What is a Fractional CISO?
A fractional CISO is an executive-level cyber security professional who specializes in helping organizations protect against cyber threats. Whether full-time or fractional, a CISO performs the following functions:
- Assessment: A full inventory of the software, hardware and systems needed to run the business, along with their vulnerabilities, and an evaluation of employee cyber awareness.
- Defense: Installation and setup of hardware and software systems to secure the organization’s data, prevent breaches and detect attempted cyber attacks.
- Training: Development and implementation of employee cyber awareness training and phishing prevention.
- Monitoring: Ongoing evaluation of threats and defenses. Maintenance of cyber defenses, including any needed software updates.
- Reporting: Compliance reporting for stakeholders and insurance providers, as well as the executive team.
- Planning: Involvement in new business initiatives and growth strategies with a focus on security as well as business goals.
Do I really need a CISO?
You don’t need a CISO if your business or organization operates no computers or computer-controlled devices, never communicates via email or text and never uses any kind of online financial services. Cash-only farm stand operators, clam diggers and scrap metal foragers don’t need cyber security. Everyone else does, to some degree. A fractional CISO is often the better choice.
When should I hire a full-time CISO?
In general, the following types of organizations need a full-time CISO.
- Tech Companies: If you’re writing your own software, you also need to secure it. You probably have a much higher level of online exposure that can attract cyber criminals as well. A full-time CISO should help you anticipate and guard against vulnerabilities and have extensive experience in any technology that supports your systems.
- Financial Service Providers: The liability and regulatory environments are changing, with Congress expected to place a greater burden on companies that manage financial accounts. These businesses are high-value targets for cyber criminals looking to steal money. They need a full-time CISO with particular experience in monitoring, identifying and stopping intrusions, including zero-day (“Day One”) vulnerabilities and intrusions through shared services.
- Critical Infrastructure Operators: Power companies, hospitals, power plant operators, water departments and some manufacturers need a full-time CISO with experience identifying and stopping novel attacks. Any system that can kill people if it is disabled or operated improperly should be considered vulnerable to cyber warfare and must be continually monitored and protected.
When should I hire a Fractional CISO?
The best time to hire a Fractional CISO, also known as a Virtual CISO, is when your organization begins to accelerate full- or part-time employee hiring. You probably do not need a full-time CISO to help you scale operations at this point, but you do need someone to ensure that all new employees are trained and properly set up with secure systems. Remember that as you grow, your exposure and risk of cyber attacks also grow. Any new employee can be the weak link in your security chain if you do not train them on your company’s security protocols and ensure they have their own secure methods of accessing needed systems and software.
If you are looking for a bank loan or investment capital, you need a Fractional CISO to review and sign off on your cyber security. Most lenders and investors now consider cyber preparedness a critical piece of a business’s valuation. Almost no one will lend to an organization without robust cyber security, and those that will are likely to demand that you hire some kind of CISO.
If you have recently acquired another business, a Fractional CISO can help you integrate new employees and systems. Fractional CISOs can sometimes deliver savings many times greater than their cost when it comes to system mergers and employee orientation.
If you recently expanded or are planning to expand to a new country, find a Fractional CISO versed in international operations. Foreign expansion carries unique risks and, in some cases, compliance requirements and greater business liability. Be sure to ask if a Fractional CISO has specific understanding of the countries where you operate.
Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.