It has been extensively reported that there is a shortage of cyber security skills across industries. The 2017 Global Information Security Workforce Study commissioned by (ISC)² projected that the skills shortage will reach 1.8 million professionals by 2022.
Previously, as Chief Information Security Officer within a FTSE 100 group, I have experienced how difficult it is to hire and retain the right skills. Salary expectations are on the rise too, as skilled professionals understand their worth to businesses.
To compound the issue further, threats are continuously evolving and becoming increasingly indiscriminate. Gone are the days when having “nothing of obvious value” helped you avoid unwanted attention. If you are connected to the digital world, you are a target or potential victim, as the widespread impact of ransomware such as WannaCry made evident.
Criminals have ‘productionised’ attacks, which can be bought as off-the-shelf products or tailored at additional cost. This lowers the capability required to carry out an attack, making it accessible to anyone with the motivation.
In response, an increasing number of security vendors are releasing products and services positioned to defend organisations against the latest threats. However, this has created confusion: organisations face the unenviable task of selecting the right solution to mitigate continuously evolving threats, and where they have acquired products or services, they often lack the in-house skills to operate, maintain, or respond to them effectively.
So how do organisations with an often constrained security budget, and an inability to attract, hire, and retain the appropriate skills, navigate the jargon, understand the real-world threats to their business, and make timely investment decisions that deliver demonstrable improvements in their security posture?
Enter the Virtual CISO
A Virtual CISO (vCISO) is a service-based engagement that can be customised to your own information and/or cyber security needs, helping you identify those needs where they are unclear. It provides both on-site and remote access to CISO capabilities, and the level of engagement can be adjusted in line with your changing requirements, from a few hours a month to a full-time interim CISO.
This approach allows organisations that otherwise cannot attract the required skills to benefit from access to them. Employing a full-time CISO may be cost-prohibitive for some organisations; others may need specific skills that are not required on a full-time basis.
Depending on the maturity of the organisation, the vCISO service may be up and running within a matter of days. The vCISO service can:
complement existing skills and capabilities
provide organisations with access to an experienced security leader
help organisations identify threats relevant to their business
help define and implement a pragmatic information security strategy
support engagement with boards, regulators and third parties
liaise with service providers on matters of security
perform knowledge transfer to your staff
With organisations facing challenges in attracting and retaining skills, attacks that are indiscriminate regardless of the size of the target, and technology overload when trying to select new products or services, a vCISO is a cost-effective and efficient way to gain access to the required capabilities, lifting the fog on security.