The market for virtual security officers is growing. We’ve had virtual chief information security officers for a few years (vCISOs), and we can expect to see virtual data protection officers (vDPOs) in the next few. The demand for both is higher than it has ever been, and it is likely to grow.
This article will examine the rise of virtual security officers, the role of virtual security officers, and navigating the choice of a virtual officer.
The rise of the virtual security officer
It is increasingly important for organizations to have and be seen to have a CISO. The difficulty in keeping data safe from sophisticated cyber criminals and well-resourced and persistent nation state actors is compounded by a likely increase in regulatory demands that organizations have a named CISO or head of cybersecurity.
The latter is already happening. The New York State Department of Financial Services regulation 23 NYCRR Section 500 states, “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, ‘Chief Information Security Officer’ or ‘CISO’).” It then adds that this CISO need not be directly employed, but could, in fact, be a virtual CISO.
GDPR, Article 37, states, “The controller and the processor shall designate a data protection officer…” This requirement for a DPO applies to public bodies (apart from courts) and any organization where data subject processing or monitoring occurs ‘on a large scale’. Paragraph 2 adds, “A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment;” again paving the way for virtual DPOs.
It then becomes a supply-and-demand problem – there simply aren’t enough good experienced CISOs and DPOs to go around. Those that exist are attracted to big prestigious companies that can afford to pay high salaries. A leading CISO told SecurityWeek he had applied for a different position because of ‘the insane amount of money being offered’. He was one of 200 qualified applicants for the position; and the whole process is indicative of the migration of good qualified CISOs from small and medium organizations to large and prestigious organizations.
This leaves smaller firms struggling to find security officers that are required by law and cybersecurity conditions. Virtual officers would appear to be the obvious solution.
“Virtual CISOs are certainly on the rise,” Rick Moy, CMO at Acalvio told SecurityWeek. “Like previous trends where mid-sized organizations lacked financial and legal talent, they turned to retainer-based professionals with specialized expertise. In many ways virtual security officers are similar to virtual CFOs and attorneys.”
The CISO role is not an easy one. Scott King, senior director with Rapid7’s security advisory services, explains, “They must be adoptive of a mindset where they anticipate how, and where, bad things will happen, understand how the technology can be abused by adversaries, while at the same time being able to communicate all of that in terms of risk and potential financial exposure to the C-suite and the Board.”
He adds, they “must be able to demonstrate the typical soft skills any leader needs to have… The hard part though, is learning how to talk to people about security in a way that resonates and doesn’t alienate or create tenacious relationships. In other words, the supply of people with those skills is short, and the need for those people outpaces the supply.”
The two key requisites for a DPO are the ability to act independently of the security team, and to have a deep understanding of data protection regulations. The latter is no easy task. Apart from GDPR and other national laws around the globe, each state in the U.S. has its own separate data protection regulation.
The DPO is defined in Recital 97 of the GDPR as “a person with expert knowledge of data protection law and practices [who] should assist the controller or processor [primarily the CISO] to monitor internal compliance with this Regulation.” It adds that the DPO should be able to act in an independent manner.
The implication is that under GDPR the DPO role must not be undertaken by the CISO, while under other regulations it almost certainly should not be. It is a position that sits between Legal, Security and IT that demands an understanding of each. However, it is hard to see how for any organization other than the very largest, the required DPO needs to be a full-time position.
The role of the virtual security officer
Virtual security officers may be the solution for smaller companies that cannot find a qualified CISO within their price range, or have just lost a CISO and are struggling to re-fill the position; and for companies that are required to have a named DPO but do not wish or cannot afford a full-time specialist.
The vDPO is a new and emerging role. It is a service offered by numerous agencies, but there are as yet few seasoned vDPOs. This is not the case with vCISOs. Candy Alexander, the ISSA international president, has been an accidental vCISO for the last four years. She had been a CISO with a federal contractor and was moving to a new position which fell through at the last minute.
She moved into consulting just as the concept of vCISO began to grow. “Considering many smaller businesses haven’t invested in security at any level,” she told SecurityWeek, “there is a need for a security strategist – someone that understands business and security – but is not necessarily affordable to bring on as an FTE. With the use of a vCISO, a company can pay by hour (retainer based) or by project, and get the expertise of a highly qualified, experienced CISO without the overhead of benefits and total compensation.”
The vCISO, she continued, is “able to work with multiple clients at a time to equal a full-time salary, with the flexibility of work hours and not having to deal with the internal struggles that usually come with the job.”
This last point is echoed by Bill Bonney, another experienced vCISO and co-author of the CISO Desk Reference Guide. “CISOs are burned out and pissed off at the years of torture they received at the hands of their peers and their bosses,” he said. “More and more of them are deciding that they are not going to continue to absorb the stress and risk of moving, commuting, and being the ‘one throat to choke’.”
Bonney’s work falls into three categories. “I work for one firm that uses me purely in a ‘parachute in’ model – I go in, I help out with a single or specific set of projects, and I get out. I also have my own gigs where I help at a strategic level and turn over long-term operations when I have them at the right stage; and still another model where I act as a resource for consultation.” These models allow him to provide vCISO services to multiple clients simultaneously.
Bonney echoes Alexander’s comment that the vCISO is a security strategist, not a tactician. “What makes for a good virtual CISO as opposed to a perm hire is the ability to remain strategic when you are supposed to be strategic. There are so many tactical needs it is easy to fall into the trap of becoming tactical. But, unless the contract calls for operational support, stay strategic. The other critical success factor is breadth and your personal network. What we call the ‘human network’. Consult with your peers. That makes for a better CISO, but it is critical for a vCISO.”
