{"id":875,"date":"2024-11-18T06:00:00","date_gmt":"2024-11-18T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=875"},"modified":"2024-11-18T06:00:00","modified_gmt":"2024-11-18T06:00:00","slug":"so-you-dont-have-a-chief-information-security-officer-9-signs-your-company-needs-one","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=875","title":{"rendered":"So, you don\u2019t have a chief information security officer? 9 signs your company needs one"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The threat of cyberattacks keeps many US CEOs awake at night, but fewer than half of them have a CISO to check under their company\u2019s bed for digital monsters.<\/p>\n<p>Cyber-attacks were ranked as the No. 2 geopolitical concern in the Conference Board\u2019s 2024 <a href=\"https:\/\/www.prnewswire.com\/news-releases\/survey-in-2024-ceos-are-most-worried-about-a-recession--inflation-but-say-theyre-not-ready-302030642.html#:~:text=Survey:%20In%202024%2C%20CEOs%20Are%20Most%20Worried,the%20%231%20external%20concern%20among%20executives%20globally.\">CEO survey<\/a>. Yet only 45% of American companies have a chief information security officer, according to a Navisite <a href=\"https:\/\/www.navisite.com\/press-releases\/navisite-research-finds-45-of-companies-do-not-employ-a-chief-information-security-officer\/\">poll<\/a> from 2021, the most recent research on the issue.<\/p>\n<p>Those numbers suggest a whole lot of businesses out there have no CISO. 
Let\u2019s break down why so many companies don\u2019t have one, how they\u2019re managing cybersecurity without one, and nine key signs that a company does indeed need a CISO.<\/p>\n<h2 class=\"wp-block-heading\">Why some firms go without a CISO<\/h2>\n<p>Size matters when it comes to hiring a CISO. Smaller companies simply may not need (or realistically be able to attract) a CISO.<\/p>\n<p>\u201cJust imagine you\u2019re a 200-person company with one business line that\u2019s not very complicated. Do you really need a full-time CISO? What are they going to do all day? It probably doesn\u2019t make sense,\u201d says Rob Black, CEO of Fractional CISO, a Boston-based firm providing companies with virtual and part-time CISO services. \u201cIf it\u2019s a 200-person widget-maker, is there a CISO that wants to work for that organization? CISOs want interesting work,\u201d he added.<\/p>\n<p>That said, even businesses with sizable headcounts choose to forego the CISO role. \u201cWe run into 1,000-person companies all the time without a CISO, and maybe even larger,\u201d says Black.<\/p>\n<p>The cost to hire and retain a CISO is a major stumbling block for some organizations. Even promoting someone from within to a newly created CISO post can be expensive: total compensation for a full-time CISO in the US now averages <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/new-report-from-ians-research-and-artico-search-reveals-ciso-compensation-remains-strong-despite-2024-market-slowdown\">$565,000 per year<\/a>, not including other costs that often come with filling the position.<\/p>\n<p>\u201cIf it\u2019s a larger business then they\u2019ll need to hire a team behind the (CISO). They\u2019ll need architects, they\u2019ll need a SOC, they\u2019ll need engineers. 
So, then the cost of resources kind of expands,\u201d says Sistla Vaishnavi, a UK-based principal at Riviera Partners, an executive search firm headquartered in San Francisco.<\/p>\n<p>The Navisite survey suggests companies face another barrier to hiring a CISO: the never-ending talent gap. \u201c(The) cybersecurity skills shortage \u2026 extends to the highest levels. Companies value and want cybersecurity leadership, but it is increasingly difficult to find and retain these individuals,\u201d the Navisite study declared. In a nutshell, the global dearth of cyber talent discourages many firms from embarking on a lengthy, expensive CISO search that could ultimately prove fruitless.<\/p>\n<h2 class=\"wp-block-heading\">Non-CISO cyber options<\/h2>\n<p>Who\u2019s managing cybersecurity at organizations that don\u2019t have a CISO? Navisite\u2019s survey revealed 60% of companies rely on other parts of their organization to manage cybersecurity, such as IT, executive leadership or compliance staff.<\/p>\n<p>In most cases, it\u2019s probably the CIO. A 2023 <a href=\"https:\/\/www.ciso.inc\/wp-content\/uploads\/2023\/08\/CISO-Report-2023-.pdf\">report<\/a> by Cybersecurity Ventures suggests CIOs are most likely to manage cyber at companies with no CISO. The study estimates approximately 90% of organizations with a full-time CIO do not employ a full-time CISO.<\/p>\n<p>Running cybersecurity on top of their own duties can be a tricky balancing act for some CIOs, says Cameron Smith, advisory lead for cybersecurity and data privacy at Info-Tech Research Group in London, Ontario.<\/p>\n<p>\u201cA CIO has a lot of objectives or goals that don\u2019t relate to security, and those sometimes conflict with one another. Security oftentimes can be at odds with certain productivity goals. 
