Navigating the Challenges of Cybersecurity Leadership

The Pros and Cons of vCISO and CISO-as-a-Service
Image by Bing Images Creator

Introduction

Virtual CISO – vCISO and CISO-as-a-Service are emerging as popular options for organizations looking to strengthen their cybersecurity posture without hiring a full-time CISO. Sorry for the over-simplification but it would basically be a part-time Security Expert acting as a CISO. While these services offer certain benefits, they also come with potential drawbacks. In this article, we’ll explore the advantages and challenges of vCISO and CISO-as-a-Service and discuss how to find the right balance.

The Benefits of vCISO and CISO-as-a-Service

  1. Access to expertise: vCISO and CISO-as-a-Service can provide organizations with the cybersecurity expertise they might not have in-house. This can be especially valuable for smaller companies or those just starting their security journey. Please note that security professionals are a hot commodity, and organizations should ensure they are using resources with the right skills. For example, someone who configured firewalls might be considered a (Network) Security Expert, but will they be the right expert to define a long term Cybersecurity strategy?
  2. Temporary solution: vCISO and CISO-as-a-Service can serve as a temporary measure to fill the gap in cybersecurity leadership, especially when organizations face difficulties in hiring a full-time CISO or during transitional periods.
  3. Flexibility: vCISO and CISO-as-a-Service offer flexibility for organizations experiencing transition or growth. These services can be scaled up or down according to the organization’s needs, providing a tailored solution to their cybersecurity challenges.

The Limitations of vCISO and CISO-as-a-Service

  1. Accountability: While vCISOs and CISO-as-a-Service providers hold a “C” in their title, they may not have the same level of accountability as a full-time, in-house CISO. Organizations looking to meet ESG (Environmental, Social, and Governance) requirements may need a more accountable figure in the role. In other words, did you ever see a vCFO or a CFO-as-a-Service?
  2. Integration, Authority, and Long-term Strategy: vCISOs and CISO-as-a-Service providers may not have the same level of authority within an organization, potentially limiting their ability to effectively integrate with various departments and functions. Moreover, due to the limited length of their contract and insufficient knowledge of the company (technology, processes, people, and culture), they may struggle to plan and implement a comprehensive, long-term security strategy, leading to a focus on quick wins instead.
  3. Conflict of Interest: If a vCISO or CISO-as-a-Service provider is affiliated with a company that sells or provides cybersecurity services, there may be a conflict of interest. This can result in a lack of neutrality, which could affect their advice and recommendations and even questionable decision-making. Especially because they are not accountable (see point 1, jointly with this point it is a potential recipe for disaster). However affiliation it is not necessary a bad thing as it would allow to involve specific vertical competencies of other Subject Matter Experts when necessary.
  4. Incident Management: A CISO is expected to be involved in the management of cyber incidents. A vCISO, being part-time, might struggle to handle multiple major incidents simultaneously for different clients, potentially prioritizing the one that pays better or has a longer contract remaining.

Finding the Right Balance

While vCISO and CISO-as-a-Service can be valuable solutions for organizations in transition, small businesses part of bigger groups with real CISOs (in this case I also saw a case of an internal CISO-as-a-Service, and this appears to be a great idea) and scaleup companies, it’s essential to consider potential limitations and conflicts of interest. Ideally, organizations should work towards cultivating internal talent to eventually assume the CISO role.
In cases where a trusted internal candidate is not yet ready or a CISO has recently resigned, vCISO and CISO-as-a-Service can be effective interim solutions to put paper over the cracks. However, it’s essential to ensure that the chosen provider is competent, neutral, dedicated to the organization’s best interests, and ideally has knowledge of the industry. Moreover, organizations should make sure that someone internally is identified (e.g., COO or CIO) to be accountable.

Conclusion

I may be biased since I was an advisor for a long period of my career, but these services are not that different from the “old approach,” which is still an alternative: using strategic consultancies and in-house IT and/or system integrators to complete projects. What matters is recognizing the importance of security, regardless of whether the person helping them is called a CISO-on-demand or a security advisor.

vCISO and CISO-as-a-Service can provide much-needed cybersecurity expertise, especially for small businesses and scaleup companies.

When considering the use of vCISO and CISO-as-a-Service, it is essential for organizations to carefully assess the benefits and limitations of these options. By taking into account factors such as access to expertise, competencies (and not just title and certifications), flexibility, accountability, integration, authority, long-term strategy, conflict of interest and involvement in case of incidents, businesses can make informed decisions about whether these services are the right fit for their cybersecurity strategy.

Ultimately, fostering internal talent and working towards a full-time CISO role may be the best long-term solution. Small businesses and organizations in transition can benefit from the expertise and flexibility offered by vCISO and CISO-as-a-Service but must have a holistic approach in selecting a provider who can effectively address their unique cybersecurity challenges and should continuously reevaluate their cybersecurity needs and ensure that their chosen option remains effective .