The threat of cyber attacks keeps many US CEOs awake at night, but less than half of them have a CISO checking under their company’s bed for digital monsters.
Cyber attacks are listed as the country’s number 2 concern in the 2024 Conference Board CEO survey. However, only 45% of American companies have a chief security officer, according to Navisite’s 2021 survey, the most recent study on the issue.
Those numbers suggest that many businesses do not have a CISO. Let’s break down why so many companies don’t have one, how they manage cybersecurity without one, and nine key signs that a company really needs a CISO.
Why some firms go without a CISO
Size matters when it comes to hiring a CISO. Smaller companies may not need (or be able to realistically attract) a CISO.
“Imagine you are a company of 200 people with one uncomplicated line of business. Do you really need a full-time CISO? What will they do all day? It probably doesn’t make sense,” said Rob Black, CEO of Fractional CISO, a Boston-based company that provides virtual and fractional CISO services. “If it’s a widget maker with 200 people, is there a CISO who wants to work for that organization? CISOs are looking for an exciting career,” he added.
That said, even larger businesses are choosing to go without a CISO. “We go into companies of 1,000 people all the time without a CISO, and maybe even bigger,” Black said.
The cost of hiring and retaining a CISO is a major stumbling block for some organizations. Even promoting someone from within to a new CISO post can be expensive: the total compensation of a full-time CISO in the US now averages $565,000 per year, not including other costs that often come with filling the position.
“If it’s a bigger business, they’ll have to hire a team behind the (CISO). They’re going to need architects, they’re going to need SOC, they’re going to need engineers. So resource costs are increasing,” said Sistla Vaishnavi, UK-based principal at Riviera Partners, a San Francisco-headquartered search firm.
Navisite’s survey suggests companies face another obstacle to hiring a CISO: the chronic talent gap. “(The) cyber security skills shortage … extends to very high levels. Companies value and seek cybersecurity leadership, but it is increasingly difficult to find and retain these individuals,” Navisite’s research said. In short, the global hunger for cyber talent is discouraging many firms from embarking on a lengthy, expensive search for a CISO that may ultimately be unsuccessful.
Non-CISO cyber options
Who is in charge of cybersecurity in organizations without a CISO? Navisite’s research revealed that 60% of companies rely on other parts of their organization to manage cybersecurity, such as IT, senior leadership or compliance staff.
In most cases, it may be the CIO. A 2023 report by Cybersecurity Ventures suggests that CIOs are likely to manage cyber at companies without a CISO. Research estimates nearly 90% of organizations with a full-time CIO do not employ a full-time CISO.
Taking on cybersecurity in addition to their existing duties can be a tricky balancing act for some CIOs, says Cameron Smith, senior director of cybersecurity and data privacy at Info-Tech Research Group in London, Ontario.
“The CIO has many goals or objectives that are not related to security, and those sometimes conflict with each other. Security can often conflict with certain production goals. But both of these (roles) should be aimed at furthering the success of the organization,” said Smith.
While outsourcing cybersecurity to other people in your organization — the CIO, CTO, IT director or compliance manager — is faster and cheaper than hiring a CISO, Vaishnavi warns of potential pitfalls in this stopgap approach:
- A CIO or CTO may not have the cybersecurity certifications and expertise that a CISO can bring.
- CIOs and CTOs who add cybersecurity to their already full plates run the risk of “spreading themselves too thin”.
- Cybersecurity may not get its own seat of influence at the boardroom table.
No CISO at the boardroom table can be dangerous
In the event of a breach or hack, this lack of direct boardroom access can be catastrophic.
“You don’t want to go through multiple layers of instructions rather than going to someone who can give you a chance or not to make decisions to protect the business. The time to make decisions has been greatly reduced as well (with the CISO),” Vaishnavi said.
A virtual CISO (sometimes called a part-time CISO or CISO-as-a-service) is one option for companies that want to strengthen their cybersecurity without a full-time CISO. Black says this approach may make sense for companies trying to reduce the burden of an overburdened CIO or CTO, as well as firms that don’t have the size, budget, or complexity to justify a permanent CISO. Most virtual or fractional CISOs:
- Are experienced former CISOs.