But both of those (roles) should be aimed at advancing the success of the organization,\u201d Smith says.<\/p>\n<p>Though delegating cybersecurity to other people in your organization \u2014 CIO, CTO, IT director or compliance manager \u2014 is faster and cheaper than hiring a CISO, Vaishnavi warns of potential downsides to this stopgap approach:<\/p>\n<ul>\n<li>A CIO or CTO may not have the cybersecurity certifications and expertise a CISO would bring.<\/li>\n<li>CIOs and CTOs who add cybersecurity to their overloaded plates risk \u201cspreading themselves too thin\u201d.<\/li>\n<li>Cybersecurity may not get its own separate seat of influence at the boardroom table.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">No CISO at the boardroom table can be perilous<\/h2>\n<p>In the event of a breach or hack, this lack of direct boardroom access can be disastrous.<\/p>\n<p>\u201cYou don\u2019t want to be going through multiple layers of command rather than going to the person who can actually give you the go or no-go to make decisions to protect the business. The decision-making timeline is significantly reduced as well (with a CISO),\u201d she says.<\/p>\n<p>A <a href=\"https:\/\/www.csoonline.com\/article\/564749\/what-is-a-virtual-ciso-when-and-how-to-hire-one.html\">virtual CISO<\/a> (sometimes called a fractional CISO or CISO-as-a-service) is one option for companies seeking to bolster cybersecurity without a full-time CISO. Black says this approach could make sense for companies trying to lighten the load of their overburdened CIO or CTO, as well as firms lacking the size, budget, or complexity to justify a permanent CISO. 
Most virtual or fractional CISOs:<\/p>\n<ul>\n<li>Are experienced former CISOs.<\/li>\n<li>Work remotely or hybrid.<\/li>\n<li>Work part-time for various clients simultaneously.<\/li>\n<li>Work on a temporary or renewable contract basis.<\/li>\n<\/ul>\n<p>Though some people define a \u2018virtual CISO\u2019 as remote only, and a \u2018fractional CISO\u2019 as on-site, Black\u2019s company Fractional CISO uses the terms interchangeably. Here\u2019s how his firm helps companies that don\u2019t have a full-time chief information security officer:<\/p>\n<ul>\n<li>Each client gets a virtual CISO plus a cybersecurity analyst.<\/li>\n<li>The fractional CISO performs board-facing duties (creating a cybersecurity roadmap, communicating with senior leadership).<\/li>\n<li>The analyst conducts risk assessments and gap assessments, performs vendor reviews, and edits security policy.<\/li>\n<\/ul>\n<p>Costs can be much lower than for a full-time CISO, even though each client gets access to both a part-time CISO and an analyst. \u201cWe have quite a big range with our clients, but the average client\u2019s spend with us is a little over $100,000 a year,\u201d says Black.<\/p>\n<p>What if all of those options still aren\u2019t enough? 
What are the signs you actually need a full-time CISO?<\/p>\n<h2 class=\"wp-block-heading\">9 signs you need a CISO<\/h2>\n<h3 class=\"wp-block-heading\">You\u2019re in a highly regulated industry<\/h3>\n<p>\u201cFinancial services, medical, health care, legal \u2013 those businesses will always need a CISO,\u201d says Vaishnavi.<\/p>\n<p>Black widens the CISO-ready scope further: \u201cIf you\u2019re doing anything for the federal government or if you\u2019re a public company, those (circumstances) all make sense.\u201d<\/p>\n<p>The tightening legislative environment around <a href=\"https:\/\/www.csoonline.com\/article\/1247504\/how-us-sec-legal-actions-put-cisos-at-risk-and-what-to-do-about-it.html\">executive and corporate liability for cyber incidents<\/a> is also motivating companies in non-regulated sectors to think about hiring CISOs.<\/p>\n<p>\u201cWhen GDPR was introduced in the EU and the UK, you could see a shift or increase in terms of people talking about security as a whole. 
