Do you need a CISO? The answer may surprise you.

Why do companies hire a CISO?

The answer to the question "Why do companies hire CISOs?" sits squarely in what an effective CISO really does for the companies they represent. A CISO is not just another IT expert in your company. They shouldn’t be expected to do break-fix or network design. A truly effective CISO is a key senior level executive leader within your organization who is as tied to business operational strategy as the Chief Operations Officer. In order to do their job, they need to have a seat at the executive table.

Of course, they need to have the experience to be part of business strategy. This means that your CISO needs to have proven business acumen, as well as a keen ownership of business impacts on risk, the business’ unique alignment to necessary compliance requirements, a seat at the budget table, and the power to impact change. In short, everything the business does potentially exposes that business to risk. While it may not be apparent to every business leader, your business is exposed to risk every time you:

• Make a financial transaction
• Make big business announcements
• Expand your sales team
• Hire a new HVAC vendor
• Merge or acquire a new company (or even discuss a merger or acquisition)
• Take on seed capital
• Hire a new HR employee
• Go public
• Win a new contract or renewal
• Outsource marketing, sales, manufacturing, distribution, or anything critical to your business
• Provide your board members with board-books

This list goes on—and notice that I didn’t mention a single “technology” decision on this list. I didn’t even mention any change in compliance, incident response, awareness training, or even penetration testing schedules. In fact, a good CISO needs to know what’s happening with the core business functions described so they can properly align what we think are traditional cybersecurity functions.

This is why it can be unproductive to simply elevate someone from the IT department to the CISO role. More than once, I’ve talked to C-Suite leaders who asked “Why did we get breached when we’ve increased our IT budget (2X, 3X or even 10X)? We bought every tool our new CISO recommended.”

In every case, the company either elevated their IT lead to the CISO role, or hired someone who had incredible IT chops. This isn’t an attack on the IT experts out there. This is a simple statement around how we, as human beings, will always pull from our experience or stay within our comfort zone. IT simply is not the same as security, although it is a component of it.

If you’re going to hire a CISO, here is a recommendation for screening criteria ranked by priority:

1. Business acumen and experience
2. Strategic collaboration
3. People management skills
4. Ability to assess capabilities and delegate tactical responsibilities
5. Executive partnership and support needed to hold people accountable
6. Ability to recognize and organize foundational risk exposure relevant to your business focus
7. Compliance alignment relevant to your business focus.
   • It’s actually nice to see a candidate who understands compliance from several business vantage points. In today’s world, many businesses touch other verticals which may bring additional compliance accountability. For example, you make baby food, but pick up a contract to produce specific food items for classified Department of Defense operations. This will add a whole new level of compliance mandates, not to mention, new exposure to corporate risk. Even if it is just processed applesauce in a resilient, easy-to-eat-from pouch.
8. Project leadership and accountability
9. Identification, design, implementation, and understanding of key performance indicators (KPIs)
10. Understanding of the technology layer.
    • Here’s the important part… They don’t need to know the intricacies of a Fortinet device or even have the ability to run a penetration test. They do need to know the risk posture impacted by installing that Fortinet device. And they need to know why they need to conduct penetration tests, what to expect from the test findings, and a keen understanding of how to prioritize the penetration test findings as related to the business’ core functions.

Like any C-Level leader, they need to trust the specialists on the team and hold them accountable for doing everything their role requires.

Always remember, when hiring your next CISO, you’re building a job req, structuring the interview process, and hiring a candidate who can help you grow your business and protect your critical operations.

Why should companies hire a CISO?

This is simple. Companies should hire a CISO to build clarity around what they don’t know. This is the same reason the founders of a start-up hire a CEO. In the case of a start-up, it’s a fact that just because you’re the founder, doesn’t mean you’re the ideal CEO. Start-up founders hire CEOs to take their company to the next level. To bring clarity around what they don’t know. The correct CISO will do the same thing. They will be part of the team in-charge of elevating your company and bringing clarity around unknown operational risk management and alignment to your business.

What are the primary challenges faced by companies when trying to hire a CISO?

