The Business Case for Virtual CISOs
Can't Afford to Hire a Full-Time CISO? Then Rent One
Challenged by rising cybersecurity threats and a deficit of qualified security leaders, many organizations are now opting for "CISO as a service" - virtual CISOs who will step in and provide critical strategic leadership.
In some cases, the virtual CISOs are short-term to fill a tactical need. Other times they sign long-term contracts to, say, develop a security road map for an organization. Whatever the end goal, for organizations that cannot find or afford a full-time CISO, the virtual leader fills a vital security gap.
"A virtual CISO provides security management and governance similar to a CISO," says Delhi-based Pradeep Eledath, chief executive officer at Safe++ Global Technology Services Pvt. Ltd, which provides virtual CISO services. "The key differentiator is an external service provider with a multitude of skill sets in each discipline of security delivers this [virtual service]."
Sanchit Vir Gogia, chief analyst and group CEO, Greyhound Research, says that as organizations move their workloads to the cloud and implement virtualization and mobility, they also open themselves to complex security threats. The need for sophisticated security architecture becomes critical, and so does the need for a CISO.
"The problem is of simple demand and supply," Gogia says. "While there are a number of organizations seeking expert guidance on security, there is lack of expertise in the industry, therefore the need for a virtual CISO is opportune."
Bangalore-based Oman Transformers, the Indian subsidiary of the Muscat-headquartered manufacturing company, hired virtual CISO services to set up its entire security platform.
"Since we are a non-IT company and the team is not completely focused on security, I went ahead to hire virtual CISO services to avoid the hassle of hiring an in-house security team," says H Anand Krishnan, head of IT and finance at Oman Transformers.
Since making the move, Krishnan says, Oman has seen nearly a 60 percent savings in security costs. And "the quality of service is equally assured as compared or equivalent to having a full-time CISO," Krishnan says.
Why a Virtual CISO?
Large Indian enterprises and heavily-regulated sectors such as banking and telecom are mandated to have a CISO for managing enterprise security and laying down the process. But mid-sized organizations are not driven by such mandates, and they often struggle to find qualified security leadership.
"Mid-size enterprises cannot afford a full-time CISO and lack internal security resources," says Pune-based Sharat Airani, security consultant and virtual CISO for mid and large enterprises.
Bangalore-based Dr Harsha E, chief IT security consultant, HK Strategies, and a virtual CISO for large enterprises, sees the need for such services in manufacturing, biopharma, government and automotive, for instance, with the virtual leader providing multi-domain expertise.
"The difference between a virtual CISO and a consultant is: a virtual CISO is a security practitioner with a hands-on approach in creating a security framework within the customer organization," Harsha says. "A consultant could just suggest ways to secure and advise internal teams on the plan of action."
Eledath agrees, saying that, for many organizations, retaining a virtual leader is far more cost-effective than searching for and hiring a qualified CISO.
"A virtual CISO provides an expert, independent and unbiased view of the organization's risk, compliance and security postures with on-demand expertise of sector-specific information security domains," Eledath says.
Virtual CISOs often are not individuals, but rather a team of InfoSec generalists and specialists. The generalists act as an interface between the client and the service provider. They engage at the business layer to assess the security needs and provision the required skill sets from the pool of security specialists, providing an unbiased security solution that is completely agnostic of OEM security products.
Eledath lists three variants of virtual CISO offerings:
- The Team Approach - Organizations ask a virtual CISO to provide 10 specialists to handle security activities around tasks such as DLP, policy framework, overall security and application layers. The customer is less worried about the team's skills, as the virtual CISO is the point of contact.
- Project-Based Model - In the second model, enterprises opt for a project leader who works with the CIO to handle multiple layers of security - the network, applications, data, identity and access management, as well as people and processes - to design a security process and manage it for a stipulated period.
- The Strategist - The third model (gaining prominence) is about moving from a people-centric model. Business heads and sometimes CEOs are involved, and they task the virtual CISO with understanding the enterprise risk. For example, the virtual CISO is expected to conduct a top 10 risk-based study to establish how risk-prone the organization is. The leader must create a security structure, deploy 270001 framework and a five-year security road map with a risk mitigation plan. In this model, the virtual CISO must create a security structure with clear written SLAs and KPIs and penalty clauses in case the desired goals are not met.
When Oman Transformers hired virtual CISO services, it was for the strategic model, to set up the security infrastructure and related processes.
"We got the virtual CISO to fly to our headquarters at Muscat to meet up with the top management to understand the business objectives and align the security to meet the goals and prescribe policy guidelines," Krishnan says.
In Oman's case, virtual CISO services were extended to map organizational risk, conduct penetration testing to detect vulnerabilities, perform audits and recommend the measures necessary to protect the organization against attacks.
"We have one team member who understands security, and the virtual CISO handles all security requirements," Krishnan says. "And since now the infrastructure is set, it is handled remotely."
The chief benefit of virtual CISOs is the instant access to expertise, sources say. But there also is a significant cost benefit. The normal annual contract rate for virtual CISOs is about 35-to-40 percent of what it costs to pay the normal industry salary for a full-time information security team to perform the same services.
"You can save 60-65 percent of the annual cost by deploying virtual CISO services," Eledath says. "A security professional with 12-15 years' experience specialized in one area costs $70,000 annually; a CISO with multiple specializations is an expensive proposition."
Harsha adds: "Hiring a virtual CISO gives access to a highly qualified and experienced resource with multi-domain knowledge, no long-term commitments and easy to change virtual CISO if delivery is unsatisfactory."
Gogia of Greyhound Research agrees. "Most virtual CISOs work around a co-op, retainer agreement with set target outcomes that works well for small and mid-suite organizations that have limited budgets,"