A growing trend in the world of Cyber Security is companies outsourcing some or all of their Information Security teams.
This can be just a small part, like vulnerability management, vendor risk management, or responding to customer questionnaires. It could be just the leadership function--a virtual CISO or vCISO--or it could be the entirety of the Information Security team.
As you evaluate the pros and cons of in-house vs. outsourced, consider the following.
Hiring a CISO can be expensive. I mean really expensive. Finding a leader for your InfoSec function who knows what he or she is actually doing will easily set you back over 240k, and that figure will be much larger in high-demand areas such as the San Francisco Bay Area.
When you outsource InfoSec, you only pay for as much CISO as you need, and that may not be a full FTE. The rest of the Information Security activity can be performed by security analysts and engineers at a much more cost-effective price point.
Why pay for an expensive resource to answer the same questions in a customer security questionnaire over and over again?
Even if you do bite the bullet and shell out for a full-time CISO, are you really getting an industry veteran who has "been there, done that (and got the tee shirt)"?
The candidates for a CISO hire are often pulled from the ranks of the Security Analysts at larger companies. This trend is more common with start-ups that do not have the same brand-name cachet as large or public companies do.
Though they would often make fine team members, you are taking on a risk when you entrust a rising star with his or her first leadership role flying solo.
It is better to rely on a team of industry veterans to define, implement, and monitor your Security Program. The Truvantis vCISO program makes that choice affordable.
3. Customer Perception
A significant part of a CISO's role is articulating details of the security program to current or prospective customers in a way that reassures them. Sometimes this means joining sales calls to articulate why the organization is worthy of the customer's trust. Sometimes it can just mean explaining "what happened" or "what they heard" in a way that calms frayed nerves.
Just as the dulcet tones of an airline pilot's pre-flight announcement to passengers—channeling thousands of hours of flight experience—instill a sense of calm and trust, an experienced CISO can communicate authority, experience, and competence in meetings through just their choice of vocabulary and their confidence in the security posture of the organization.
We have encountered a number of smaller companies that cannot seem to keep hold of a CISO. There is an initial burst of activity as they set up the InfoSec program, define the controls, make some process changes, and perhaps attain a SOC2 certification. Then, life becomes a never-ending parade of customer questionnaires to fill out, and they start to get bored. Then, a larger organization with more complex demands, a higher budget, and a larger team starts to look appealing.
By outsourcing to a vCISO, you get all the attention you need from a career CISO when you need it, while the more day-to-day work is handled by journeymen who are happy to be part of a well-functioning team where they can learn.
5. Maturity & Methodology
When you bring on a CISO full time, you will need to agree on strategic goals, monitor progress, and supervise the development and implementation of a security program that is the right size for your business and is based on an industry framework such as the CIS Controls.
An experienced CISO should be able to handle this. If they have built InfoSec functions a few times before, they probably have an idea of how they want to approach the task.
A vCISO team, however, does this as their basic way of functioning. They should bring a tried and tested methodology for analyzing operations, classifying data, assessing risks, and developing a lean and manageable control set that can be turned into routine procedures and standards that will appropriately manage risk. They should also be able to present a baseline of reporting that allows executive oversight of the function by identifying status and maturity development.
An in-house CISO may be building this from scratch.
6. Adaptive sizing
How big should your InfoSec team be? Larger than a breadbox? Smaller than a two-car garage? It can be difficult to justify any proposed headcount. Many smaller entities start by hiring a CISO and then expect that hire to perform all the functions at every level until the size of the company will support a larger team.
With a vCISO team, you can ramp the delivery team size up and down on demand. More customer security questionnaires this month? Pull in some extra resources. Need to build out operations to support a new certification (SOC2, PCI DSS, HIPAA)? Just ask for some burst bandwidth.
It is much easier to vary the level of effort than to hire and fire staff.
7. Staff Turnover Resilience
It is a fact of work life that employees come and go. There will always be the unexpected resignation that was not on the business plan and causes an impact. Losing a CISO is one such concern. Not only do you have the usual headache of finding a replacement and hoping that operations are well documented and portable, you may also find yourself worrying about your next audit. Will you be able to maintain the SOC2 certification that is so essential to supporting sales with a change of CISO mid-term?
vCISO teams are adept at capturing this process in a methodical way that will support a headcount change. They need to be able to assure you that the commitment to maintaining your InfoSec controls is between you and the vCISO company—not with any individual person. They must have sufficient maturity in their delivery model to make sure that this remains true.
Not only is outsourcing your Information Security function possible, it is recommended.
Leave Cyber Security to companies that are great at it, so you can focus on what you are great at.