Publications
Stout Article
COMPANIES ARE UNDER ATTACK. News headlines warn about hijacked email,
ransomware, and hacked databases,1
while regulators, laws and professional
standards make it increasingly clear that businesses must protect their critical
information and operations, with executives responsible for any breaches. The
risks are real. Unfortunately, many organizations lack the expertise to implement
an effective security program. In particular, many board members and senior
executives lack familiarity with the key issues to supervise a security strategy. This
paper presents several elements of information and cyber security, including how
Chief Information Security Offi cers (CISOs) and virtual CISOs can provide advisory
expertise to companies.
Regulations, Guidelines, and Risks
Business requirements for information and
cybersecurity are changing rapidly. Regulations;
international, U.S., and state laws; and accepted best
practice security standards all demand attention. As
examples of these new requirements, in 2017 both
the Securities and Exchange Commission (SEC) and
the National Association of Corporate Directors
(NACD) issued enhanced guidelines for information
and cybersecurity.
SECURITIES AND EXCHANGE COMMISSION
SEC rules and guidelines drive management controls
for public companies and the securities industry. In
September 2017, SEC Chairman Jay Clayton stated,
“The scope and severity of risks that cyber threats
present have increased dramatically, and constant
vigilance is required to protect against intrusions.”2
The SEC specifi es that cybersecurity efforts cover
assessment, prevention, mitigation, resilience, and
recovery, and that in cases of a breach, companies
may be required to disclose an attack, including its
costs and other business impacts.3
NATIONAL ASSOCIATION OF CORPORATE DIRECTORS
The NACD sets standards for board behavior and
responsibilities, and their 2017 Handbook on Cyber-
Risk Oversight4
emphasizes the direct responsibilities
of board members to review, approve, and monitor
their company’s cybersecurity strategy. Boards are
required to have direct access to information and
cybersecurity expertise, and are being held responsible
for the effectiveness of their organizations’
information and cybersecurity programs.
RISKS
There are many threats to protect against, all of
which are trying to gain unauthorized access to
companies’ information or systems. In addition to
revenue hits, short-term costs to a security breach
include immediate management distraction, lost or
damaged data and systems, and degraded operational
effectiveness with urgent system recoveries and
upgrades. Long-term impacts include lawsuits,
reputation damage, possible losses of customers, and
potential job losses for some employees, executives,
and board members.
Faced with these risks, companies need to develop
and implement a security program appropriate for
their business, balancing regulations (which need to
be followed), professional standards (which should be
followed), and effective protections against expected
threats.
Regulations, Guidelines, and Risks
Companies need to identify and support their
business priorities through the protections of their
security program. Through choice or inaction, some
companies wait for audit fi ndings or a breach to drive
their security improvements. Other companies want to
be proactive but lack an expert to lead their program.
The good news is that while security expertise is
necessary, the core elements of an effective security
program build on general management skills.
RISK ASSESSMENT
A risk assessment is an early task in any security
process, encompassing all current operations and
outsourced relationships. Organizations can and
should do internal assessments, but regulators and
auditors place higher value on (and sometimes
require) independent external risk evaluations.
The FBI reports that some 90% of company security exploits result from employees clicking on an email link or opening a web
page with embedded malware.5 All it takes is one click and a fi rm’s systems can be attacked from the inside.
Risk assessments usually start by conducting
or verifying an inventory of all hardware devices,
systems infrastructure, applications, and data. If you
do not know what you have, you cannot know what to
protect or what threats to protect against.
Next, these assets are linked to critical business
functions, identifying those which are most important
and most vulnerable. This linking of assets, business
activities, and business priorities allows risk
assessments and security plans to focus on what most
needs protection.
A risk assessment broadly covers these steps:
- ● Identify what needs to be protected, plausible threats, and known vulnerabilities
- ● Estimate the business risks if vulnerabilities are exploited (considering probability and potential severity)
- ● Prioritize these risks and identified protective gaps
- ● Document and agree to a plan to address these gaps
- ● Track progress of the plan, with executive and board updates
- ● Monitor the effectiveness of these protections
- ● Periodically and regularly repeat the above steps
Although specifi c threats and vulnerabilities
may be unfamiliar to executives, the security process
applies general management actions: prioritizing
critical business functions, deciding which risks to
accept or mitigate, allocating resources, delegating
responsibility, approving plans, monitoring
effectiveness, and intervening when necessary.
