I’ve been providing CISO (and CTO, and DPO) services for a few years. It makes sense for start-ups and organisations undergoing significant change, or where an interim is needed before a permanent hire can be made, but I disagree with the article in that I recommend a permanent hire for complex and/or highly regulated businesses…:
Regardless of company size or industry, nearly every organization benefits from having a CISO who can establish comprehensive, risk-based security strategies and processes that protect critical data and systems while keeping business moving forward.
However, adding a CISO may be cost-prohibitive for many companies. It can also be difficult to attract and retain individuals with the level of security and business expertise necessary to fill the role. Instead, many organizations lean on managers to incorporate security into existing IT processes, which often results in fragmented policies and challenges with support and adoption that leave systems vulnerable.
As an alternative, virtual CISOs are becoming a viable option for many companies that do not have a full-time CISO on staff. Virtual CISOs are security experts for flexible hire, ready to assess and manage the many challenges posed by the need to balance security and business continuity.
Because more IT and business leaders recognize the need to create senior security leadership roles, like a CISO, yet are prevented from doing so by one of the many barriers to hiring for that role, the virtual CISO approach has gained traction. This solution often delivers both economic and strategic advantages to businesses, so it is important to understand the benefits and considerations of a virtual CISO.