The longstanding view that cybersecurity is a business cost and a constraint on innovation, agility, and growth is being flipped on its head. Led by startups and SMBs alongside cyber-mature enterprises, today’s leaders are leveraging demonstrably robust cybersecurity and privacy programs to win new customers, build stakeholder trust, and reduce innovation risk.
As cybersecurity aligns with business goals and strategy, the Chief Information Security Officer (CISO) or virtual CISO (vCISO) focus is rapidly shifting from technology and operations to board-level communication and influence.
Why is the CISO/vCISO role becoming more strategically relevant than ever before? This article surveys the evolving CISO/vCISO emphasis and explains how SMBs, startups and other organizations can benefit from a cyber-aware C-suite supported by a business-savvy vCISO.
Top takeaways
- C-suite concerns about escalating cyber risk put the CISO/vCISO at the center of strategic business decision-making, with a growing focus on business continuity and risk management.
- A CISO/vCISO’s ability to engage with traditional business leaders like the CEO, CFO, and COO is now vital to cybersecurity program success.
- A strategically oriented CISO/vCISO can help make cybersecurity a business enabler, not just a cost.
- To find the right vCISO you need to understand both your tactical/technical and strategic requirements.
How has the CISO/vCISO role been changing?
In today’s business landscape, escalating cyber threats and associated risks have become a top boardroom concern. This trend is shifting the core focus of the SMB CISO/vCISO in two important ways:
- Historically focused on tactical concerns around technology and operations, CISOs/vCISOs are now charged with empowering organizational resilience and sustaining business continuity.
- To build a cybersecurity posture that can support these initiatives, CISOs/vCISOs are increasingly centered on integrating cybersecurity into strategic business goals.
These days, security starts with strategy. If your company doesn’t have a cybersecurity strategy that fits with its strategic business vision, on what basis can you make technology investments, resource allocations, and other cybersecurity decisions?
No longer just an IT function but now a critical C-level priority, cybersecurity is becoming interlaced with big-picture plans and budgets aimed at maximizing the organization’s long-term ability to manage risk and maintain business continuity.
In this context, the CISO/vCISO must successfully frame cybersecurity priorities and technical concepts in the language of business priorities. Developing a cyber-aware mindset among senior management should be at the top of every CISO/vCISO’s agenda.
According to Deloitte’s latest Global Future of Cyber Survey, one-third of respondents report a notable increase in CISO/vCISO input into strategic technology areas like digital transformation, supply chain, and cloud. Similarly, about 20% of CISOs currently report to the CEO, highlighting a trend toward greater visibility and C-suite influence.
How can a CISO/vCISO help make cybersecurity a business enabler for SMBs?
Technology startups, SaaS providers, and other SMBs face unique challenges in establishing and demonstrating robust cybersecurity. Many of these smaller, newer innovators want to do business with big firms that are subject to strict external and internal regulations. In the face of sharp pre-sales cybersecurity questions, it’s all but impossible to make a sale without a compelling cybersecurity story.
But with guidance and influence from a strategically alert CISO/vCISO, SMBs can “get security right”—making it a powerful enabler for acquiring marquee customers and enticing investors while building stakeholder trust and loyalty. Crafting the right “security positioning” can put an evolving cybersecurity posture in the best light when facing questions from major prospects.
With customer trust at the foundation of business growth and success, SMBs that can transparently prove their ability to protect sensitive data will step right over competitors whose cybersecurity story doesn’t have that happy ending. Prioritizing and building C-suite support for cybersecurity is an essential early step toward this outcome.
Besides priming sales, a robust cybersecurity program can also enable the business by:
- Managing the cyber risks associated with digital transformation.
- Supporting richer collaboration and data interchange with customers and partners while limiting associated cyber risk.
- Reducing potential downtime from cyber incidents to maintain productivity and eliminate associated revenue and reputational impacts.
Do we need a CISO or a vCISO?
As cyber-conscious organizations increasingly seek to integrate cybersecurity risk management, best practices, and trust-building tactics into their digital cultures, the CISO/vCISO role takes center stage.
But how do today’s CISO and vCISO compare? Is a full-time CISO essential? Or can vCISO services do the job as well or better with less cost and risk?
Notwithstanding full-time availability, qualifications for a CISO or vCISO are effectively the same. Importantly, these are executive advisory roles, not “technical guru” roles, although many CISOs/vCISOs have strong technical backgrounds. Candidates should be conversant in key areas like cloud security, security operations, cyber threat intelligence, incident response, identity management, AI risk, GRC, privacy, and risk assessment. When deeper technical expertise is needed, vCISOs ideally can call on a virtual team of security engineers and other specialists, which is a leading benefit of the model.
Familiarity with your industry and its regulatory and technology landscapes is also important. For example, a manufacturing firm should look for a CISO/vCISO who has experience with operational technology (OT) and Internet of Things (IoT) cybersecurity issues. A healthcare business should seek a CISO/vCISO who is familiar with HIPAA compliance and the HITRUST controls framework.
Is a cost-effective, scalable vCISO service right for your business? Some of the indicators include:
- Insufficient budget to hire a full-time CISO.
- A smaller and/or less complex cybersecurity program that does not require full-time strategic guidance.
- An “early days” cybersecurity program where a vCISO and virtual team can efficiently build a risk-based foundation of policies and critical controls.
- A need for strategic leadership to direct in-house IT staff.
- Demands for expertise and/or project support in diverse areas, such as risk assessment or technology implementation, requiring a virtual team’s broad, on-demand skill set plus a senior leader’s strategic direction.
- A need for third-party objectivity to provide unbiased insights to leadership or investors, and/or to help surmount in-house politics and advocate for effective change.
- A looming compliance crisis, time-sensitive deal, recent data breach, or other “fire alarm” scenario where a typical executive hiring process would take too long.
If you need to build or maintain a strong cybersecurity and compliance foundation with limited resources, a vCISO service could be ideal. The key to success is often the individual who will be your vCISO. Make sure they are a good fit with your company culture, with great communication skills and a business-first mindset.
Do you know your strategic and tactical vCISO needs?
As managed service providers (MSPs) and managed security service providers (MSSPs) increasingly add vCISO services to their traditional technology offerings, the distinction between strategic and technical vCISO services becomes more important.
Look for a vCISO provider that matches your balance of “strategic versus tactical” requirements, and take time to articulate your specific needs. Do you want to focus on “first line of defense” technology issues and tasks? Or are you looking for a strategic, risk-based approach?
Experience shows that one of the top causes of failed vCISO engagements is getting caught up in tactical issues at the expense of strategy and business alignment. This can stem from an in-house cultural tendency to “oil the squeaky wheel” and never get around to strategy. IT-centric cybersecurity advice that is too focused on products is another common contributor. Be clear about the level of strategic guidance a prospective vCISO can offer and whether it meets your (potentially evolving) needs.
What’s next?
If you’re looking for vCISO support to help your business reap the benefits of demonstrably robust cybersecurity and compliance, contact CBIZ Pivot Point Security.