PENETRATION TESTS
A penetration test is a controlled attempt to break into
an organization’s systems or data. These tests often
identify misconfi gured infrastructure, manufacturer
default passwords still in use, and software that
allows unfi ltered database access. Penetration tests
also may target employees or subcontractors (e.g.,
social engineering), or physical security protections.
Specialist fi rms generally conduct these reviews,
leveraging their knowledge of frequent confi guration
mistakes, common software and organizational risks,
and popular attack vectors.6
Penetration test results
are documented, and prioritized and become part of
the risk assessment and plan.
VENDOR REVIEWS
Operationally, many business functions and services
that used to be done in-house now are outsourced.
Systems once built by internal information technology
(IT) departments now are purchased, leased, or used as
software services, with data and systems in a remote
and vendor-controlled cloud.
These externally developed or provided systems still
must be checked for appropriate security standards,
and should be validated through vendor statements
or third-party certifi cates such as SSAE18 or ISO
audits, which are designed for service-providing
organizations.
Companies should conduct annual due diligence
reviews of their critical vendors and should expect to
provide statements to their own customers.
WRITTEN POLICIES
There are two approaches to documenting security
policies and standards. One is to research and
document best practices, making those the offi cial
policy and using the policy to force organizational
changes: an “idealist” approach. The other, an
“incrementalist” approach, is to document current
practices, testing for protection effectiveness, and
prioritizing and targeting required changes, thus,
making improvements over time. An organization’s
resources, business priorities, current protections,
and risk tolerance will guide where it belongs on
this spectrum. A reality check is that regulators
and many customers require
fi rms to test and verify that
their documented policies are
followed, so regulated or service-
providing organizations without
policies need to move quickly to
establish them.
TRAINING PROGRAMS
Many employees analyze
customer or fi nancial data on
spreadsheets, removing that
data from a controlled systems
environment if it is copied to
a laptop or work is done from
home. This is an example of
basic activities with risks that
all employees should understand. More important,
these are as much human and behavioral issues
as they are technological. Information security
awareness training programs are a common way to
educate people to better recognize security risks and
to modify their behavior to be safer.
Some fi rms focus on “Do Not” policies rather
than recognizing that many potentially risky
behaviors refl ect people’s work habits. Studies
suggest that the best way to change a behavior
is to change expectations around that behavior.
With information security awareness training, if
people believe they will bring malware into their
organization by clicking on links, then eventually
they will stop clicking on links – though habits can
be slow to change. Experienced Chief Information
Security Offi cers (CISOs) often can identify ways to
mitigate risks to a manageable level so that people
can get their jobs done with limited modifi cations or Constraints.
Returning to the spreadsheet example, password-
protecting spreadsheets containing critical data,
providing secure remote access to fi les, and
automatically encrypting laptop hard drives could
provide suffi cient data protection while supporting
a mobile or distributed workforce.
Security training for technologists is also
essential. System builders and operators have special
responsibilities for safety, but too often security
is handled by a separate team or considered an
afterthought. As an example of early consideration,
defensive programming is the technique of
designing, building, and testing systems with the
assumption that unexpected events will happen,
including security attacks. All developers should
be familiar with the inherent vulnerabilities of
the languages they use as well as the
common risks in specifi c functions
(such as database queries). Security
has been appropriately considered
before new systems or procedures
are implemented. Security should be
considered a core design or purchase
requirement, and proper training
teaches how and why security can be
applied throughout the life cycle of a
system.
INCIDENT RESPONSE PLAN
Organizations need to monitor if their
protections have been broken. This
includes setting warnings on fi rewalls,
reviewing activity logs and investigating unusual
events. Unusual events include those when customers
or vendors may have detected a problem at your
business, as about half of breaches are reported from
outside and not discovered internally. It is diffi cult
to plan during an emergency, so companies should
have pre-established incident response plans (IRPs)
for how to respond to and recover from different
breaches. These plans can be viewed as an extension
of other business continuity or disaster recovery
preparations.
A general IRP will include steps to detect,
investigate, respond/mitigate, recover, and
remediate. If a computer crime has been committed,
care is needed to avoid destroying or contaminating
evidence. Thus, a good plan has pre-identifi ed
experts to assist as needed, who also can coordinate
with the police, FBI, or Secret Service, and who can
require vendors to preserve incident-related data.
