A CISO in the Workplace, Part 2: Renting a CISO
While many businesses maintain some sort of executive position responsible for the organization’s IT security, less than a third of companies have a chief information security officer (CISO). Most of the remaining two thirds are small to mid-level organizations that may not have the experience or funding to employ a full-time CISO. However, the benefits to security confidence, awareness, and morale, outlined in “A CISO in the Workplace (Part1)," cannot be overstated. Fortunately, for businesses that are not in a position to hire a CISO, there’s an alternative.
A virtual CISO, or “vCISO,” has all the right skills, but doesn’t require benefits, monthly overhead, or long-term pay commitment. vCISOs typically work on retainer or a per-project basis. In some cases, work hours may be bought in bulk and used when necessary. Essentially, a vCISO fills in where he is needed most. For the financially-minded small business, this can mean the difference between preventing an incident and cleaning up after it.
A qualified CISO is up to date on industry best practices, and a vCISO is no different. What’s more, these individuals have training and expertise in all facets of IT security and risk management — everything from regulatory compliance to risk, threat and vulnerabilities assessments, to user security awareness training. By offering SMBs executive-level advisory services and consulting at a third of the going rate for a full-time CISO, vCISOs remove one of the biggest barriers to implementing mature security practices, policies and procedures.