- Work remotely or hybrid.
- Work for various clients part-time at the same time.
- Work on a temporary or renewable contract basis.
While some people define ‘virtual CISO’ as remote only and ‘fractional CISO’ as on-site, Black’s company, Fractional CISO, uses the terms interchangeably. Here’s how his company helps companies that don’t have a full-time chief security officer:
- Each client receives a virtual CISO and cybersecurity analyst.
- The fractional CISO handles board-facing tasks (creating a cybersecurity roadmap, communicating with senior leadership).
- The analyst conducts risk assessments and gap assessments, performs vendor reviews, and drafts security policy.
Costs can be significantly lower than those of a full-time CISO, even though each client gets access to both a part-time CISO and an analyst. “We have a great relationship with our customers, but the average customer that spends with us is a little over $100,000 a year,” said Black.
What if all those options aren’t enough? When do you really need a full-time CISO?
9 signs you need a CISO
You are in a heavily regulated industry
“Financial services, medical, healthcare, legal – those businesses will always need a CISO,” Vaishnavi said.
Black expands the ideal CISO scope further: “If you’re doing anything for the federal government or if you’re a public company, those (situations) all make sense.”
The tightening legal environment around corporate liability for cyber incidents is also prompting companies in unregulated industries to consider hiring CISOs.
“When GDPR was introduced in the EU and the UK, you could see a change or an increase in people talking about security in general. That kind of thing has a direct impact on employment,” said Vaishnavi.
You plan to go public
On its website, VC firm Andreessen Horowitz recommends that “all companies preparing for an IPO … appoint a CISO who can implement appropriate IT controls, risk assessments, compliance assessments, audit methods, and reporting functions in accordance with the Sarbanes-Oxley Act.”
You have had a cyber incident
“As part of your root cause analysis, you might decide ‘why are we here?’ That would tell you, yes, it’s time for the security role to be delegated,” Smith said.
“It might turn someone into a true believer,” Black added. “They have a breach or a bad incident and they say hey, that just costs us $10 million. We would be much better off spending a fraction of that every year (on the CISO).”
Your peers have been breached
“Some companies are looking ahead. Maybe they see a peer in their industry who is having problems and they say you know we don’t want to be them,” said Black.
You want to stay on top of emerging threat areas
“Why is having a CISO important to some organizations now? I mean, the bad guys make billions and billions of dollars through fraud, scams and attacks. Not reducing that risk seems unwise,” said Black.
Your company is growing
“As the scale goes up – the number of people you serve, the number of users, how much data you’ve got, how much revenue you’re getting back – all these things play a big role in the decision that you need to hire a CISO,” says Joe Head, founder of The Blueprint, a cybersecurity consulting firm in Henley-on-Thames, England.
Your board wants one
“We have seen (companies) where there is someone on the board who just says no, you have to (hire) now,” said Black.
Your customers and prospects want one
Not having a CISO can cost your company business with existing or potential customers who work in regulated industries, expect their partners or suppliers to have a strong security framework, or seek it out for certain high-profile projects.
“If you’re selling IT and a big business (customer) says ‘your security system isn’t good enough to keep up with this thing or do this thing,’ you know they’re obviously very concerned about security and you’re not doing that. I don’t have a strong (cybersecurity) plan,” Black said.
Your VC or private equity fund wants one
“If you’re dealing with financing and you’re in a place where you’re dealing with a lot of data or dealing with a lot of personal information, you usually have a CISO come in at that time. I would say series A or above is usually the time,” said Vaishnavi.
‘CISO’ is more than a title
Head has seen several companies hire a CISO based on a VC or PE fund recommendation. He argues, however, that the role should be seen as more than a technical manager hired to tick a box on a financial deal.
“A company should hire a CISO if it is willing to invest in security and take cyber security seriously,” he said.
“They should hire someone else when they understand that they are hiring another business leader. But if you’re hiring a CISO and you’re not giving them the responsibilities and complexity of that level of position, I would argue that you’re probably not ready for a CISO yet.”