A written IRP is a fundamental business and
security requirement, as is having a pre-established
incident response team to carry out that plan.7
According to the Ponemon Institute, in 2016
it took fi rms an average of 191 days to discover a
security breach and then another 66 days to contain
it.
Important Questions and Considerations
BEST PRACTICES VERSUS GOOD ENOUGH
Security standards such as NIST9
and ISO10 specify
best practice protections. These standards evolve
over time and refl ect the cumulative experience of
security leaders from around the world. Standards
are an excellent starting point for a security program,
and they all offer some fl exibility to be adapted as
appropriate. Companies can decide that best practice
protections are not necessary or even appropriate
for parts of their business. Limited controls often
are acceptable for systems or data that are not
business-critical. An effective risk policy can state,
“We understand there are risks to not doing xxx, but
have decided to accept these risks and instead will
protect and monitor that protection by yyy and zzz.”
Expert guidance on the prevalence and severity
of different risks can guide effi cient decisions on
the benefi ts, cost, effort, and complexity of different
protections.
SECURITY TECHNOLOGY SOLUTIONS
A traditional view of cybersecurity was to build a
network wall (fi rewall) to keep dangers out and then
assume all was safe within the protected environment.
Among other challenges with this approach, the
distinction between ‘outside’ and ‘inside’ can be
blurry. Technology is part of many people’s jobs, and
mobile devices, remote access, and web interfaces makes perimeters hard to defi ne and therefore
harder to protect, especially because vendors and
clients also may be connected. As a result, effective
security is better achieved through multiple layers
of protection and compartmentalization. Users,
systems, and data should be tightly managed for
those who need access, and technologies should be
implemented to help monitor for and protect against
unusual or risky activities.
There are thousands of vendors selling
security-related hardware, software, and services.
Products include network management, anti-virus,
encryption, and other tools. Services include code
evaluation and security operations centers. However,
integrating security tools into an operational business
can be complicated, and poorly chosen or poorly
implemented technologies can hide or even create
security problems. Well-integrated tools will help
make safer behavior a default (e.g., restricting and/
or checking software installations for malware, and
fl agging the CEO’s email request for an urgent vendor
payment as actually coming from an external email
system). An experienced CISO can evaluate security
technology products and guide an organization
toward those that are most effective and appropriate.
Effective security requires an understanding of how
to identify and manage risks and secure behavior.
Tools help, but they are not the solution.
FOR BOARDS AND SENIOR EXECUTIVES
Recent standards set by the NACD11 include an
update that the association’s affi liated boards are
required to have direct access to information and
cybersecurity expertise, as they are now being held
responsible for the effectiveness of information
and cybersecurity programs and strategy. These
responsibilities include board review of identifi ed
information and cyber risks, – including legal
implications, board approval of an enterprise-wide
security strategy, ensuring that responsibilities
and resources are appropriately allocated, and
monitoring the effectiveness of these programs,
including timely updates on critical incidents.
There is no such thing as perfect protection, so
boards and executives need to identify which risks
they are willing to accept and which they want to
mitigate or avoid, a decision process that combines business, legal, operational, technical, and security
knowledge. Unfortunately, there is a signifi cant
gap in security expertise at the executive and
board level in most organizations. There are not
enough CISOs to go around.
CISOS AND VIRTUAL CISOS
A Chief Information Security Offi cer (CISO) is a
senior-level executive responsible for establishing
the information and cybersecurity strategy for an
organization.
This individual has access and responsibilities
to the board and senior executives, works closely
with senior managers in all departments, and
has the responsibility to integrate security
considerations and protections throughout the
company. Note, while a CISO can establish, lead,
and supervise a security program, it requires the
entire organization to execute it.
Regulations may require a company to designate
a CISO; however, some individuals are assigned
these responsibilities without the necessary
experience and skills, which usually take 10-plus
years to acquire. Hiring and keeping an expert may
also be diffi cult, as there is a global shortage of
qualifi ed CISOs.
There is currently a shortage of qualifi ed CISOs.
The Rand Corporation reported global demand as
10x to 30x higher than the estimated 1,000 top-
level security experts,12 with over 100,000 unfi lled
information security positions in the United
States.
For companies and boards facing this expertise
gap there is an alternative, which is to contract
or outsource the CISO function on a part-time
or advisory basis while retaining executive
responsibilities within the fi rm. These part-time
advisors are known as virtual CISOs, and they help
companies leverage a combination of business,
regulatory, technology, and security expertise. The
NACD explicitly recognizes the benefi ts of virtual
CISOs.14 Experienced virtual CISOs can provide a
range of supporting roles, including:
A Chief Information Security Offi cer (CISO) is a
senior-level executive responsible for establishing
the information and cybersecurity strategy for an
organization.
