Cyber attacks ranked second among geopolitical concerns in The Conference Board’s 2024 CEO Survey. Yet according to the most recent study on the subject, a 2021 Navisite survey, only 45% of U.S. companies have a chief information security officer.
Those numbers mean that most companies do not have a CISO. Let’s take a look at why so many companies go without one, how they manage cybersecurity without a CISO, and when a CISO becomes absolutely necessary.
Reasons why companies do not have a CISO
Size matters when hiring a CISO. Smaller companies may not need or realistically be able to attract a CISO.
“Let’s say you’re a 200-person company with one uncomplicated line of business,” says Rob Black, CEO of Fractional CISO, which provides virtual and part-time CISO services to businesses. “Do we really need a CISO? What does a CISO do all day? It probably doesn’t make sense. It’s the same with CISOs. Who wants to work for a widget manufacturer with 200 employees? CISOs want interesting work.”
In other words, even companies with a significant workforce sometimes go without a CISO. “Even companies with 1,000 people often don’t have a CISO, and even larger companies do not have a CISO,” Black said.
For some companies, the cost of hiring and retaining a CISO is a major obstacle. Even promoting someone from within to a newly created CISO position is expensive. Today, total compensation for a full-time CISO in the U.S. averages $565,000 per year, and that figure does not include the other costs involved in filling the position.
“Bigger companies will need to hire a (CISO) team,” said Sisla Vaishnavi, UK head of executive search firm Riviera Partners. “Architects, a SOC, and engineers are also needed. Then resource costs increase,” he said.
Navisite research shows that companies face another barrier to hiring CISOs: a seemingly endless talent gap. According to the study, the (cybersecurity) skills shortage… has reached an all-time high. Companies value and want cybersecurity leadership, but finding and retaining talent is becoming increasingly difficult. In short, the global shortage of cybersecurity talent is one reason why companies do not take on the costly ordeal of finding a CISO.
Cybersecurity options for companies without a CISO
Who manages cybersecurity in companies without a CISO? Navisite’s survey found that 60% of companies rely on other departments, such as IT, management or compliance, to manage cybersecurity.
In most cases, it will probably be the CIO. According to a 2023 report from Cybersecurity Ventures, the position most likely to manage cybersecurity in companies without a CISO is the CIO. The study estimates that about 90% of companies with a full-time CIO do not employ a full-time CISO.
Cameron Smith, head of cybersecurity and data privacy advisory at strategic advisory firm Info-Tech Research Group, said that for some CIOs, juggling cybersecurity on top of their primary responsibilities is a tricky balancing act.
“CIOs have many non-security-related goals or objectives, and sometimes those goals conflict with each other,” Smith said. “Security can often conflict with certain productivity goals. However, both of these (roles) must aim for the success of the company,” he explained.
Although delegating cybersecurity to someone else in the company (CIO, CTO, IT director, compliance manager) is faster and cheaper than hiring a CISO, Vaishnavi warns that this ad hoc approach has potential downsides:
- A CIO or CTO may not have the cybersecurity certifications and expertise that a CISO can bring.
- CIOs and CTOs who add cybersecurity to their already overburdened workload risk “taking on too much.”
- Cybersecurity may not have a separate, influential seat at the board table.
The Risks of Not Having a CISO at the Board Table
Lacking a direct line to the board of directors when a breach or hack occurs can turn an incident into a major disaster.
“When you make decisions to protect your business, it’s better to go to someone who can actually approve or disapprove, rather than going through multiple layers of command,” Vaishnavi said. “Decision-making time is also greatly shortened (with a CISO),” he said.
A virtual CISO (also known as a partial CISO or CISO-as-a-service) is an option for companies looking to strengthen their cybersecurity without a full-time CISO. Black said this approach could be appropriate for companies looking to offload an overburdened CIO or CTO, and for companies that don’t have the size, budget or complexity to have a full-time CISO. Most virtual or partial CISOs are:
- Experienced former CISOs.
