Why your SMB needs a Virtual CISO

Small and Medium-sized Businesses (SMBs) have been the focus of a tremendous number of data breaches and cyber-attacks recently.  According to the U.S. Small Business Administration, the 58.9 million SMBs in the U.S. that employ 47.5% of the nation’s workforce were the target of 2 out of 3 of all cyber crimes in 2018 alone.  What’s worse is that 60% of SMBs go out of business within six months of a cyber-attack.

Although large corporations can shoulder a good portion of the financial blow reputational damage when hit by a data breach, SMBs don’t have the same luxury.  It is for this reason that SMBs should consider a virtual Chief Information Security Officers (vCISOs) to help manage and implement their cybersecurity and privacy strategies.  Virtual CISOs turn their leadership and project prioritization expertise into focused strategies that help SMBs stay under budget and optimize forward progress.

How vCISOs Speak the Language of IT Leadership

With rapidly evolving security threats, it takes having a strategic vision, passion for coordination, and the courage to drive culture in the right direction with focused IT policies.  Whereas SMBs may covet speed of product or feature delivery to maintain their growth trajectory, they must also be aware of how these efforts may affect their company culture.  That’s where a vCISO can help to bring immediate value to the organization thanks to their expertise in security and privacy that supplements their powerful business acumen skills.

In short, vCISOs are adaptive security strategists who are keen to the needs of an SMB and learn quickly to construct a sensible roadmap of security objectives and a schedule to achieve goals.  vCISOs aren’t technically part of the organization which makes them more objective in their leadership skills, thereby eliminating any bias and operating free from corporate bureaucracy.  The only agenda of a vCISO is to advance security and privacy objectives while allowing the business focus on its core services.  They are mission-driven, and nurture IT and Security teams towards meeting organizational goals. They also push for efficiency and quality in security and privacy efforts.

Prioritize Your Focused Cybersecurity Strategy with a Virtual CISO

The first order of business for a vCISOs is to prioritize a cybersecurity strategy that is aligned with the SMB’s business objectives that allows them to show measurable improvement in the company’s security posture.  This is usually part of a Business Risk Assessment. This is pivotal for protecting the business from attacks resulting in data loss.  If an SMBs doesn’t have the experienced IT staff to formulate a cybersecurity strategy internally, vCISOs can carve a strategy out in a way that ensures information assets and technologies are adequately protected.  The vCISO’s ability to mesh an SMB’s vision with their cybersecurity strategy ensures that the organization is put in the best position to protect itself with a thoughtful approach based on budget, priorities, and risk.

How vCISOs Augment IT Teams

The best vCISOs are inclusive in their understanding that the adoption of the latest techniques for identifying threats is important.  vCISOs assess the technology procurement decisions, physical access controls, prioritization of key assets and services, legal compliance regimes, and more to lead through coordination.  vCISOs also share lessons learned from other companies and scenarios that they have first-hand experience in addressing to help organizations avoid the same peril.

The vCISO is there to augment IT teams and enhance existing capabilities while meeting client expectations based on the resources at their disposal.  If the culture is resistant to the recommended changes, or lack proper resourcing and budgeting, it will undoubtedly impede progress and prevent the vCISO and related teams from accomplishing their mission.  The vCISO must be allocated the appropriate level of authority to allow them to affect positive change.

Tackling Budgetary Problems with a vCISOs

SMBs may have a hard time justifying the salary and overhead of a full-time, salaried CISO seeing that the median annual CISO salary is $215,273, as of March 01, 2018 according to Salary.com.  This isn’t to mention that 38% of respondents to the Information Systems Security Association (ISSA) ESG survey said that CISOs are bound to change jobs when they are offered higher compensation packages from other organizations.  Since SMBs may just need part-time consulting, a vCISO can satisfy their needs and budget limitations.

It is nearly impossible for SMBs to compete with big firms, their deep pockets, and stronger network relationships.  The good news is that vCISOs operate under retainers that can cost a fraction of the going rate for an in-house CISO.  vCISOs garner less than $40k per year with costs typically decreasing over time as their client’s security programs are being maintained rather than built.  SMBs that enter this nurturing state should still opt to continue consulting with their vCISO regularly to ensure they are implementing the strategies and policies that the vCISO constructed in the correct manner.

Contact CMS to see how we can help with your cybersecurity program, from vCISO services, implementation support, or sustainment.

2 thoughts on “Why your SMB needs a Virtual CISO”

  1. First of all I want to say awesome blog! I had a quick question which I’d like to ask if you don’t mind. I was interested to find out how you center yourself and clear your thoughts before writing. I’ve had a difficult time clearing my thoughts in getting my thoughts out. I do enjoy writing however it just seems like the first 10 to 15 minutes are wasted just trying to figure out how to begin. Any recommendations or hints? Many thanks!

    1. Thanks for the feedback. At CMS, we think about trends in cyber security, gauge what would be interesting, and zero in on a few talking points about the subject. Start broad, and narrow it down to some key takeaways that the audience can identify with. Hopefully, you think about cybersecurity the same way.

Leave a Reply

Your email address will not be published. Required fields are marked *