In today's business landscape, shaped by the COVID-19 pandemic, there is a great deal of uncertainty to wade through. One source of it is the decision to hire a full-time, direct-hire CISO. A great many expenses come with that decision, above all the salary.
For example, depending on the candidate's level of expertise and the size of the company, CISO salaries range from roughly $185,000 to upwards of $400,000 per year. Keep in mind that this does not include an elaborate benefits package, stock options, bonuses, and so on.
Also, the average tenure of a CISO is just under two years. Burnout rates are very high, and the stress placed on them easily distracts them from the tasks they are supposed to accomplish.
Another key point to keep in mind is that any single CISO has a limited range of expertise. They may be highly skilled in one particular area, but those skills will not necessarily transfer to the other areas of cybersecurity that businesses need covered today.
So what is the solution to these problems? The answer lies in hiring what is known as a Fractional Information Security Officer, or "FISO" for short.
What The FISO Can Do For You
Many Managed Security Service Providers (MSSPs) offer FISO services today. You can hire a FISO for as long as you need them, at a fraction of the cost (hence the name) of a full-time CISO. For example, you can engage them for just a few hours a week, or more as needed, depending on your specific requirements.
One of the key benefits of a FISO is that, since they are typically hired on a contractual basis, you can end the engagement or bring them back on as needed. In other words, the arrangement scales up and down in a way that a direct-hire CISO cannot.
So what can they do for you? Here is just a sampling:
Initiating an Assessment Program: Determining how much risk your company can tolerate can be a complex process. With the breadth of experience that the FISO brings to the table, they can, within a matter of days, produce a risk assessment that identifies the hidden vulnerabilities in your policies and practices as well as in your IT and network infrastructure. They will also inventory each of your digital assets and rank each one on a defined scale according to how exposed it is to a security breach. With this in mind, you can then carve out a much more efficient and effective cybersecurity strategy for your company. The FISO you hire will also be able to vet third-party vendors to ensure they comply with your established security requirements.
The Development of Key Plans: Given the magnitude of what the world is facing today, the C-suite across many businesses is starting to realize the importance of developing and executing mission-critical programs that keep the organization operating even through a second wave of COVID-19, should one occur. Once again, the FISO will have the experience to help you initiate and draft the following plans:
Incident Response (IR) Planning: This plan spells out the steps your business must take to respond to a threat once it has been detected. It covers not only how to react to the incident but also how to contain and mitigate it. It should also include an analysis of your cyber insurance coverage and the protocols for reaching out to the insurer, legal counsel, and public relations.
Disaster Recovery (DR) Planning: Once you have contained the impact of an incident, the next step is to resume critical business operations as quickly as possible. With the risk assessment the FISO has already completed, you will know immediately which processes must be restored first, and which lower-priority ones can follow.
Business Continuity (BC) Planning: After operations have been brought back to some degree of normalcy, the next step is to make sure the organization can keep its critical functions running through any future disruption. This is done by further reducing the risk of future cyberattacks using the lessons learned. The FISO you have hired can create this plan as well, drawing on the deep experience of their other contacts, a breadth of outside input that a single direct-hire CISO typically does not have at hand.
Maintaining Prioritized Cyber Governance and Oversight: Given that the remote workforce is now a reality for some time to come, the meshing of home and corporate networks is becoming a real problem. A key risk in this area is the exposure of confidential information and data. As a result, you are being watched closely under regulations such as the CCPA, GDPR, and even HIPAA. If you do not comply, you will likely face an audit, and possibly very harsh penalties. A good FISO will have the skill set to develop a program covering compliance with industry standards, federal and state statutes, and best practices, and to establish a set of controls to make sure you stay compliant for a long time to come. In stark contrast, a typical CISO would have to hire outside consultants to accomplish this task, which would cost your company even more money. With a FISO, any other resources that are needed are part of the fixed package.
Implementing Security Awareness Programs: Security training is very much a hot-button topic today, especially with work from home. Unfortunately, many IT security teams are too overburdened to provide this kind of instruction to employees. Because of this, the task is often left to the Human Resources (HR) department, which more than likely does not have the expertise to deliver an in-depth training program. The FISO fits this role well and can provide the in-depth, quality instruction that is so badly needed today.
Apart from what has been reviewed, the FISO can also do the following:
Procure the right kind of Cybersecurity Insurance Policy that will be the most optimal for your company
Help you prepare your IT budget so that you can secure the funding you need
Take part in forensic examinations to collect hard-to-find evidence.