One difference between the role of the virtual officer and the full-time CISO is that there is less need to understand the business side of the organization. “Although important,” comments Stewart Twynham, a security and privacy evangelist, “for a vCISO it is less about understanding the clients’ business and more about the security, compliance and regulatory frameworks in which the client needs to be operating.”
Rapid7’s Scott King tends to agree, but for a slightly different reason. “Most businesses are run in essentially the same manner. Every business leader will think that their business is unique and different; however, that is not the case. There’ll be unique aspects of one company over another, but business is business, and cyber plays a very similar role regardless of industry or market segment. The role just scales or expands into larger companies and/or specific industries (like healthcare, energy, etc.)
But it’s a little different for the vDPO. “A vDPO would be a little different here,” says Twynham, “because the regulatory environment will tend to be a stronger influence in their decision making – so this is where you may well be looking for a background within that particular industry sector – especially in areas such as health, finance or education.”
King thinks it is more important to be able to understand – and accommodate – different corporate cultures. “That is the area where almost every security leader who has failed in their role has struggled,” he told SecurityWeek. “Either the company has adopted a culture where security and risk management are important, or they have not yet gotten there. The successful cyber leader must be able work in both cultures.”
And the virtual officer needs to be able to switch between the two seamlessly, from one client to another.
Navigating the choice of a virtual security officer
Virtual security officers are a good solution in some situations; but are not always the best route for all organizations. If a named CISO and/or DPO is required by law, there are several aspects to consider in deciding between full-time recruitment or a virtual solution.
“Virtual CISOs are a great solution for small and medium businesses that need hands-on expertise and guidance, but would struggle to source, hire and support a traditional CISO,” explains Timur Kovalev, CTO at Untangle. “Smaller organizations already trust channel partners like VARs, MSPs and MSSPs to help them build out their IT solutions. Virtual CISOs are a natural extension to that expertise, bringing together solution architecture and technology services with strategic leadership around policies, compliance and reporting.”
But excessive use of a virtual officer would rapidly reverse the financial equation. “I would never recommend to any customer that they leverage a vCISO on a permanent basis. The cost is prohibitively high and if a company has a need (compliance or other) for a named person in that role, they should just hire for it,” comments King.
The key is in recognizing at what point the use of a virtual officer tips over from being cost-effective to cost-excessive.
The majority of applicants for a full-time CISO role have little or no practical experience of the position. This problem is compounded by the employer often having little or no understanding of what is required – the reason that many companies need a CISO is simply because they haven’t got one.
“Most businesses that need a CISO,” explains Twynham, “don’t actually realize they do. For those businesses that do realize – the difficulty for them is then knowing what they are looking for… which is why some CISO job ads list skills, certifications or frameworks which are just not relevant. Finally – businesses also struggle to understand what a CISO is actually for – which can result in an unproductive engagement.”
However, if a company looks at existing, practicing vCISOs, they will almost certainly – by definition – have the experience of working with and learning from multiple security infrastructures. “The big advantage of operating like this,” adds Twynham, “is that you’re getting the greatest value add out of your vCISO in the minimum time – the 80/20 rule.”
It’s an issue related to ‘cost’. If a company needs a CISO and cannot afford to poach experience from another company, then the virtual route may be the solution. The vCISO could even have a side task to train an existing member of the security team into the role for the long-term.
Immediacy of response
Article 37 of the GDPR allows for vDPOs, “provided that a data protection officer is easily accessible from each establishment.” While access to the vDPO is required, access to the vCISO is self-evidently a necessity. “A vCISO,” says Twynham, “has to be prepared to handle a crisis situation at any time, which obviously cannot be pre-scheduled. Inevitably, if he or she is on the other side of the country, that may necessitate operating remotely which is not always ideal for either party.”
If that crisis involves fire-fighting a malware outbreak with one client, it would be impossible for the same vCISO to tackle active intruders with another. While some of the requirements could be handled remotely, many companies would wish for their primary expert to be available on-site under such circumstances.
The solution to this problem may be to insist on a service level agreement (SLA) with the virtual officer. Most do not work entirely on their own, but may belong to a company offering the service or have at least a working relationship with other virtual officers. Immediacy of response should be the virtual officer’s problem to solve, not the contracting company.
While contracting employers might worry about the level of loyalty a virtual officer might have towards the company, this is probably a non-issue. A virtual officer’s future career will depend upon the quality of testimonials from existing and past clients, and is likely to defend that with as much vigor as any permanent employee.
Where loyalty may be an issue, however, is if the virtual officer is a permanent em
ployee of a third-party company such as an MSP or MSSP. Loyalty to that employer could lead to product pressure.
“Of course an MSSP could fill the role of vCISO,” comments Candy Alexander, “but I would be very careful here. I have seen many of these ‘upselling’ either products or services. I would recommend that if anyone is looking to contract a vCISO, then they ensure that the firm is not a reseller of product, and limit the contract to just vCISO services – with any other consulting services coming from another firm. This would avoid any hidden agendas of getting additional revenue.”
Finding independent virtual officers may become more difficult in future years. More and more consultancies and service providers are likely to add ‘virtual security officers for hire’ over the next few years. “This could be a growth area for traditional MSPs or MSSPs,” says Kovalev, “as well as IT consultants, who want to expand their service portfolio with professional services alongside technology services.”
One position or two?
The final consideration is whether one virtual security officer could be employed as both a vCISO and a vDPO. If the positions were permanent, they would need to be kept separate to conform to GDPR. This specifies that the vDPO must be able to act independently – and the potential for conflict of interest between security and compliance is high where career positions are concerned.
This may not be so with a virtual security officer. “It’s possible that a vCISO could also act as a vDPO,” comments Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. In practice it might be easier for a single virtual officer to find the best route between competing demands than two separate officers with separate priorities. Simberkoff’s primary concern is whether a single officer can have the range of knowledge required for both roles.