Article: Mitigating Reputation Risk When Hiring a Virtual CISO, by Jessica Robinson

Jessica Robinson, CEO, PurePoint

Few corporate crises are as reputation-damaging as a cyber breach. It is cited as a top concern of virtually every major organization worldwide.

The Ponemon Institute 2018 Cost of a Data Breach Study found that globally the average cost of a data breach was $3.86 million, a 6.4% increase over 2017. The average cost per record stolen was $148. The average cost of a data breach to a small business is $690k.

With that in mind, we turned to Jessica Robinson, CEO of PurePoint International, which provides Virtual/Outsourced CISO to middle market businesses in financial services and insurance. Jessica and her team specialize in working with companies with $100M-$500M in revenues. This article is excerpted from a LinkedIn essay advising C-Suite decision-makers what to avoid when hiring a Virtual CISO.

It was recently suggested to me by a security colleague who works in penetration testing that I write this article. However, it was only when I was feeling a bit alarmed after talking with several people recently about the security services they are receiving (or providing – yes) that I thought I would share a few thoughts.

More and more people are asking me about my role as an Outsourced Chief Information Security Officer (CISO). Since I started my company, the cybersecurity industry has been predicted to expand by $133B in total spend on products and services by 2022. With regulations like the New York Department of Financial Services (NY DFS) Cybersecurity Regulation (23 NYCRR 500), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), there is an increasing number of companies offering an Outsourced or Virtual Chief Information Security Officer (CISO) service, cybersecurity services in general, and data privacy services.

After recently working with a $200M insurance company to meet NY DFS cybersecurity compliance requirements, which was later validated by a regulatory visit from NY DFS, and additionally, in a role as Data Privacy Officer (DPO), working on a data privacy program to support organizational Binding Corporate Rules commitments to GDPR (which was validated by two other Data Privacy Officers), I continue to be concerned about what leaders (on the business side and technology side) think a CISO does.

7 Erroneous Assumptions about Outsourced CISOs

Though I have clear, distinct thoughts on what makes a good Outsourced CISO, below are the top seven mistakes C-level leaders make, and technology leaders believe, when hiring an Outsourced, or Virtual, CISO. For the sake of this discussion, I will define an Outsourced or Virtual CISO as a non-full-time employee. The actual hours may vary based on the needs of the business (size, business growth, industry, and regulatory requirements the business adheres to). The word virtual also indicates the CISO may not actually spend much time, or any time, in the office and may work remotely. Even if that is the case, that would not negate the ultimate responsibilities an Outsourced/Virtual CISO has.

1. It can cost $500 a month for a Virtual CISO service. It’s important to understand that not every business needs a CISO. If there is a CISO service offered for $500 per month, it is a service being offered to a business that may not need a CISO service and/or the provider is simply not executing on the role of CISO, but rather supporting as a virtual security manager. This role can be important for very small businesses depending on the industry, projected growth and target base of clients. However, an Outsourced CISO would not be hired for $500 a month, and certainly not for a regulated company that must comply with key cybersecurity and data privacy regulations.

2. Outsourced CISOs only need to spend a few hours a month on your business. Perhaps this is true, if you are a small company in a non-regulated industry. This can be the case with a small consulting company, or a few small retail stores and restaurants. Again, these businesses may need a security manager, not a CISO. In my experience, this also would not suffice for a regulated company in financial services. I have had security leadership roles in very large companies and in very small companies. Without a doubt, more of my actual time in hours has been with smaller companies because of the limited resources. As a CISO at a regulated entity, more than a few hours a month will need to be spent in the business.

3. An Outsourced or Virtual CISO is like Outside Counsel; they are on retainer and you just call when you need them, and they respond. I am not in a position to comment on the role of Outside Counsel, however, an Outsourced CISO is providing key deliverables to the business on an ongoing basis, not just when the business asks for something. If you have a CISO and they just “respond” when you need them, or just send you a monthly report, that is a red flag.

4. Why hire a CISO when the IT team “has got it?” It is not the role of IT to fully manage security. Everyone in the organization is responsible for security, including IT, but having IT fully own security, inevitably, can surface inherent conflicts of interest and a false sense that security is fully adhered to. The IT team already has a really important job and we need them to do it really well! Simply put, if security were solely IT’s job, in the United States we would not currently need over 300,000 people to fill cybersecurity roles, according to CyberSeek. Why would the CISO role even exist?

Additionally, there would not be a mandatory cybersecurity requirement for covered entities regulated by the Department of Financial Services to designate a CISO, whether in-house or through a service provider. The only exemptions include organizations with fewer than 10 employees, organizations that produce $5M or less gross revenue from NY operations in each of the last three years, or businesses that have less than $10M in total assets. The CISO would also not be required to report to the board, as stated in the NY DFS cybersecurity regulatory requirements. Regulators would be fine with just having the Director of IT, Head of Infrastructure or the Chief Information Officer (CIO) do it.

5. All the CISO does is write policies. A CISO does not write policies. Someone, or multiple people, on their team does, unless it’s a smaller company. In short, the CISO, along with several other partners, helps to validate (and enforce) that the policies accurately reflect the business and IT environment and culture, address regulatory concerns, and address current and future business and security objectives.

6. The CISO, especially in a $100M – $500M company, is just a project manager. No. In these smaller companies, a CISO is executing on core priority objectives a much higher percentage of the time than CISOs in larger multi-billion-dollar companies, because the team is much smaller. All CISOs are interpreting key technical information from a variety of sources, presenting that information to the board, influencing the decisions of board members, CEOs and C-level executives, and influencing the behaviors of ALL employees. They are also making the priority decisions on how the cybersecurity budget is spent and providing input on how the IT budget can (better) support security. The CISO is a strategic advisor, not a functional leader, to the business. Though project manager skills can be helpful, a CISO, as a leader in the business, influences the security of the products and services a company offers, which impacts the clients and other stakeholders, and impacts the profitability and reputation of the business. These are just a few reasons why this position is required to report to the board for companies regulated by the Department of Financial Services in the state of New York.

7. CISOs don’t really need to be a security leader; another leader in the organization can take on the responsibility. Each business may have a unique complexity or reporting structure that includes security. However, this approach, inevitably, can surface inherent conflicts of interest that exist within roles of responsibility (CIO, Chief Financial Officer (CFO), etc.). It is easy for security to be pushed behind the priorities of other executives.

Having the right outsourced CISO is critical

In hiring a CISO, as a C-level leader, you are investing in a change to bring about desired business or regulatory outcomes, you are adjusting your schedule to make time for a topic you may not understand nor have a desire to discuss, you are making investments in your business positively, and you are creating true accountability on a topic where the ultimate responsibility lies with you.


Read the complete article: What Really Does a Virtual CISO Do? The Top 7 Mistakes C-Level Leaders Make (and Myths Technology Leaders Believe) When Hiring a Virtual CISO