- Remote or hybrid workers.
- Working part-time for several clients at the same time.
- Engaged on temporary or renewable contracts.
Some define a ‘virtual CISO’ as someone who works only remotely and a ‘partial CISO’ as someone who works only onsite, but at Fractional CISO the two terms are used interchangeably. Here is how Fractional CISO’s model supports companies that don’t have a full-time chief information security officer:
- Each customer company is assigned one virtual CISO and one cybersecurity analyst.
- The partial CISO performs the board-facing work (creating cybersecurity roadmaps and communicating with senior management).
- The analyst performs risk assessments and gap assessments, conducts vendor reviews, and edits security policies.
Because each client company shares a part-time CISO and analyst rather than employing them full-time, the cost is much lower than that of a full-time CISO. “We have a very wide range of clients, but the average annual spend is just over $100,000,” Black said.
Still weighing your options? Here are the signs that you actually need a full-time CISO.
9 signs you need a CISO
Highly regulated industry
“Whether it’s financial services, health care, legal, these businesses will always need a CISO,” Vaishnavi said.
Black describes a broader set of situations in which a CISO is needed: “If you’re working with the federal government or if you’re a public corporation, these situations all make sense.”
As the legal framework for management and corporate liability over cyber incidents tightens, even companies in unregulated sectors are considering hiring CISOs.
Vaishnavi said, “With the introduction of GDPR in the EU and UK, the overall security response has changed. These changes have a very direct impact on hiring trends.”
IPO plan
VC firm Andreessen Horowitz recommends on its website that “all companies preparing to go public designate a CISO who can implement sound IT controls, risk assessments, compliance testing, audit trails, and reporting in compliance with the Sarbanes-Oxley Act.”
When a cyber incident occurs
“As part of root cause analysis, you can figure out, ‘Why did this happen?’” Smith said. “Then you’ll know it’s time to focus on your security role.”
“You can turn someone into a true believer,” Black said. “When there’s a terrible breach or accident, you say, ‘It just cost us $10 million. If we spent just a fraction of that cost on the CISO every year, we would have gotten much better results,’” he said.
Security breaches in the same industry
Black said, “Future-oriented companies look at cases where problems have occurred in the same industry and use them as a starting point.”
When you want to understand the expanding threat landscape
Black asked, “Why is it important for companies today to have a CISO? Because the bad guys are making billions of dollars through scams and attacks. It would be unwise not to mitigate these risks.”
Growth of the company
“As you get bigger, the number of employees, number of users, amount of data you have, and revenue volume all play a big role in deciding whether to hire a CISO,” said Joe Head, founder of The Blueprint, a British cybersecurity executive coaching firm.
When the board wants
Black has seen cases where boards of small businesses insist, “We need to hire a CISO right now.”
What your customers and prospects want
Without a CISO, you may be at a disadvantage when operating in a regulated space or when dealing with existing or potential customers who expect strict security frameworks from their partners or suppliers, or who may require a CISO for certain high-level projects.
“If you’re selling an IT product or service and your customer, a large enterprise, says, ‘Your security program isn’t good enough to comply with this or do this,’” Black says, “if that customer is very concerned about security and our cybersecurity program is not strong, it is clear that this is not the case,” he emphasized.
Security program desired by venture capital or private equity funds
“If you’re doing a funding round and you’re in an environment that deals with a lot of data or personal information, that’s usually when a CISO comes on board,” Vaishnavi said. “Usually the Series A round or higher is the time,” he said.
‘CISO’ is more than a title
Head has seen several companies hire CISOs at the suggestion of venture capitalists or PE funds. But a CISO needs to be seen as more than a technology manager hired to help raise money.
“When a business is willing to invest in security and take cybersecurity seriously, they should hire a CISO,” Head said. “Think of it as hiring another business leader. When you hire a CISO, you need to hire someone who is worthy of that position. If you don’t give it responsibility and complexity, you’re not ready for a CISO yet.”
Source: www.itworld.co.kr