Looking for a CISO? Three Reasons to Consider Outsourcing the Role
Jun 19, 2020
Everybody, it seems, wants to hire a Chief Information Security Officer these days. In early June, for example, LinkedIn showed 805 CISO job openings. Business disruption related to the COVID-19 pandemic is one key factor driving demand, as evidenced by a recent study by VMware Carbon Black that found a 238 percent increase in cyberattacks against banks between February and April.
Clearly, businesses recognize that a cybersecurity strategy should be a top priority – a good thing. But is hiring an in-house, dedicated CISO role the best way to ensure that security needs are addressed? Here are three reasons you should consider outsourcing the CISO role to a qualified partner.
One: You will be able to rethink recruitment and retention
While demand for CISOs skyrockets, the supply of qualified candidates isn’t keeping pace. Risk, strategy and technology landscapes continually evolve, creating new challenges. The experience needed to address those challenges, meanwhile, by definition becomes increasingly scarce. For HR teams tasked with finding individuals – not to mention supporting teams – with just the right background, that dynamic presents a significant challenge, as well as a significant distraction from other recruitment priorities.
Relatedly, the fact that CISOs are a hot commodity means that new hires inevitably become targets of poaching. And for many IT executives with a strong security background, an in-house CISO role can be a rung on a ladder towards, say, a CIO spot. Moreover, unless you’re at a F1000 global enterprise, an in-house CISO role typically involves a fair amount of tedium. For an ambitious professional, boredom can quickly lead eyes to wander to greener pastures. Finally, the accountability of the role means that a serious data breach or ransomware attack may lead to a CISO’s dismissal – and the reality is that everyone has been breached. Is it fair to hang the blame on one individual in the organization? Unfortunately, it happens.
In a nutshell, in-house CISOs are hard to find and likely to leave. For a business prioritizing expertise and stability in its cybersecurity posture, that’s a high-risk scenario, to say the least. Hiring a “virtual” CISO by outsourcing the role to a technology partner, meanwhile, addresses the risk. At a basic level, the fact that filling the role is no longer your problem is a benefit. Moreover, cybersecurity skill sets and technology tools are core competencies for service providers, who tend to have better access to the scarce talent available. While turnover obviously impacts providers as well, they are more likely to have pipelines and contingencies in place.
Two: Partners have loads of credibility
The cybersecurity credentials of a good partner are, exceptions notwithstanding, generally a cut above those of in-house CISOs. Again, this reflects the technology focus of service providers and their ability to learn from continual exposure to the latest threats, innovations and industry trends. “A cybersecurity expert who works for, or partners with, a service provider is better positioned to be at the cutting edge of the industry relative to their in-house counterpart,” says Ray Watts, a cybersecurity consultant and compliance expert. Another consideration: in-house CISOs can find themselves unsupported by senior executives, as well as understaffed and overwhelmed by the minutiae of security concerns. In such environments, Ray cautions, CISOs risk falling behind the curve.
Apart from the direct benefit of having access to top talent, the credibility a service provider brings to the table can be valuable to customer relationships. Demonstrating security compliance to supply chain partners is becoming increasingly important to business operations, particularly for mid-sized organizations. As such, a security expert with impeccable credentials can enhance competitive positioning.
Three: Outsourcing the CISO role enhances efficiency and flexibility
Another reason to outsource the CISO role: it’s not really a full-time job. In most cases, cybersecurity requirements are an ebb and flow proposition. Budgets and headcounts fluctuate in response to specific events or requirements. In heavily regulated industries such as healthcare and finance, annual audits require intense effort and extensive resources for brief periods, followed by stretches of relative downtime. By allocating additional resources as needed, a virtual CISO function can be more flexible, cost-efficient and agile than an in-house organization.
Meanwhile, day-to-day security requirements such as employee onboarding and off-boarding, password resets and anti-virus updates don’t really need specialized cybersecurity expertise, and can fall under the purview of the IT organization.
As cybersecurity requirements continually evolve, businesses need to adapt their organizations accordingly. The ability to leverage deep levels of technical expertise and the latest technology innovations through a technology partner can be an effective way to keep up with a rapidly changing risk landscape.
Contact us for a free assessment of your organization’s cybersecurity maturity and risk levels.