Can businesses afford to not have a CISO? It's a complex question. On one hand, managing security risk is a core function of modern-day business; on the other, there's the hefty $221,991 average CISO salary. The cost doesn't stop there: companies often pay a 20% placement fee to a recruiter for a seasoned professional, and that fee is wasted when the CISO leaves after a year for a better opportunity. In this game of risk or reward, the large financial commitment often tips organizations toward accepting the risk. With no guarantee that the hire will be a stable resource, the decision not to hire a CISO means that the CIO is saddled with yet another responsibility.
Relying on the CIO to assess security risk and keep data safe from sophisticated cyber criminals isn't only unfair from a time perspective but, more importantly, from an expertise perspective. Defending today's complex networks is a daunting task. As the traditional network perimeter dissolves, regulatory demands increase, and attacks become more persistent, cybersecurity can't be treated as another to-do on an already long list.
Cybersecurity is no longer purely a technology issue, and limiting the scope to defending against attacks is not a sufficient goal. Given that operational success relies on complying with cybersecurity regulations and satisfying customer demand for secure environments, organizations that lack formal cybersecurity leadership and strategy incur risks that span from reduced productivity to reputational damage.
So the answer to the opening question, can businesses afford to not have a CISO, is an overwhelming no.
Operating in the Era of Risk
According to the CyberEdge 2019 Cyberthreat Defense Report, after a one-year reprieve, successful cyber attacks are again on the rise. The effects of the influx are real, with 78% of respondents reporting that they fell victim to at least one attack. Even for companies that are willing to address risk and adopt defense measures, the cybersecurity talent pool is falling increasingly short of protection needs. That's why we are witnessing an influx of virtual CISOs (vCISOs) and Fractional CISOs to bridge the gap.
What is a vCISO/Fractional CISO?
In our jargon-filled world, definitions aren't always clear. So what are vCISOs and Fractional CISOs? The terms can be used interchangeably to describe people and services that deliver the benefits a full-time CISO would deliver, but in an outsourced model at 30%-40% of the cost. These "CISOs on demand" usually require no ramp-up time and are able to hit the ground running to cover a myriad of tasks, from tactical to strategic.
This model can be appealing to organizations seeking quick security wins, but on its own it doesn't address aligning security with the long-term goals of the business.
The Cybersecurity Leadership Practice Difference
The NeuEon approach to cybersecurity builds on the vCISO/Fractional CISO models to address current threats and adhere to compliance standards, but views security through the lens of the business.
NeuEon strongly believes that information security is a matter of converging business process, risk, and the use of technology. Our Cybersecurity Leadership Practice works to solve that equation by:
- Factoring risk into executive decision making
- Working cohesively to implement changes that are tied to business goals
- Transferring knowledge for immediate impact
- Bridging People, Process, and Technology with a cybersecurity strategy that touches all aspects of an organization
Rather than simply prescribing security measures, we move organizations away from the break-fix mentality toward more strategic business-security outcomes. By guiding organizations to redirect their cybersecurity efforts, the end result is proactive security that is used to propel positive business outcomes in an increasingly risky era.
Organizations that remain reactive aren’t just risking data loss, but operational shutdowns, unanticipated costs, loss of trade secrets, and reputational damage. If your organization is ready to become proactive and put reward in front of risk, download our service brief on NeuEon’s Cyber Risk Leadership Practice to learn how we can help.