Do You Really Need a CISO?
Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer.

A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership.

It’s a changing role in a changing world. But do you really need one?

How Prevalent is the CISO Title in 2023?

Many companies actually choose not to have a full-time, in-house CISO. A Navisite survey found that a whopping 45% of companies do not employ a CISO.

While the job has to be done, it doesn’t necessarily have to be done by a CISO. Some companies assign parts of that role to a chief information officer (CIO) or chief security officer (CSO). Some believe that a CIO or CSO title carries more weight with a board.

It helps when your head of cybersecurity sits on the board, so the board sees them as an influential equal. Yet only 12% of CISOs have seats on their company’s boards of directors.

And it matters whom the CISO reports to — the CEO, CIO or CFO. The org chart can help or hinder the project of making sure divisions work in harmony toward the goal of maximizing cybersecurity.

With or Without a CISO, Who Can Your Company Go to for Security Advice?

Every organization benefits from outside experience, whether they have a CISO or not. One way CISOs achieve this is by getting together and sharing war stories, solutions, best practices and threats.

And, of course, keeping up with reading, training and educational sessions at conferences, both virtual and in-person, is important for every company’s security personnel.

But there are two powerful ways to infuse staff with the cybersecurity expertise you need. The first is to turn to top-level companies in the industry for guidance, workshops, advice and consulting.

The second is to hire outside expertise in the form of a virtual CISO, or vCISO.

What is a Virtual CISO?

Some organizations choose a virtual CISO: someone who performs the role of a CISO, but who does not actually work directly for the organization.

There are many advantages to hiring a vCISO. It’s a way to bring in a more experienced person faster and at a lower cost. Some organizations use a vCISO for security hiring, including the hiring of a permanent CISO. Smaller organizations might use a vCISO to design and build an initial security and compliance program, then operate without a vCISO or CISO later on. Additionally, the transition to zero trust is a major one, and it could make sense to bring in a vCISO to help design and execute that transition.

Another place where vCISOs come in handy is managing the security and compliance dimension of a merger or acquisition. And vCISOs give you flexibility, plus the expert advice you need to make a host of decisions for your company around compliance, third-party access to your networks, cloud architectures, IoT, risk management, security governance and more.

Whether your company employs a CISO, assigns those responsibilities to other C-level leaders or hires a vCISO, the goal should be strong cybersecurity leadership aligned both with leadership in general and also the goal of minimizing the costs and risks of cyberattacks.

The post Do You Really Need a CISO? appeared first on Security Intelligence.