October 24, 2024
A recent article in Security Magazine, citing a report by Bitsight and Diligent, noted that a mere 5 percent of medium to large-sized companies have a full-time cyber security expert on staff. “At the same time,” the article added, “a correlation was found between strong cybersecurity measures and higher financial performance. In fact, cybersecure companies typically produce a financial performance that is four times higher than those that do not.”
Which is to say, at a time when cyberattacks of all kinds are rampant and growing increasingly sophisticated (particularly with the rise of AI), it’s never been more important to have at least one dedicated security expert whose sole job is to monitor for and protect against malicious incursions that cost time, money and untold reputational damage. A July 2024 Statista report noted that the estimated cost of cybercrime among all businesses and organizations is predicted to “continuously increase” in the next five years by $6.4 trillion on its way to $15.63 trillion by 2029.
“The divide between resilient organizations and those struggling has become stark in 2024,” according to a 2024 SentinalOne report, “with the number of organizations that maintain minimum viable cyber resilience declining by 30 percent. A lack of resources and skills is the biggest challenge for 52 percent of these organizations in designing cyber resilience, even as transforming legacy technology and processes is another significant barrier.”
Of course, many companies can’t afford to hire full-time cybersecurity specialists. Which is where vCISOs—virtual chief information security officers who provide on-demand guidance—come into play. Mindsight’s vCISO, Matt Cox, has worked in the space for many years and for a variety of clients. He shared some insights about the role, its evolution and how organizations can benefit from bringing a vCISO into the fold.
Q: Today’s security climate is increasingly dire, but so many organizations either don’t have access to a cybersecurity expert and aren’t prepared for cyberattacks. What role can a vCISO play for orgs that can’t afford full-time cybersecurity specialists?
A: Your security program, in order to be successful, has to start from the top, and that requires security leadership. And a lot of organizations simply don’t have those people in their work structure. Even large organizations struggle to do that. And that’s where vCISOs come in. You just need somebody that’s guiding and orchestrating things for you. I tell people that I am the guide on their security journey. I’m not there to run the program for them. I’m not there to implement the security tools. I’m not an employee of their organization, so I’m not going to understand it intimately. But what I can do is bring the experience of working with a large range of organizations at similar levels and say, “These are the areas that attackers are exploiting, and so these are the areas that we need to prioritize our security controls around.”
Q: That’s the most-cost effective way for many businesses to hire a cybersecurity specialist without having to bring one on board full time. Why is it so cost-prohibitive to hire one internally?
A: Somebody with that level of experience is going to easily command six figures plus. And so that’s just not really within the budget of many organizations. And you’re not going to keep that person busy full-time. A professional security leader is not necessarily the person that has the skills to implement all of the necessary controls. They touch a wide range of technologies, but nobody has expertise in all of those domains. So what you’re looking for is somebody that can organize and drive that program for you, but it doesn’t need to be a full-time job. Most companies don’t need a full-time CISO running things all the time. That comes with a whole org chart of other people. You have security engineers. You have SOC analysts. You’ve got program managers. You’ve got project managers. There’s a whole suite of people that come with that. That becomes cost-prohibitive for all but larger organizations.
When we do assessments for our clients, part of that assessment process is an annual budget based on things they should prioritize for their security program. Things like software licensing and implementation costs. And they’re often shocked to find that they can make significant improvements in their security posture for less than the cost of a full-time employee. It’s such an overwhelming topic. If they’re not accustomed to the security environment, they’re used to just getting attacked by security vendors trying to sell them something. How do you know which ones to work with? And how much should you be spending on those things? That’s where a consultant like me comes in and says, “You don’t need all these products. Here are some very basic security steps we can take that don’t require outside parties to set up, so let’s prioritize those.” Once you get those basics under control, you can dramatically improve your security posture without a ton of investment.
Q: What are some specific services vCISOs provide?
A: At Mindsight, we start with a comprehensive assessment of an organization’s existing security posture. In my experience, we’ve worked especially well in manufacturing, healthcare and education. But you don’t know where to go unless you know where you’re starting from, so we use a process that involves one or more industry standard frameworks. That can be the critical security controls. That can be the NIST CSF. That can be SOC 1 and 2. It can be HIPAA. It can be PCI. It can be a combination of those things. So that’s where we start. We then determine what they’ve already invested in. Maybe there are tools that overlap, or maybe there are gaps in those tools. From there we do a budget analysis to identify the investments or changes that they need to make. A lot of times it’s just related to internal effort, so we’ll put some dollars around that because customers’ time is money, whether they’re spending on hard costs or not. Then we’ll meet monthly and monitor the performance of the program we advised them to implement, so they’re getting continuous feedback.
We really take a comprehensive approach. Some companies will just do the assessment, and that’s the end of it. But companies get busy, so they need constant engagement to make sure that the security program is being followed. Sometimes we’re talking with the CEO, but generally it’s the CFO who both runs the infrastructure and is in charge of the books. It may also be IT directors, IT managers, even system administrators for smaller organizations. And once they’ve made the decision to invest in a vCISO relationship, they’re open to feedback. I’m not necessarily plugged into their senior management, and they may have different goals and directives than we recommend. But ultimately, we’re there as an advisor. There certainly are times where our recommendations don’t align perfectly with business goals because we weren’t part of the business goal planning process. But oftentimes, they line up quite well.
About Mindsight
Mindsight delivers enterprise managed services to the mid-market across a variety of industries including manufacturing, financial services, government, education – just to name a few. Our solution architects and engineers are expert-level only and are an extension of your IT team. Mindsight is headquartered in Downers Grove, IL, a suburb of Chicago.