Last Updated on May 17, 2021
To a harried CTO who is tasked with dealing with security issues at the expense of his cloud migration efforts, a vCISO to make some of that work/pain go away sounds like the answer to a prayer. But is the vCISO an expensive luxury that is likely not cost-justifiable? Or an absolute necessity for the long-term success of the business?
I have spent many hours on the phone with potential vCISO clients over the last four years, trying to help them make that often-challenging determination. As our portfolio of vCISO clients has grown, the litmus test for determining whether you need a vCISO (or a CISO for that matter) has become much simpler.
Do you need an agent of change to address an exponential growth in information security, information technology, and/or compliance requirements? One that can support/drive the required transformation from where you are to where you need to be?
If that level of change is not a necessity, then you likely do not need a vCISO. If that level of change is necessary, you probably will not be truly successful without one.
Much like the business systems, processes, and management that are suitable for a 20-person startup will not scale successfully to achieve the business requirements of a 600-person organization, the information security/privacy/compliance systems that work for a 20-person company will not scale successfully to meet the legal, contractual, and business requirements of a 600-person organization. Simply put, there is an exponential relationship between the number of client and contractual obligations that you are subject to and the complexity of managing information security and compliance (Complexity = X^(number of obligations)). A good vCISO provides the vision to define the required changes and the operational expertise to achieve them.
Looking at a small sampling of our current clients illustrates this transformative concept:
- National Membership Organization
  - Year 1 & 2: Moved from a traditional information security model to one capable of detecting and responding to a nation-state-level attack
  - Year 3: Transform information security from a distributed to a centralized program across all 50+ member organizations
- Year 1: Transform the information security program from ad hoc to ISO 27001 certifiable to support migration from a beta program to an information-security-attestable Minimum Viable Product (MVP)
- Year 2: Transform the information security program into an information security and privacy program and move to ISO 27001, HIPAA, ISO 27701 and SOC 2 attestations in support of migration to near-unicorn status
- Wealth Management Services
  - Year 1: Transform from an ad hoc “mom & pop” information security program that resulted in a data breach to a SOC 2 (or equivalent) attestable state, as mandated by the SEC regulators
  - Year 2 & 3: Transform the security and compliance program from an on-premises to a hybrid cloud model to position the company for a seven-figure acquisition
- Law Firm
  - Year 1: Transform from an ad hoc information security program to a mature information security program that supports the increased client contractual obligations that come with their growth in banking clients
  - Year 2: Transform the information security program to an ISO 27001 attestable state to meet client contractual obligations and achieve the firm’s business objectives
  - Year 3: Implement an ISO 27701 certifiable privacy program to address GDPR requirements in support of their European expansion
One interesting side note is that if transformation is necessary, it is also likely that having a CISO (virtual or otherwise) will be an expectation of key stakeholders (the board, senior management, clients, partners, vendors, regulators) when you get to where you need to be. With all of the clients above, we spend a significant amount of time interfacing with these stakeholders.
Hope this helps you decide whether you need a Virtual CISO.