A growing trend in the world of Cyber Security is the outsourcing of some or all of the Information Security team.
This can be just a small part - vulnerability management; vendor risk management; responding to customer questionnaires. It could be just the leadership function, a virtual CISO or vCISO. Or it could be the entirety of the Information Security team.
As you evaluate the pros and cons of in-house vs. outsourced, consider the following.
Hiring a CISO can be expensive. I mean really expensive. Finding a leader for your InfoSec function who knows what they are doing will easily set you back 240k+. Much more in high-demand areas such as the San Francisco Bay Area.
When you outsource InfoSec, you only pay for as much CISO as you need - and that may not be a full FTE. The rest of the Information Security activity can be performed by security analysts and engineers at a much more cost-effective price point.
Why pay an expensive resource to answer the same questions in a customer security questionnaire over and over again?
Even if you do bite the bullet and shell out for a full time CISO, are you really getting an industry veteran who has 'been there, done that' (and got the tee shirt)?
Particularly with start-ups that don't have the same brand-name cachet as a large or public company would, the candidates for a CISO hire are often pulled from the ranks of the Security Analysts at larger companies.
Though they would often make fine team members, you are taking on a risk when you entrust a rising star with their first leadership role flying solo.
Better to rely on a team of industry veterans to define, implement and monitor your Security Program - and the Truvantis vCISO program makes that choice affordable.
3. Customer Perception
A significant part of a CISO's role is articulating details of the security program to current or prospective customers in a way that reassures them. Sometimes this means joining sales calls to articulate why the organization is worthy of the customer's trust. Sometimes it can just mean explaining 'what happened' or 'what they heard' in a way that calms frayed nerves.
Just as the dulcet tones of an airline pilot's pre-flight announcement to passengers instill a sense of calm and trust, channeling thousands of hours of flight experience, an experienced CISO can communicate authority, experience and competence in meetings just through choice of vocabulary, confidence in the security posture of the
We've encountered a number of smaller companies that cannot seem to keep hold of a CISO. There is an initial burst of activity as they set up the InfoSec program - define the controls, make some process changes, perhaps attain a SOC2 certification. Then life becomes a never-ending parade of customer questionnaires to fill out and they start to get bored. Then a larger organization with more complex demands, a larger budget and a bigger team starts to look appealing.
By outsourcing to a vCISO, you get all the attention you need from a career CISO when you need it, and the more day-to-day work is handled by journeymen who are happy to be part of a well-functioning team where they can learn.
5. Maturity & Methodology
When you bring on a CISO full time, you will need to agree on strategic goals, monitor progress, and supervise the development and implementation of a security program based on an industry framework such as the CIS Controls that is the right size for your business.
Now, an experienced CISO should be able to handle this. If they have built InfoSec functions a few times before, then they probably have an idea of how they want to approach the task.
A vCISO team, however, does this as their basic way of functioning. They should bring a tried and tested methodology for analyzing operations, classifying data, assessing risks and developing a lean and manageable control set that can be turned into routine procedures and standards that will appropriately manage risk. They should also be able to present a baseline of reporting that allows executive oversight of the function, identifying status and maturity development.
An in-house CISO may be building this from scratch.
6. Adaptive sizing
How big should your InfoSec team be? Larger than a breadbox? Smaller than a two-car garage? It can be really hard to justify any proposed headcount. Many smaller entities start by hiring a CISO and then expect that hire to perform all the functions at every level until the size of the company will support a larger team.
With a vCISO team, you can ramp the delivery team size up and down on demand. More customer security questionnaires this month? Pull in some extra resources. Need to build out operations to support a new certification (SOC2, PCI DSS, HIPAA)? Just ask for some burst bandwidth.
It's much easier to vary the level of effort than to hire and fire staff.
7. Staff Turnover Resilience
It's a fact of work life that employees come and go. There will always be the unexpected resignation that was not on the business plan and causes an impact. Losing a CISO is just such a concern. Not only do you have the usual headache of finding a replacement, not only do you need to hope that operations are well documented and portable, you may also find yourself worrying about your next audit. Will you be able to maintain the SOC2 certification that is so essential to supporting sales with a change of CISO mid-term?
vCISO teams are adept at capturing processes in a methodical way that will support a headcount change. They need to be able to assure you that the commitment to maintaining your InfoSec controls is between you and the vCISO company - not with any individual person. They must have sufficient maturity in their delivery model to make sure that this remains true.
Not only is outsourcing your Information Security function possible - it's recommended.
Leave Cyber Security to companies that are great at it - so that you can focus on what you are great at.