Businesses have a corporate responsibility to secure their own information and the information they have been entrusted with. Many companies believe that this is expensive, not their responsibility, etc. They also assume (usually incorrectly) that the IT department is handling cybersecurity. Most companies lack the talent necessary to build a security program that is cost-effective, enables the business for success, and has the necessary depth. When the Cyber Self-Defense team speaks with companies, they tell us they do not know where to begin. Our answer to this issue is always the same: start by hiring the right talent to make you successful. CISO-as-a-Service® might be your answer!
At Cyber Self Defense, we often hear that cybersecurity talent is becoming harder and harder to come by. With the increasing level and complexity of cyber attacks, companies are looking for cybersecurity teams to help them to build their programs, yet job requisitions remain unfilled.
This is what we know:
- Cybersecurity professionals are demanding more money.
- Companies are creating positions that are vague, all-encompassing, and that fail to help them to build a comprehensive cybersecurity program.
- Companies are electing to hire junior professionals who are unqualified to lead the program, with no strategic or leadership experience.
- Companies are compromising on experience, qualifications, and other critical knowledge factors, just to get someone in the role.
- Companies are over-spending on technology because they do not have the strategic outlook and risk-based approach which is so critical to any cybersecurity program.
- Audit pleasing: many companies build their cybersecurity programs to please auditors; they fail to see the need for true security. They also fail to see that a properly built program can be done at about the same cost as a program meant only to “check the box”.
- Companies add technologies that are just sitting in the racks; we have seen situations where systems are installed with less than 10% of the features configured and used. Please see my article on “Blinky Light Syndrome”.
Common fears of hiring a CISO-as-a-Service®
1. Is the CISO-as-a-Service® a group of professional consultants who have no real-world experience?
- The one thing we hear from our customers when they want to hire a CISO-as-a-Service® is that they tend to get “professional consultants”. It is important to hire companies who hire individuals with real leadership-level experience building cybersecurity programs as an employee of the company.
- Professional consultants are great, but unless they have the practical experience of managing a program for an organization, they will struggle finding the correct balance between security and operations. They will also struggle with the political aspects of building a program.
- Any leader can tell you that there is a huge gap between the professional consultant and someone with full-time experience.
- You should interview YOUR CISO and determine if he/she has the requisite knowledge and skills to make you successful. We enjoy having people interview us, as they would an internal employee. We would be glad to provide you with a resume of your CISO to show their qualifications.
2. Is there a conflict of interest when a company comes in as a CISO and then sells us their other products and non-related services?
- It can be a conflict of interest if your CISO-as-a-Service® professional is part of a large firm that sells products and other services; occasionally, they tend to push you to purchase their products, meaning the CISO might not have your best interest at heart. Instead of being fully vested in ensuring a purpose-fit program for the company, he/she might be forced to push products and services.
3. How can a part-time company build a program faster and cheaper than our internal employee?
- A CISO-as-a-Service® professional hits the ground running with the tools, tricks of the trade, and other pieces of information that can make a huge difference in the overall successful delivery.
- We have discovered that being a third party, your professional opinions are more likely to be considered. Many times, an internal person must deal with too many internal politics.
- With a professional company, you do get the collective knowledge of the team. This benefit is critical to your success.
4. I am the acting CISO or want that job; I am the CIO and do not want to look bad; or I have other fears that this company will displace me, my team, or others and/or damage my reputation.
- As a consultant with experience performing in this capacity, it is our job to make you successful, based on your definition of success. Your CISO should ensure that your company is highly successful in all aspects of the process.
- It is also our responsibility, as it would be in a full-time CISO, to ensure that we mentor staff and prepare them to take over for us.
- We should be a core part of the TEAM that is designed to enable the company to succeed.
5. Is a CISO-as-a-Service® just going to come in, drop templates on my desk and have me implement them?
- No, unless they don’t want to succeed! This person should be YOUR CISO and perform in the SAME capacity, just on a part-time basis.
- Any templates or other tools that are brought in should be used as a starting point, above ground level, to allow a faster (controlled) implementation. No template is one size fits all; it must be molded to your company. It must have an implementation strategy. It must be your company’s established program, implemented through a formal process that follows your company’s normal flows.
A responsible company knows that to run their company correctly, they must have the correct leadership! Most companies would never ask a corporate attorney to lead the IT department. At the same time, most companies would never place a paralegal into the corporate counsel position.
We believe that the same is true for companies who make the Chief Information Officer (CIO) in direct charge of cybersecurity. Most Chief Information Officers (CIOs) will tell you that they are not comfortable managing cyber security and IT at the same time; these can be conflicting. We’ve also found that companies who place a Security Analyst into the position of strategically building a cybersecurity program will fail to recognize a comprehensive, risk-based, and cost-effective solution that truly enables the business to succeed. Hire the right person for the job and you will reap the rewards of your decision.
We look forward to your feedback on our website: www.cyberselfdefense.org
Cyber Self-Defense was built as a result of a growing demand in the marketplace seeking out knowledge, expertise, and leadership in cybersecurity and risk management. Our clients wanted us to bring in our templates, processes, experiences, and our collective knowledge and put it to work for them. They wanted people who had built programs organically, from the ground up. They wanted people who were known for enabling the business through cybersecurity efforts, not people who shut the business down with high costs and inappropriate rules. This is how we grew into a full-time business which has positively and directly contributed to the success of our clients.
Cyber Self-Defense has years of experience in reducing your cybersecurity risk and we would love to work with you on all your cyber risk needs. We make cybersecurity attainable for all organizations, without inhibiting your ability to work and make a profit. Cyber Self-Defense can be reached at: (866) CYBER-96 or on our website: www.cyberselfdefense.org