June 15, 2022
How a Virtual CISO Can Help You Address Your Cybersecurity Needs
Even mature organizations can benefit from a security professional who can augment internal staffing and expertise.
Many IT professionals assume that a virtual CISO can be helpful only for small or midsize businesses or less mature organizations. In fact, after conducting a security assessment, organizations of many sizes and maturity levels determine that they can benefit from bringing in a virtual CISO. These experienced cybersecurity professionals can fill in vacancies, offer executive sponsorship to short-term initiatives and provide targeted expertise that may be lacking internally.
Virtual CISO arrangements are also flexible. These experts may work remotely or onsite, and they may be brought on for a full-time engagement or only for a set number of hours per week. Their focus may be project-based, or they may have a broad purview. A virtual CISO engagement is intended to provide a needed skill set to an organization, and it’s up to organizational leaders to structure the engagement to meet their needs.
Security professionals are hard to find — CISOs especially — but a service such as CDW’s virtual CISO can help organizations address this challenge. It may take six to 12 months to hire an appropriate candidate. During that period, while looking for the right long-term professional, organizations can hire a virtual CISO rather than let a program languish without leadership or strategy.
Some organizations use our service to bring in a temporary CISO with the possibility of hiring the person permanently. We help them identify candidates they can bring on board on a trial basis.
Even when organizations already have a global CISO, they may want to bring on a professional who can provide that level of leadership for a specific department or program. A virtual CISO can step into that deputy role to drive those initiatives.
Here are three more ways to think about virtual CISOs and the value they can provide.
CISOs Speak the Language of Technology and Business
Effective CISOs are both technical experts and business leaders. They set direction, assess programs, identify risks and translate “security speak” into the language of business. This last step is essential for obtaining buy-in and communicating effectively with board members and other leaders.
The core of a virtual CISO’s skill set is the ability to connect technology and business objectives, particularly with regard to return on investment, budgeting and investment strategies. A virtual CISO can help an organization figure out how to leverage security to accomplish its goals.
CISOs Help Organizations Obtain and Align with Cybersecurity Insurance
CDW works with organizations of all sizes in all industries, and it’s clear that many are wildly underprepared for cybersecurity risks, especially ransomware. Many organizations do not have comprehensive plans for incident response, disaster recovery and business continuity; if they do have such plans, they are often untested. CISOs can address these weaknesses by assessing risks, security controls and gaps.
Similarly, CISOs are valuable partners as organizations pursue cybersecurity insurance. Ransomware has made it harder to buy insurance, and underwriting requirements have become onerous. Simply answering an insurer’s questionnaire is beyond the ability of many security practitioners, who often need help.
Once an organization has secured insurance, it still must align that insurance with its response plan — another area where many IT teams struggle. Virtual CISOs can help organizations cover the bases needed to qualify for payment if they ever have an insurance claim.
CISOs Bring a Security Perspective to Business Modernization
Digital products and services are part of every organization’s business today. When organizations move quickly to modernize, they often try to bolt on security after the fact. Embedding security concepts into new processes and applications is not usually on their radar. A CISO can help an organization build in security early. The organization can still get its new product or service to market quickly, but in a secure manner that protects business objectives.
Story by Walt Powell, an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He is the executive security strategist at CDW and prior to that served as a senior security adviser at Optiv and a virtual CISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Powell holds dozens of professional certifications including CISSP, CISM, Carnegie Mellon – Heinz CISO, and the Stanford Advanced Cybersecurity Certificate, along with countless technical and presales certifications from top security vendors. Powell is also an accomplished musician and father who loves to spend time with his kids.