Today, Cybersecurity is not just an IT problem, it affects entire businesses, customers, suppliers, shareholders, and regulators alike. An organization’s response to cyber threats has become a part of its comprehensive security posture.
Companies need to move away from the concept of just managing point security and operational IT issues. They need to be looked at and managed together and not separately. It is generally felt that merely having a CIO is not enough and is only a part of the overall response; having a CISO/CSO (roles that are still evolving and undergoing changes) in addition to a CIO provides a more comprehensive view.
Not every organization is ready for a CISO, nor does it make business sense to hire a full-time CISO/CSO irrespective of the nature of threats. This is particularly true for small and medium-sized businesses (SMBs) who are just starting out in their information security (InfoSec) journey to build an effective yet cost-efficient security framework.
However, this is not to suggest that smaller organizations do not need the services of a CISO; it is just that the terms of engagement and responsibilities are markedly different. Smaller companies do have a need for a CISO, but cannot be generally equated with the needs of a large enterprise. While major corporations are always at the centre of large-scale attacks, SMBs are also facing a lot of challenges from organized crimes. There is some bit of reluctance on the part of small and medium businesses to hire a full-time CISO but do have their specific needs to be taken care of.
Here in comes the concept of CISO-as-a-service.
CISO-as-a-service, also known as a virtual CISO (vCISO), is a cost-effective way to bridge the gap between the requirements of a nascent security organization and its need for a full-time CISO. The key idea is to have a functioning CISO/CSO office within the organization without the associated overhead costs.
In this arrangement, which is an alternative to traditional staff-augmentation, the talent provider deploys a CISO professional to the client organization, from a pool of qualified and experienced practitioners. It is a consumption-based, pay-as-you-go model just like any other on-demand service. It generally includes all the services that make up the CISO role framework. While it is still evolving, it is increasingly becoming popular with small and mid-sized businesses. Today, renting a CISO is providing a lot of organizations access to top-class advisory and expertise in a cost effective manner.
“IBM offers CISO-as-a-service, renting out and deploying some of their best brains on Cybersecurity to their clients in need. IBM’s pool consists of a large bench of senior professionals and experts who have worked as CISOs across industries earlier. Under the agreement IBM employees are deployed/deputed to client organizations who work as acting CISOs. The agreements range from a few months to even years. The CISOs generally work out of client locations and can also provide remote support. After the termination of the agreement, they come back to their previous roles in IBM”.
What is driving the adoption?
For smaller organizations, it is often challenging to find the right Cybersecurity talent with the skills, experience and background that is needed to fulfill the requirements of the organization. It is generally known that one in every 5 Cybersecurity practitioners change jobs within a year. Naturally for these organizations it makes sense to avoid the usual pitfalls while recruiting. Additionally, companies are finding it difficult to fill Cyber/Information security positions on time while being able to keep the costs down. These factors can put a lot of companies under stress.
How does it work?
The CISO-as-a-service market is fragmented and there are a large number of small players vying for market share. An analysis provides us with the following market participant categories:
1) Global IT providers: IBM
2) Global consulting companies: KPMG (Interim CISO Services)
3) Niche Providers/Managed Security Services (MSSP): Sentor, ForesightCyber, Alphaserve Technologies
4) Specialist Cybersecurity Providers: Secureworks, Cybderdefenses
5) Staffing firms (specializing in Cybersecurity): Cyber360 Inc., 3P Resources, Templar Shield
The providers have specialists on their rolls, who can be deployed to client organizations on demand at a short notice. They are typically senior resources with experience ranging between 12-20+ years with one or multiple specializations. The process starts at the client organization with an exercise in risk assessment, gaining a thorough understanding of the security landscape, the nature and intensity of potential threats, criticality and location of physical and information/digital assets, and assessing the current security scenario. These services generally fall within the ambit of the providers’ Cyber-risk, GRC, Information Security, Managed Security Services and Advisory Services offerings.
Since the market is still nascent, there is not one accepted best practice or contracting model for virtual CISOs. Most virtual CISOs are contracted with set retainer agreement with definitive outcomes that works well for small and medium sized businesses. However, the trends also indicate the following emerging models of engagement for CISO-as-a-service:
1) Retainer agreement for a fixed term (week/s, month/s, year)
2) On-demand model based on hours/per day (hourly rates)
3) Fixed fee for an end-to-end project
4) Purchasing man-hours and using them in blocks to suit the requirements
Hiring a virtual CISO can not only help in reducing costs, it can also help in putting together security policies, guidelines and standards. According to Bank Info Security, it takes between 35% and 40% of what it costs to pay normal full-time industry salary to a qualified and experienced CISO.
What are the potential advantages?
1) Provides an outside-in view, making it easier for the CISO to work according to the needs of the client
2) Can be entrusted with overall responsibility and oversight of the information security function; help in liaisoning with other departments
3) Flexibility owing to on-demand access
4) Can step in at a short-notice, particularly in case of incidents, breaches and data losses
5) Access to a team of professionals from a wide range of background across a range of disciplines with a fixed cost. Can transition to a permanent roles if the need be
6) Can be replaced quickly in case of under/non-performance
The services generally include the following:
1) Policy: Advisory & Consulting, Document Review, GAP Analysis, Policy Design, ISMS Framework
2) Compliance: Global standards and frameworks such as PCI DSS (Financial Services), ISO 27001, SOX
3) Risk Services: Risk Management, Risk Assessment & Acceptance, Critical Asset Review, 3rd party Risk Assessment
4) Business Continuity Planning (BCP)
5) Assessment Tests: Penetration Testing, Vulnerability Assessment, Perimeter Security Review
6) Incident Response: Detection & Analysis, Post-incident Activity, Incident Management Plan
7) Training: Awareness Training