Context

Cyber risks have consolidated their position as key concerns, featuring in the extreme top-right (i.e. high-impact, high-probability) quadrant of enterprise-wide risk management heatmaps. The susceptibility of an ever-widening information system landscape to cyberattacks is accentuated by the inherently borderless nature of cybercrime, the limited ability of national legislative frameworks to enforce practices or take action beyond their own borders, and the fast-evolving malicious practices on the darknet.


It is in this context that the role of a Chief Information Security Officer (‘CISO’) gains prominence. Experts believe that the number of vacant cybersecurity positions is growing exponentially. This trend has also been confirmed by industry reports, which indicate an increase in the number of companies with board members and C-suite executives from a cybersecurity background, from a shade under 20% currently to ~40% over the ensuing 4 to 5 years.


In the light of the foregoing, the issues for consideration are (a) whether all organizations need to have a CISO on board; and (b) what options exist for those with limited budgets and/or those who may not require a full-time CISO. This thought leadership piece addresses these and other pertinent aspects.

What is a CISO?

CISOs are executives who are responsible for the cybersecurity strategy of an organization. In several organizations, their role entails the establishment and execution of an organization’s information security strategy, while providing assurance on the effectiveness of the measures to protect data assets. The CISO may also be expected to supervise the deployment of security technologies, respond to incidents in an effective manner, design suitable practices with controls and also oversee implementation of information security related policies and processes (in some cases, this may cover their vendor risk assessments and business continuity plans).


The role of a CISO is highly coveted because it requires a blend of technical know-how, managerial and interpersonal skills, and professional maturity. However, identifying and onboarding professionals with these skills and traits, and retaining them when demand is fast outstripping supply, can be a challenge.

When should you consider a vCISO?

Startups and small, medium and large organizations that face the aforesaid challenges, or are otherwise not ready to onboard a full-time CISO, would benefit from hiring a virtual CISO (‘vCISO’). This may serve as a temporary solution (until the business expands) or can even feature as a permanent addition to an existing security management team.


In these situations, you can consider tasking your vCISO with helping to plan, implement and sustain a reliable security strategy to keep your business and customers safe. With a sound security strategy in place, a CISO can turn your organization’s information security posture into a competitive advantage.


While large enterprises with existing security teams may traditionally have been of the view that a vCISO would not serve their objectives, the world of information security has changed considerably. Several large organizations with well-oiled security teams are currently prioritising continuity of role fulfilment and best-practice benchmarking, and both objectives can be met with a vCISO or by availing of reliable vCISO services.

Specific situations in which organizations are engaging vCISOs (as individuals or through services provided by IT consulting organizations) are summarised in the following bullets.


  • Enterprise organizations | These companies typically have a well-rounded security department, including a full-time CISO. But if this role becomes vacant even for a short period of time, for example due to illness, during a planned succession period, or after a surprise resignation, a vCISO could be a good option as an interim measure.


  • Mid-sized companies | These companies usually need consistent guidance from a CISO but may not be ready to hire one on a full-time basis. In this case, a vCISO serving as a part-time security leader could be an effective solution.


  • Small businesses | Startups and other small businesses realise that they have security requirements but may be unsure how best to address them. They may not have staff with the requisite knowledge of cyber attack prevention. These companies can contract a vCISO on a retainer model, so that they have an expert at hand to advise on and manage their compliance obligations and general security issues.


  • Post-incident and remediation services | After a specific incident such as a cyber attack or data breach, once the incident response process is complete, the organization will need to assess the lessons learned. A vCISO can be involved in this process to help identify and facilitate remediation actions.


  • Risk assessment | Risk assessments are helpful tools for an organization to review its cybersecurity practices and identify improvements. However, implementing an effective cyber risk assessment framework can be complex and requires benchmarking in terms of the identification of risks and their mitigating measures. A vCISO can be contracted to help in this situation on a short-term basis.


While the role of a vCISO will depend on the nature, size and type of an organization, its business model, its information technology framework and other factors, we set out in the ensuing chart a bird's-eye view of specific areas in which a vCISO adds value.

In summary, organizations of all sizes, industries and stages of growth can benefit from a vCISO, especially those with limited budgets or limited in-house expertise in cybersecurity. A vCISO can help these organisations develop and implement a comprehensive security program, manage their information security requirements during periods of growth and change, ensure compliance with regulations and provide expertise for incident response.


Should you need any clarifications or assistance please do not hesitate to reach out to us at contactus@mgcglobal.co.in or our IT Risk Advisory Leader - Kirti Kumar at kirti.kumar@mgcglobal.co.in.


Best regards,

Markets Team

MGC Global Risk Advisory

About MGC Global Risk Advisory 

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Year' in 2018 and 2019 (both in the category of risk advisory services), one of the 'Top Exceptional Companies to Work For' in 2020, amongst the 'Top 25 Customer Centric Companies' in 2020 and 'The Consultant of the Year' in 2021 (in the category of risk advisory services), MGC Global is an independent member firm of the US$ 4.6 billion, Atlanta-headquartered Allinial Global.


MGC Global provides services in the areas of internal audits, enterprise-wide risk management, control assessments (SOC, IFCR & SOX), process re-engineering, governance frameworks, IT risk advisory, GDPR, VAPT, ISO readiness, cyber security, CxO transformation and forensic services. Our Firm has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association (with collective revenues of approximately USD 4.6 billion) and has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969. It currently has member firms in 99 countries, which have over 26,000 professional staff and over 4,000 partners operating from 688 offices across the globe.


Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.