That sort of thing has a very direct knock-on effect in terms of hiring trends,\u201d says Vaishnavi.<\/p>\n<h3 class=\"wp-block-heading\">You plan to go public<\/h3>\n<p>On its website, VC firm Andreessen Horowitz <a href=\"https:\/\/a16z.com\/hiring-a-chief-information-security-officer\/\">recommends<\/a> that \u201call companies preparing for an IPO \u2026 designate a CISO who can implement the right IT controls, risk assessment, compliance testing, audit trails, and reporting functions in compliance with the <a href=\"https:\/\/www.csoonline.com\/article\/2116996\/how-cios-should-prepare-for-sarbanes-oxley.html\">Sarbanes-Oxley Act<\/a>.\u201d<\/p>\n<h3 class=\"wp-block-heading\">You had a cyber incident<\/h3>\n<p>\u201cAs part of your root cause analysis, you might determine \u2018why did we end up here?\u2019 That would tell you, yeah, it\u2019s time for the security role to be dedicated,\u201d says Smith.<\/p>\n<p>\u201cIt can kind of convert someone to become a true believer,\u201d adds Black. \u201cThey have some horrible breach or incident and say hey, that just cost us $10 million. We would\u2019ve been way better off if we\u2019d just spent a fraction of that every year (on a CISO).\u201d<\/p>\n<h3 class=\"wp-block-heading\">Your peers have been breached<\/h3>\n<p>\u201cSome companies are more forward-looking. Maybe they see a peer in their industry that\u2019s had problems and they say you know what, we don\u2019t want to be them,\u201d says Black.<\/p>\n<h3 class=\"wp-block-heading\">You want to stay on top of the expanding threat landscape<\/h3>\n<p>\u201cWhy is having a CISO important for some organizations now? I mean, the bad guys are making billions and billions of dollars from fraud, scams and attacks. 
Not mitigating that risk seems unwise,\u201d says Black.<\/p>\n<h3 class=\"wp-block-heading\">Your company is growing<\/h3>\n<p>\u201cAs the scale climbs \u2014 the number of people that work for you, the number of users, how much data you\u2019ve got, how much revenue you\u2019re turning over \u2014 all of these things play a big part in the decision that should go into whether you need to hire a CISO,\u201d says Joe Head, founder of The Blueprint, a cybersecurity executive coaching firm in Henley-on-Thames, England.<\/p>\n<h3 class=\"wp-block-heading\">Your board wants one<\/h3>\n<p>\u201cWe have seen smaller (companies) where there\u2019s someone on the board who just says no, you have to (hire one) now,\u201d says Black.<\/p>\n<h3 class=\"wp-block-heading\">Your clients and prospects want one<\/h3>\n<p>Not having a CISO in place could cost your company business with existing clients or prospective customers who operate in regulated sectors, expect their partners or suppliers to have a rigorous security framework, or require it for certain high-level projects.<\/p>\n<p>\u201cIf you\u2019re selling IT and the large enterprise (customer) says \u2018your security program is not good enough to comply with this thing or do this thing,\u2019 you know that clearly they\u2019re very concerned about security and you just don\u2019t have a very strong (cybersecurity) program,\u201d says Black.<\/p>\n<h3 class=\"wp-block-heading\">Your VC or private equity fund wants one<\/h3>\n<p>\u201cIf you\u2019re going through a funding round and you\u2019re in an environment which is dealing with a lot of data or dealing with a lot of personal information, usually you have a CISO come on board at that point. I would say series A round or higher is usually the time,\u201d says Vaishnavi.<\/p>\n<h2 class=\"wp-block-heading\">\u2018CISO\u2019 is more than a title<\/h2>\n<p>Head has seen a few companies take on a CISO based on the suggestion of a VC or PE fund. 
He argues, however, that the role must be treated as more than a technical manager hired to tick a box on a financing deal.<\/p>\n<p>\u201cA company should hire a CISO when they\u2019re willing to invest in security and take cybersecurity seriously,\u201d he says.<\/p>\n<p>\u201cThey should hire one when they understand they\u2019re hiring another business leader. But if you\u2019re hiring a CISO and not giving them the responsibilities and the complexity of that level of position, then I would argue maybe you\u2019re not ready for a CISO yet.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The threat of cyberattacks keeps many US CEOs awake at night, but fewer than half of them have a CISO to check under their company\u2019s bed for digital monsters. Cyber-attacks were ranked as the No. 2 geopolitical concern in the Conference Board\u2019s 2024 CEO survey. Yet only 45% of American companies have a chief information [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":876,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-875","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/875"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=875"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/875\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\
/media\/876"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}