Cybersecurity Is Not A Luxury, It's A Necessity
Perhaps you remember a day when computers were an oddity in the business place. I can remember the days when I could take my car to a local auto mechanic and not see a single piece of information technology (IT) gear anywhere. I can also remember store clerks using a manual credit card impression machine (or imprinter) to charge my purchases back in the 1980’s. Those days are gone.
Nowadays, you can hardly buy a cup of coffee without interacting with a vast array of information systems. Everything from the payment system to the back-end inventory control system requires and produces data, metadata, and potentially sensitive information. As a result, businesses of every size have come to recognize the need for IT support. Whether they hire an in-house IT staff or outsource their IT to managed services providers (MSPs), even small businesses rely on “IT professionals” to keep their technology platforms running.
However, in working with many small and medium-sized businesses (SMBs), there seems to be a perception that standing up a cybersecurity program is a luxury that only "larger" organizations can afford or need. Many (if not all) SMB clients I meet are looking for a product that will handle all their cybersecurity needs. There is no single product that can do it.
As I write this short article, I can already hear the objections... “We’re too small to worry about cybersecurity,” “We don’t store any sensitive information about our business or clients,” or “We don’t deal in large financial transactions that would attract hackers.” My experience has shown me these are not good reasons to delay starting a cybersecurity program. The large majority of security incidents I’ve worked on dealt with smaller organizations that thought they had little to worry about from hackers. These security incidents cost them more time and money than they ever imagined.
So, let me ask you:
· Does your organization make financial transactions (pay staff, pay bills, or receive fees)?
· Do your clients or employees value their privacy and sensitive information?
· Do you rely on your information systems working and being available to you to perform your business functions / organizational mission?
If you answered yes to any (or all) of these questions, you need a cybersecurity program to protect your IT systems and data. The only question is, who is going to build and run that cybersecurity program?
In much the same way organizations need to decide whether to hire an internal IT staff or outsource the IT support function, SMBs are finding they need to either hire an internal cybersecurity staff or outsource the function. Hiring an internal staff is cost prohibitive for most SMBs and finding an experienced cybersecurity leader may be even harder than coming up with the budget for such a hire.
What's the answer? The shortage of qualified cybersecurity experts and the cost of hiring them has given rise to the Virtual Chief Information Security Officer (vCISO) service offering. vCISOs give small and medium-sized organizations access to cybersecurity experts on a part-time or fractional basis. The range of services vCISOs can provide is nearly limitless, but typically includes:
· Commissioning or performing an initial baseline cybersecurity risk assessment
· Evaluating, selecting, and deploying additional security protections
· Overseeing vulnerability assessment, vulnerability management, and penetration testing
· Creating a cybersecurity roadmap and tracking progress toward completion
· Running governance, risk management, and compliance
· Reporting to the organization’s leadership and Board of Directors on the state of the cybersecurity program
According to CSO Magazine, vCISOs typically cost 60 to 70% less than hiring a full-time CISO (1), which makes them very attractive for SMBs or even larger organizations that haven't fully formulated their cybersecurity strategy (or may not want to commit to hiring a full-time employee to handle cybersecurity yet).
An added advantage to the vCISO approach is that most vCISOs operate in a remote delivery mode, which allows organizations to retain highly-talented individuals outside their geographic area. This is especially timely as many organizations are increasingly learning how to operate with work-from-home employees.
On a final note, one might ask, “Does the vCISO model scale?” After careful consideration, I have to say “no.” There are a limited number of qualified vCISOs and they can only be divided up between a limited number of clients. As more and more organizations suffer security incidents and realize they need an experienced cybersecurity expert, demand will likely outstrip supply. Proactive organizations that are serious about handling their cybersecurity issues should move quickly to retain access to top-quality vCISOs before they're fully booked.
Footnotes:
(1) https://www.csoonline.com/article/3259926/what-is-a-virtual-ciso-when-and-how-to-hire-one.html?upd=1603311897701