InfoSec Teams Underfunded, Understaffed – Gives Rise to Virtual CISO

Attendees at Black Hat were surveyed and the results are no more reassuring than last year.  15% have no doubt that they will have to respond to a major security breach in the next year, 25% say it is highly likely and 32% say it is somewhat likely.

63% of the security pros say that they do not have the budget to defend against current threats while 20% say they are severely hampered by a lack of funding.  Only 26% – a quarter – say that they have enough staff to defend against current threats.   None of this addresses future threats.  Ransomware, for example is running wild this year.  Last year it wasn’t even on most people’s radar.

66% say they do not have enough training and skills to perform all of the tasks they are responsible for.  10% say they are ill prepared for the threats and tasks that they face each day.  Again, none of this talks about the skills that they will need for dealing with tomorrow’s threats.

37% say security initiatives fail due to a shortage of skilled technical staff.

9% are currently worried about the Internet of Things, but 28% feel this will be a problem within 24 months.

This has caused some firms to use virtual CISOs.  For everyone other than the largest firms, hiring a CISO is not in the budget.  Given the skill shortage, a good CISO can get up to $250,000 plus benefits. One security executive I know asked the company to pay for his automobile tolls and the company agreed.  While this is not a huge cost, companies are having to bend over backwards to attract the talent they need.

And, for many organizations, they don’t need a full time CISO.  One day a week or one week a month may well be completely adequate.  By doing this the firm still has access to great talent, but doesn’t have to recruit, relocate and retain that talent – a tough task in this market.

The Information Systems Security Association says that there is a shortfall of 300,000 to 1 million cybersecurity professionals.  According to the Ponemon Institute, a senior information security executive is lured away to another job, on average, after a little more than two years at the current position.

All this is giving rise to the virtual CISO.  Companies that go this route do not have to find, interview, evaluate, relocate or retain a senior cyber security executive.

For medium size firms and smaller, they are likely to get outbid by Fortune 2000 firms, who can afford higher salaries, more benefits and a bigger challenge.

For companies who lose their CISO to another firm, the virtual CISO can fill the gap and even help assess the skills of new candidates, all the while making sure that the company’s security efforts do not lose momentum during the gap.

For companies who are not sure that they need a CISO, think about the costs of cleaning up a breach.  It is not unusual for breach response teams like Mandiant to charge $500 per hour per team member for breach response.  Of course, hiring a CISO does not guarantee that you won’t be breached, but having an executive focused on cyber risk mitigation will certainly improve the odds.

For many companies, the virtual CISO is the perfect solution – pay only for what you use.

Information for this post came from National Law Review and Network World.

by