Should we be hiring a Chief Information Security Officer (CISO)? An increasing number of Entrepreneurs, Board Members, CEOs, Talent Directors, and Vice Presidents of Human Resources are asking themselves this question as the number of reported security breaches is steadily increasing across the United States.
Although the CISO is a relatively new role in corporate America, many small to midsize businesses are now assessing whether or not they should be hiring one. Even some larger enterprises are without a CISO at a time when their systems are extremely vulnerable. According to the FBI, business e-mail compromise (BEC) alone has accounted for $26 billion in theft. Unfortunately, large companies are not the only ones on cybercriminals’ radar either. According to Verizon’s 2019 Data Breach Investigations Report, 43% of cyberattacks target small businesses.
Before making a decision on how to best protect your company from cyber threats, you must first assess your risk, your risk tolerance, and the cost you are willing to incur to minimize that risk. According to the National Cyber Security Alliance, 60% of small companies go out of business within six months of being victimized, and the insurance carrier Hiscox reports that the average cost of a cyberattack for businesses of all sizes is $200,000. These statistics give a general sense of the average risk and average cost of a breach. Businesses must personalize this risk, however, depending on the industry they serve, the value of the data they need to protect, and the costs they could incur from potential fines and brand damage, not to mention embarrassment or potential termination of members of the C-suite.
Unfortunately, deciding when to hire a CISO is not as simple as achieving a specific annual revenue threshold. According to Christine Vanderpool, Florida Crystals CISO and former Deputy CISO for Kaiser Permanente, “companies should be evaluating their risk tolerance based on the type of data they have, the industry they are in, the types of regulatory requirements they are accountable for and, generally, how much overall risk they are willing to accept.”
There are many cybersecurity consultants, “Virtual CISOs,” and third-party Managed Security Service Providers (MSSPs) that can provide companies with a cyber threat and vulnerability assessment, but in the end it will be a board decision that weighs the level of risk the organization will tolerate against the costs of reducing that risk to a level at or below its risk threshold.
Once the organization understands the costs associated with a cybersecurity strategy that can sustain an acceptable level of risk, it must then decide how to develop and manage it day-to-day.
Developing a Cybersecurity Strategy
When the organization is ready to develop a cybersecurity strategy, it needs to determine whether to: 1) outsource this responsibility to a virtual CISO or third-party MSSP, 2) add this overwhelming task to the existing responsibilities of its IT leadership, or 3) hire a full-time CISO who manages most of what is needed in-house (with their own staff) and supplements it with services from MSSPs.
If there is no in-house IT leadership (i.e. no CIO or IT Director), the organization needs to assess whether or not its management team is capable of overseeing a third party that develops and manages its cybersecurity strategy. In a decentralized organization this can be very complicated. The organization must also compare the cost of outsourcing to the third-party provider vs. the cost of hiring a full-time CISO and managing cybersecurity in-house. For some small organizations, it will make sense to outsource to a third party, whereas others find they need to bring it in-house and have it fully under the control of their own full-time CISO.
If there is an existing CIO or IT Director with the bandwidth and capability to develop and manage the cybersecurity strategy, the organization will need to compare the cost of outsourcing cybersecurity to a third party vs. hiring a full-time CISO. If the decision is to outsource to a third party, the organization is then tasked with finding the provider that will deliver the broadest set of security solutions with the most value at the lowest cost. If the CIO or IT Director does not have the bandwidth to handle this, the organization needs to consider hiring a full-time CISO. Once hired, a CISO will determine the proper model for balancing internal staffing and the external resources required from MSSPs.
Who should the CISO report to?
Board members and CEOs are increasingly viewing cybersecurity as one of their fastest growing concerns. This can be managed appropriately, however, by taking the adequate steps needed to prevent and prepare for cyberattacks. In order to do this, they must look closely at their unique corporate framework to ensure that the CISO reporting structure will allow for efficient communication and support throughout the organization. If cybersecurity is viewed by the board and C-suite as a top priority and as an ongoing initiative, it has an opportunity to be embedded in the company’s culture and to thrive.
Unfortunately, there is no one-size-fits-all answer to this question, but one should keep in mind that CIOs and CISOs do not necessarily have the same goals, so blending the two roles together is not ideal if you are committed to a comprehensive cybersecurity strategy. CIOs are already tasked with the overall IT strategy of the company, often have revenue goals, and need to make sure employees have the IT network and tools necessary to execute on the company’s strategy. CISOs, however, are laser-focused on protecting the company’s data, staying constantly aware of new threats, frameworks, regulations, and cybersecurity best practices while enforcing security throughout the organization. They must keep the company, its data, and its employees safe regardless of financial goals and/or employee convenience.
One final thought
Many small- to mid-size businesses are aware of the dangers of cyberattacks but think that they won’t happen to them or are something to deal with in the future. Unfortunately, cyber threats are happening every day and are growing at an alarming rate as cyberattacks grow in complexity and organizations must secure a growing number of endpoints that extend beyond their perimeters, such as smartphones and IoT devices. It is no longer a question of whether or not your organization will be attacked by cyber criminals; it is a question of how much it will cost your organization when it is attacked.
For the organizations that are properly prepared, the cost could be $0, as cybercriminals’ first attempt will be thwarted and they will quickly move on to their next target, taking the path of least resistance. For those that are not prepared, get prepared today. Speak with consultants and third-party security providers that understand your current vulnerabilities. If you do decide to hire a full-time CISO, speak with an executive search firm like Wolf Hill Group that specializes in identifying CISOs who are experts in cybersecurity and will identify an excellent candidate that is a solid fit for your organization.