When will you hire a VCISO? Before or after you have the security breach or malware attack that cripples your organization and its reputation? Will you embrace what a VCISO can do or scramble to find one when investigators are asking questions about your cyber security?
This is not an issue to take lightly. If you run any kind of for-profit or nonprofit business, such as a law firm, real estate agency, social services charity or municipal government office, and you access, store or process personal information, you will be a target of a cyber attack. If you have a cyber security plan in place, you will be ready and you may suffer nothing more than an inconvenience. If you don’t have a VCISO, CIO or plan, the results can be devastating.
Hackers using ransomware shut down the entire government of Costa Rica, leading the country to declare a state of emergency.
What’s the difference between a CISO, a CIO and a VCISO?
A CISO (Chief Information Security Officer) is a specialized CIO (Chief Information Officer), tasked with protecting systems and data against intrusions, theft and ransomware encryption. A VCISO, or Virtual Chief Information Security Officer, is an experienced CISO or CIO who offers their expertise as a service to clients. This is also known as an Outsourced CIO or Fractional CIO.
What will a VCISO do for my business, nonprofit or organization?
A VCISO brings experienced, executive-level support to clients at an affordable cost. A VCISO will conduct a thorough audit and assessment of your existing information technology systems to identify vulnerabilities, risks and potential consequences of an intrusion. The VCISO will then develop a plan to secure systems and train staff in cyber security awareness. Some virtual CISOs conduct staff training themselves, while others set up training with third parties.
A VCISO will also set up monitoring that detects any unusual activity on your systems, so that any intrusion or breach can be quickly identified and stopped. New threats and methods of attack continually evolve. It is not enough to secure systems once and walk away.
Law Firm Mossack Fonseca & Co. was the world’s fourth-largest provider of international financial services. Less than two years after a breach disclosed their client information, the firm closed its doors.
Should I Hire a VCISO or Outsource a CIO?
The outsourced CIO model is popular for small and mid-sized businesses that use technology but aren’t built around it. Real estate agencies, law firms, consulting firms and professional services companies all benefit from an outsourced CIO who can secure systems and establish cyber security practices for employees. In most cases, these firms cannot afford a full-time CIO and do not have enough ongoing need for one.
Firms dependent on central information technology systems, including hospitals, insurance companies and sales organizations, generally need a full-time CIO or CISO to secure those systems and the information they contain. Cyber security awareness training for those companies focuses on protecting the central system, then extends to everyday protection for laptops, email and social media accounts.
To decide whether a full-time or virtual CISO is right for you, look at your office systems. If everyone connects to a single program or a single database, then you need a full-time CISO to protect it. If everyone uses their own laptops and connects to a LAN or via WiFi, a Virtual CISO is often a better choice, because they will have more experience securing these types of environments.
Take our cyber security readiness quiz to gauge your readiness and cyber security needs.
Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.