Good talent is like finding a horcrux in Harry Potter – essential, hard to find, and something you don’t want to lose track of (but let’s not destroy good vCISOs using artifacts). A shortage of good people means higher prices for your business to hire one full time, hence the demand for the vCISO (virtual Chief Information Security Officer) or fractional CISO.
The Role of a (v)CISO
As companies choose to operate in the digital space, the demand for experienced and knowledgeable security professionals continues to rise. Virtual Chief Information Security Officer (vCISO) services have become increasingly popular in recent times as organizations seek to strengthen their cybersecurity strategies without hiring full-time staff.
However, not all vCISOs are created equal. Some may lack the necessary skills, knowledge or experience to provide adequate cybersecurity protection. Some companies or MSSPs may advertise this capability for your company while, in essence, placing an individual contributor in that position.
In this blog post, we will explore what to look for in a vCISO so that you can make an informed decision when choosing a provider.
How to Hire a (v)CISO: 6 Traits to Look For
1) Business Acumen:
As table stakes, a vCISO should gain a thorough understanding of the company’s business model, systems, and processes as part of the initial engagement, and should take a good amount of time getting to know the company, its culture, and its regulatory landscape. This knowledge will help them determine where to implement security measures that meet the company’s unique needs. A vCISO should work in close partnership with senior management and the board of directors to ensure that all stakeholders are on board with the cybersecurity strategy. If a company doesn’t have a board of directors, the vCISO should work with the person(s) with the most to lose in the case of a major breach.
Another aspect that truly bothers me: a competent vCISO should have the ability to distinguish between implementing a flashy, buzzwordy product solely for its impressive features and selecting a more cost-effective solution that effectively mitigates risks in a sustainable manner.
2) Proven Track Record in Cybersecurity:
Because of the demand for cyber leadership, I’m seeing a good number of individuals and companies coming to the market advertising fractional or virtual cyber executive services when those individuals, respectfully, have never run a program or stared down an auditor before.
When considering a vCISO, it’s crucial to seek out someone with a strong cybersecurity track record spanning multiple phases. The ideal candidate goes beyond technical expertise, possessing a deep understanding of the business of risk and its impact on the organization’s revenue.
Throughout my experience collaborating with CISOs and information security leaders, and while this may be a somewhat controversial opinion, the vCISO that best suits most businesses is ideally someone who has dealt with and resolved significant incidents in the past. This seasoned expert can effectively guide the organization, share valuable insights, and foster a broader understanding across the company to align with business goals and develop effective risk-mitigation strategies.
3) Stay Up-to-Date on Cybersecurity Trends:
A top-notch vCISO should possess comprehensive knowledge of emerging threats and maintain awareness of cybersecurity trends, because that is precisely what the company is hiring them for: it does not have someone who thinks about cyber, compliance, trends, and overall technical risk mitigation.
When interviewing potential candidates, it’s crucial to inquire about their strategies for staying updated and the industry influencers they follow. This ensures their ability to deliver innovative solutions that address the latest developments in cybersecurity. If their answer is “we go to our partners”, you may want to re-evaluate that candidate and company, as they are being paid to advocate for you and not for their vendors.
As cybersecurity risks continue to evolve alongside advancements in technology such as ERPs, CRMs, and IaaS, it is crucial to keep learning and expanding our knowledge base. This ongoing pursuit is essential for effectively mitigating the ever-evolving risks associated with cybersecurity.
4) Be an Agile and Flexible Leader:
A vCISO should possess strong leadership qualities that enable them to bridge interpersonal gaps and establish connections with business teams, fostering the development of an effective cybersecurity program. For this part-time or short-term contractor, it is crucial to possess exceptional communication skills to engage effectively with business partners. A proactive problem-solving approach and the ability to build trust are also vital attributes needed to foster strong relationships throughout the duration of the partnership. Finally, the vCISO must demonstrate agility and flexibility to adapt to evolving conditions and priorities.
5) Tactical and Strategic Thinker:
The vCISO plays a vital role as a tactical and strategic thinker, with extensive experience in various situations. Their ability to resist groupthink within a company’s culture allows them to provide unparalleled value. By leveraging their deep expertise and extensive network, they develop and implement cybersecurity policies that ensure the highest level of protection for the organization. It is crucial for this individual to strike a balance between cybersecurity needs and business objectives while maintaining compliance with regulations.
6) Can Take Action:
If you are planning to establish a formal cybersecurity program for your organization but hiring a high-profile executive doesn’t seem practical, selecting the right vCISO becomes the natural decision. Outsourcing it to your MSSP might not be the most independent way of getting the best bang for your buck.