Data has become more valuable than ever and organizations must make protecting it a top priority. According to IBM and the Ponemon Institute, the average data breach now costs American companies $8.19 million. On top of that, the recently-released Verizon Data Breach Investigations Report found that 86 percent of all breaches were financially-motivated.
As attacks become more sophisticated and complex, data breaches can more quickly undermine a company’s growth and erode customer trust. This growing concern places an incalculable value on the role chief information security officers (CISOs) play, as they possess both technical expertise and business acumen to implement security strategies that enable business.
However, despite the growing need for the guidance a CISO can provide, 38 percent of 2019 Fortune 500 companies operated without one, and of those companies, just 16 percent listed any executive at all as responsible for cybersecurity strategy. In the absence of a CISO, critical responsibilities are often transferred to IT managers, which can result in fragmented policies and lax practices that leave systems vulnerable.
Today, many organizations have turned to virtual CISOs (vCISOs) – on-call security and business experts who can quickly assess and manage a company’s many challenges. Additionally, vCISOs can serve as an interim CISO as organizations look to fill the position permanently, bring in fresh perspectives for projects and strengthen overall security and business strategies as an ongoing consultant.
While motivations for considering a vCISO vary, organizations can use their services to address any or all of the following challenges:
- Manage massive amounts of sensitive data. IBM and the Ponemon Institute found that an average of nearly 26,000 documents are compromised with each data breach. A vCISO can quickly determine where critical data and assets reside and what level of protection is necessary.
- Sort out organizational complexity. There are any number of intersecting factors to consider when determining risk, like the distribution of architecture, the lifecycle of applications, and the data and technology stack. A vCISO can sort out these complexities and identify current and future risk factors.
- Assess risk. A vCISO can coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and deliver a better picture of risk exposure that can inform future decisions.
- Identify the attack surface. Organizations face internal and external threats that are both known and unknown. A vCISO can identify security blind spots, determine the probability of compromise and quantify the potential impact.
- Implement compliance. Because vCISOs are well-versed in regulatory standards, they can implement processes to remain compliant today and offer strategies that allow the organization to prepare for potential regulation changes.
When considering a company’s data assets, companies can’t view security as a set of checked boxes. Rather, security has become a critical element of business success. Moving forward, we expect to see vCISOs play a more prominent role in organizations across all industries. Their technical expertise can help establish a strong and consistent security strategy, and their business insight will help companies meets their goals by integrating security measures into every aspect of the business.
Ken Jenkins, principal and founder, EmberSec