March 4, 2022

Last Updated on January 13, 2024

A recent episode of The Virtual CISO Podcast features host John Verry’s common-sense predictions on significant trends that will shape the cybersecurity industry in 2022.

John’s prediction #4 is that the use of fractional/virtual Chief Information Security Officers (vCISOs) will continue to increase. As John says, “it’s the only logical response” to multiple drivers already in play, all of which are also escalating.

3 top reasons why vCISO engagements are on the rise

John cites three major reasons why he thinks more organizations will engage vCISOs in 2022:

  1. The ongoing cyber staffing shortage continues to make it difficult, time-consuming and (prohibitively) expensive to find a full-time CISO—especially for SMBs. Plus, many SMBs don’t need a full-time CISO in the first place.
  2. Many SMBs are short on strategic guidance regarding cybersecurity and privacy. “I talk to executive management and IT directors at SMBs every day and they are significantly challenged to navigate cyber risk, deal with the evolving and overlapping regulatory requirements they’re seeing, deal with client expectations—it’s not what they do every day,” observes John. “They need guidance to ensure that they’re positioning their company to be effective not only near-term, but longer-term. And that’s really what the role of a CISO is.”

  3. There is increasing pressure on many firms, especially in financial services, to appoint or name a CISO, either to address stakeholder due diligence concerns or to comply with regulations (similar to the requirement in some privacy guidance for a “data privacy officer”). For example, New York’s 23 NYCRR 500 regulation requires banking, insurance and financial services companies with over 10 employees, $5 million in gross annual revenue and $10 million in year-end total assets to designate a CISO or vCISO. The similar Insurance Data Security Model Law (MDL-688) requires insurers nationally to appoint a CISO/vCISO. Likewise, Massachusetts 201 CMR 17 requires any company that stores data on Massachusetts citizens to designate a CISO/vCISO.

The bottom line is that engaging a qualified vCISO is a proven way for SMBs to get the information security expertise and direction they need to be successful, with less cost and risk than hiring a full-time CISO. Leveraging the expertise of a vCISO is also a great way to take the strain of handling diverse security demands off a CIO/CTO who has competing priorities and may not be a security expert.

Next Steps


Considering hiring a vCISO to help you develop and execute your security roadmap? Pivot Point Security can help. Get in touch to talk over our vCISO Services and Virtual Security Team options.
