reason why that’s important is because a CISO in today’s market costs between $250,000 and $400,000 a year. Many small businesses can’t afford to have an employee on staff making that kind of money.

So what you’ll do is you will get someone for maybe 10 hours a week, or some fraction of time, who will help you manage your risk, look at your environment, know your environment, and be able to give you strategic advice, but doesn’t necessarily put that cost load on your balance sheet. So I’ve been working in this business for a long time, and there is one thing above all that you really need to account for when you want to take on a virtual CISO. So you’ve had the forethought to understand that you have technology risk.

You just don’t know what to do about it. And in today’s environment, who doesn’t have some confusion around technology risk, with all the breaches and ransomware and all the different things we hear about in the news every day? If you’re just trying to run your business, service your clients, and keep your factories running, trying to understand all the ins and outs of the latest ransomware strain is probably not top of your list. But someone in your organization should be on top of these things and giving you strategic advice about technologies to put in place or practices to change in your company to protect yourself better from these risks.

That’s where the CISO comes into play. So like I was saying, the number one thing that you should be looking for when you want to bring on a CISO is trust. You need to trust this person.

You need to make sure that you are going to get sound advice, that they are going to give you advice that’s pertinent to your company and not just come in with a bunch of boilerplate things to do that may or may not even be applicable to your organization. So you really need to vet who your CISO is, and I would say the number one way to do that is to look at their experience. Has this person been a CISO before? A lot of the people who are currently out there offering themselves as virtual CISOs have in fact been CISOs in large companies.

So they had the role on a full-time basis protecting large, complex organizations, and maybe they retired and they’re just looking to do semi-retirement type work, or maybe they just want to help small businesses out and left a large corporate job so that they could help a series of smaller companies. Those are the kind of people that you’re looking for. They’ve done it, they’ve been there; they’re not just somebody that went out and got a certificate and is now trying to offer themselves up as a virtual CISO.

You really want someone who’s been in the trenches, has dealt with the complexities, and can handle managing that risk. And the value in doing that is, one, when they give you advice, you know you can count on it, because time is money, and when someone gives you a piece of advice, you don’t want to have to spend weeks trying to figure out if they’re giving you good advice or not. You want to be able to just say, okay, that’s something we need to do, let’s put that into play.

The other piece of it is that it’s really much more cost-effective if you have someone that understands the technology that you have, isn’t trying to add unnecessary technology to that portfolio, and so is actually looking at everything you have and optimizing your technology so that you’re getting the best value for the money you’re spending. The other thing that a virtual CISO brings you is a very specific skill set. So if you’re a manufacturing company, there are people out there that have just been CISOs at manufacturing companies, and they can come in and quickly assess your environment and tell you where you can improve some things and upgrade where you need to.

Whereas if you’re a dentist’s office or a legal firm, there are people that have been CISOs in law firms that understand how to come in and quickly make those assessments. So you really want to look at who your CISO is and understand that they know what they’re talking about. The other thing that’s really important is just the flexibility that they have.

So some people are very rigid in the way that they approach security, and that sometimes works in large corporate environments where there’s a lot of structure in place, but when you get into small and mid-sized companies, you really have to be much more flexible about how you’re approaching your recommendations and how you’re approaching risk and risk management. The risk tolerances are different. So just do the due diligence, get comfortable with the person that you’re trying to hire as a virtual CISO, but make sure that you trust them and that they have the credentials to come in and actually give you sound advice.

So with that, if you have any other questions, reach out to me and I’m happy to have a conversation with you. Other than that, I’ll see you on the next episode, so stay safe out there. Thanks.