Chief information security officers (CISOs) are very much in demand. Consequently, many organizations struggle to find the personnel they need to fill these vital positions. If they are lucky enough to find candidates, they often can't afford them. Yet they need a CISO more than ever due to the surge in ransomware attacks and data breaches.
Virtual chief information security officer (vCISO) services have emerged to fill the void. Various cybersecurity executive management firms, managed service providers (MSPs), and managed security service providers (MSSPs) now offer access to experienced and highly skilled cybersecurity executive resources.
In place of a full-time CISO, some organizations pay firms a subscription or retainer to gain expert cyber assistance in the form of a vCISO, said Alexandre Blanc, strategic and security advisor at managed security service provider VARS. They offer C-level assistance in devising and implementing strategies to prevent breaches, reduce risk and mitigate the consequences of attacks. They assess the cybersecurity risk profile and help the organization build a comprehensive program that encompasses compliance and cybersecurity. They ensure that organizations put basic security measures in place to reduce the risk of a cyberattack as well as adequate safeguards to protect sensitive information.
Technology Leadership Shortage
The vCISO service is part of a broader trend, said Greg Schulz, an analyst with StorageIO, an IT advisory firm in Stillwater, Minn. In addition to vCISO services, there are virtual chief information officer (vCIO) and virtual chief technology officer (vCTO) services that have recently entered the market. This all comes under the general banner of "technical leadership as a service." These services offer experienced experts that "hold" high-level positions virtually for as many hours a week as the organization requires.
Terms are flexible. Companies such as Fortium Partners, Ntiva and IT Support Guys offer vCISO, vCIO and other virtual C-level IT positions. But the breadth and depth of the services vary considerably from provider to provider. Some only go as far as strategic input or security advice. Others get involved in contract negotiation with IT vendors and help in the product selection process. The most comprehensive offer access to a part-time virtual executive. As well as being much cheaper than hiring full-time employees, many small and midsize businesses may not need a full-timer in the role.
Of all the virtual C-level positions, the vCISO market is probably the hottest due to the ongoing scramble for cybersecurity talent, Schulz said. Even fresh cybersecurity graduates can earn a six-figure sum. The higher up the organizational chart you go, the greater the experience, and the better the certifications and qualifications, the salaries will keep rising.
Some cybersecurity executive management firms and MSPs also offer access to highly skilled and experienced teams of security consultants. Those providers focusing on cybersecurity instead of general C-level IT talent include H2Cyber, Thrive and VARS. All provide C-level cybersecurity assistance in devising and implementing strategies to prevent breaches, reduce risk and mitigate the consequences of attacks.
"A vCISO allows organizations to navigate through the increasing number of cybersecurity regulations by building a comprehensive cybersecurity program accounting for compliance and security," said Paul Horn, founder and CEO of H2Cyber. "Regulators will be looking to make sure you have basic cybersecurity measures in place to reduce the risk of a cyberattack as well as having required safeguards in place to protect client and customer information."
Horn's cybersecurity executive management firm provides vCISO services as well as cybersecurity and risk management services. The company has its own consultants and provides clients with MSP-type services for cybersecurity compliance, antivirus and cybersecurity support.
"It is merely a matter of time before a regulatory body or threat actor comes upon your business," Horn said. "Threat actors are looking to exploit any lack of basic safeguards regardless of company size. Just because an organization is compliant doesn't mean they are secure. It is a game of risk management."
H2Cyber makes its money in C-level advice and expertise. It leaves the nuts and bolts of IT to other providers and MSPs, such as Barracuda for backup and Syxsense for patch management, in order to free up its highly trained personnel to focus on vCISO duties. As part of this, the company helps its customers research and evaluate different solutions and get them implemented by various MSP partners. Thus, H2Cyber operates a lean infrastructure consisting of cloud services via Microsoft Azure and Amazon Web Services. It augments a small data center with MSP services, leveraging white-labeled products where possible. Its focus remains on high-level cyber-risk consulting to serve its clientele.
Not everyone is as organized as H2Cyber when it comes to the division of labor. It harnesses other MSPs to relieve the burden of general IT tasks. But when newer MSPs dive into the potentially lucrative vCISO space, they might lack the expertise to deliver these services competently. Even those with skilled executives at hand become overloaded once they move beyond a couple of clients, said Roy Azoulay, co-founder and COO of vCISO provider Cynomi.
To solve that dilemma, vCISO platforms have been developed that seek to automate the hands-on aspect of the CISO position. These platforms are constantly conducting and updating risk assessments of the cybersecurity risk posture. Findings are used to draw up or revise risk mitigation plans. These plans must take into account every nuance of applicable regulations and standards to ensure compliance.
It is probably best, therefore, to favor those vCISO providers that take advantage of evolving vCISO platforms that enable them to scale their services. Platforms such as Cynomi have developed software that takes care of risk assessment and general planning automatically and harnesses artificial intelligence to take into account the many variables introduced by vulnerabilities, exploits, regulations, standards and overall risk.
"We are seeing demand in the vCISO space outstripping supply," Azoulay said. "The value proposition of vCISO platforms is that they enable MSPs to scale their service without needing to scale or upskill staff."
These AI-powered, automated vCISO platforms continuously assess cybersecurity posture, automatically generate tailored policies and remediation plans with actionable tasks, and manage their execution. Such platforms don't replace the expertise of a vCISO, Azoulay said. Instead, they take care of manually intensive tasks that generate overload wherever the MSP or MSSP attempts to scale up. They arm the vCISO with a wealth of assessment data and automatically provide suggested actions in definite sequences that align with regulations and compliance requirements. This enables any vCISO to not only serve far more clients but also serve them better.
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.