There are three major challenges companies face when trying to hire a CISO in today’s market:

1. Shortage of actual CISOs.
   • They are very hard to find—even when the hiring company has created the proper job description, hired an executive recruiter, and offers an awesome financial package. CISOs, like a lot of cybersecurity talent, are in very short supply.
2. Budget.
   • The cost to hire a CISO has exploded. It’s a high-risk position and they’re in high demand. It’s important to remember that even if the company can afford the required CISO talent, the budget doesn’t stop there. Companies must allocate a budget which will allow the CISO to build their team and support the activities required to build and execute upon a risk management strategy. According to Salary.com, the median annual salary for a CISO in today’s market is $226,550 and that’s not representative of the full compensation package. [Graphic: https://www.salary.com/research/salary/benchmark/chief-information-security-officer-salary]. Just when you think you have solved the budget concern, you’re going to be hit with change. According to a ZDNet article published in 2020, the average CISO only lasts in their role for 26 months [https://www.zdnet.com/article/average-tenure-of-a-ciso-is-just-26-months-due-to-high-stress-and-burnout/]. This is due to stress and high demand. One CISO I spoke with receives 2-3 aggressive recruitment inquiries a week.
3. The need a team, not a person.
   • A CISO is an individual, and I’ve seen too many really good CISOs leave companies because they just can’t do everything. Risk management, cybersecurity strategy, business alignment, compliance, and planning take more than any one person can accomplish. It’s just not realistic to put it all on your CISO

What is a Virtual CISO or CISO Team-as-a-Service? (TaaS)™

A CISO Program, if structured properly, is nearly identical to the CISO you would hire—but better. After long deliberation and years of delivering what were called vCISO services, here at IGI Cybersecurity, we’re dropping the “virtual” from our program. Moving forward the IGI program name will reflect what we offer, a full team of cybersecurity professionals who have a diverse set of skills and expertise. Thus, dubbed, the the IGI CISO Team-as-a-Service (CISO TaaS). 

The IGI CISO TaaS™ program holds that moniker because they bring an ability to partner with the existing client team, and they can add members of the IGI Cybersecurity team to fill many of the executable gaps such as penetration testing, cybersecurity risk assessments, vulnerability monitoring, incident response team, and compliance or certification readiness assessments.

This service, formally knows a vCISO, when structured correctly brings a level of skillset you just can’t get from an individual CISO. Not because that CISO is inadequate. More because that CISO is always going to be limited in what any one person can do.

When should companies not outsource their CISO?

Outsourcing your CISO requirements isn’t a short-cut to automatic risk management and cybersecurity alignment. Companies still need to buy into the CISO role and expectations. They still need to understand why they need a CISO and what a CISO does. Again, if you’re looking for the outsourced CISO or CISO team to “take direction” from the IT Director of even the Chief Technical Officer (CTO), it won’t work. In essence, you’re just contracting another break-fix IT resource. The CISO function is not IT. It is business operations. The outsourced CISO does need the support and cooperation from the IT department, just as they do from finance, sales, HR, etc.

When is a CISO TaaS right for your company?

Outsourcing your CISO requirements can be right for your company in several situations:

1. You need CISO leadership now.
   • It can easily take 6 months to 12 months-plus to find a CISO. Companies can immediately hire a IGI CISO TaaS to build out their risk management platform. This way when they do hire a full-time CISO, they have a mature, defined program to transition. It takes a CISO three to six months to assess a company’s current risk posture before they can impact change. With a proper transition, the CISO will be able to make decisions in a much shorter timeline. The IGI CISO lead can also assist companies in the hiring process as an experienced advisor. Once the client hires a CISO, the new CISO will also immediately have access to a team who has been working within that environment.
2. Budget constraints.
   • In most cases, companies get access to a IGI CISO TaaS for a fraction of the cost of an individual CISO. Because of the nature of the IGI CISO TaaS, companies get a fully qualified CISO lead and access to a team to support key deliverables. This team also adds resiliency and scalability to the role.                                               
3.  Customization.

• • The IGI CISO TaaS is customized for the unique requirements of each client. This means that the service is built based upon a business operations first approach. After all, true risk management is a partnership requiring corporate adoption and integration within the corporate culture.

Learn more about this new service and out full suite of services at IGIcybersecurity.com.

Wondering where to start in your 2022 planning? Download our Cybersecurity Prep Planner at https://guides.igicybersecurity.com/.