Security remains a complex discipline.  The challenge grows daily as new threats emerge and compliance requirements increase.  Several regulations, HIPAA among them, require organizations to designate a person whose role is to ensure compliance within the organization. 

This is why organizations need a designated person with primary responsibility for security and compliance.  This person is the Chief Information Security Officer (CISO), in some organizations titled the Chief Security Officer (CSO).

The Role of a Chief Information Security Officer

A Chief Information Security Officer, or CISO, is first and foremost a business leader in the organization.  He or she sets the organization’s security vision and ensures that it is in line with other business objectives. 

The CISO works with the organization's other senior leaders to implement security and compliance initiatives throughout the company: the Chief Executive Officer (CEO), business owner or senior partners; the senior financial manager, such as a Chief Financial Officer (CFO); the senior IT executive, such as the Chief Information Officer (CIO); and the Chief Operating Officer (COO).

Some CISO activities may include:

  • Establishing and evangelizing the security vision
  • Defining security strategy and goals
  • Determining the level of acceptable risk
  • Defining and implementing security and compliance governance
  • Coordinating compliance activities and communicating with regulatory groups
  • Creating, publishing and maintaining security policies
  • Ensuring security awareness of risks and of organizational security policies
  • Coordinating incident response activities (e.g. data breach, IP theft)
  • Ensuring physical security for company facilities including offices, sites and datacenters.

Challenges

The CISO role is still relatively new and it has seen some challenges in implementation.  Information security requires much cooperation from Information Technology (IT), and compliance requirements include many sections on technical controls, so it is understandable that IT is often seen as the group responsible for security.  This is not ideal, because security and compliance both involve much more than technical controls. 

The actions of people, both employees and outside actors, are central to maintaining security and compliance, and managing those actions requires a person or group with more than technical skills.

Sometimes chief security responsibilities are given to existing IT, legal, or HR employees. However, this approach often results in these individuals handling security as a secondary role, so security does not get the priority it is due.  Furthermore, the organization then lacks a single central point of contact for security.

The Role of a Virtual CISO

A virtual CISO performs the same activities a CISO would, but on a part-time basis.  The role may actually be filled by several persons so that the company is covered even when one of them is on vacation or otherwise unavailable.  Virtual CISOs give organizations access to highly specialized skill sets by providing expert security resources without the high fixed cost of adding a dedicated security executive.

Virtual CISOs assist organizations by developing the strategies needed to evaluate and mitigate risks, maintain operational continuity and secure the organization. They address security needs wherever they arise, whether in personnel issues, timely employee background checks, technology, remediation, or the design of procedures and policies.

Virtual CISOs partner with businesses to understand how core information assets have been deployed. They work hand in hand with organizations to study the security placed around those assets and what improvements can be made. Virtual CISOs help integrate security into organizational strategies and processes, and they help companies develop tailor-made delivery plans that fit their needs and budget.

Ideal Traits

Ideal virtual CISOs should be well-versed in exploits, attacks, vulnerabilities, controls and countermeasures. They should have a thorough understanding of technology such as operating systems, virtualization, storage and networking, but business and leadership skills are even more important for this role.  

Security and compliance are more about people than about technology, so the virtual CISO should be able to interface with and direct people and lead change efforts.

Virtual CISOs need to be able to translate risk to data, information or computers into risk to the business. They should be able to determine how to respond to each risk: mitigate it with controls, accept it, transfer it (for example through insurance or contract), or avoid it by not undertaking the activity.

Summary

The Chief Information Security Officer role is more vital to companies of all sizes than ever before.  CISOs are in high demand but for those who do not need a full time person and the expense that goes with it, a virtual CISO may be the answer. 

Sometimes this role is added to a pre-existing role within the organization, but this can lead to compliance being treated as a secondary activity, and it does little to protect the organization's information security.

Virtual CISOs work across business and functional lines. They see through the complete deployment of strategic and holistic approaches to specific business issues, carefully assessing risks to the organization's reputation, information, assets and all people involved. This is crucial especially for businesses looking at long-term sustainability and expansion.