- ● Advising boards and senior executives on their information and cybersecurity responsibilities, presenting security risks and choices in a prioritized business context, and supporting the development, implementation, and monitoring of an enterprise security strategy.
- ● Mentoring internal security officers, accelerating their professional development, and providing guidance on priorities, projects, and purchases
- ● Advising or leading specific projects such as vendor selections, purchase decisions, and reviews of security plans, or prioritizing audit findings and coordinating their remediation (as it is sometimes easier for an outside expert to bridge internal hierarchies).
- ● While most of the above work can be scheduled in advance, virtual CISOs also can provide emergency support, such as for breach evaluation and recovery efforts. Ideally your organization has a ransomware plan already prepared, but getting external advice in a crisis still helps.
SECURITY PROCEDURES COME FROM THE TOP
As cyber risks increase, organizations that
understand and implement effective security
will be in stronger positions to protect their
operations, data and customers against potential
breaches, while meeting regulatory and best
practice standards.
As with any corporate priority, security strategy
needs to be set and supported from the top of
the organization. With expert CISO or virtual
CISO advice, board members and executives can
appropriately incorporate security into their
company’s activities. For those that don’t, the lack
of preparation could be catastrophic.
Aspire Profile
Securing cyberspace is unquestionably one of the most pressing issues confronting businesses today. The aggregate of businesses transforming digitally has grown exponentially in the past decade. While information technology has proved a blessing for many business sectors, it also created risks for the security of organizations’ systems and digital data. These systems and data are the biggest asset for many companies, which makes their entire businesses vulnerable to cybercriminals and cyber-attacks.
To alleviate the vulnerabilities of various organizations, vSEC LLC—a Chicago-based cybersecurity consulting firm, leverages its business and security knowledge to help clients identify and better manage their cybersecurity priorities. Founding Partners Mike Phillips and John Falck first came up with the idea for the firm in 2017. Over the years, Mike, John, and their CISO (Chief Information Security Officers) peers had recognized that the demand for experienced CISOs greatly exceeded the supply, and that gap would continue to grow. Virtual CISO consulting allows CISOs to help many companies. Mike had over 25 years of experience as a Chief Information Security Officer whilst John had similar experience as a Business/Technology Executive before they jointly founded the firm with a goal to approach security needs in the context of business priorities
MAXIMISING SECURITY
vSEC introduced its specialized cybersecurity consulting with a focus to provide executive-level guidance to businesses. Serving as a ‘virtual CISO’, or vCISO, vSEC helps firms assess their current security posture, to identify key risks, and to develop and execute a security strategy and roadmap that implements prioritized controls. ese implementations involve a combination of policies, plans, and procedures, as well as supporting security tools. “For many larger firms it is a complex process to understand what security tools they already own and how to get those (and other tools) integrated so they work as desired,” asserts John.
vSEC clients are in the financial or financial-technology industries, healthcare, energy, regulatory compliance, and manufacturing. e company admires clients who are motivated to be secure rather than merely to document security compliance. It believes that security is not purely dependent on technology but does require adapting technology to securely support business activities. is business-focus approach to helping clients is the factor makes vSEC a frontrunner in the cybersecurity space. Its special skill is to combine cybersecurity and business understanding to help clients prioritize and implement a security program that is appropriate for their organization. is approach includes establishing security monitoring and reporting structures so executives and boards have insight into the effectiveness, risks and maturity of their security program.
As a virtual CISO business, vSEC states that while it performs some projectbased contracts, the majority of clients hire it on a retainer basis, meeting on a fixed weekly schedule over multiple months to develop and execute a cybersecurity strategy and roadmap, whilst still being available to respond to urgent security questions as needed. vSEC is product and technology agnostic, so clients oen approach it for advice when they want to review or select security tools or vended services.
vSEC developed the security policies that a start-up required for rapid regulatory approval for their off-shore digital currency exchange and clearing business. Because of the timing of their launch, security policies and controls had to be developed before many people were hired or operations established.client recognized that project requirements would change significantly, but also wanted to maintain the same regulatory approval and business launch dates for competitive reasons.
vSEC structured the project on a timematerials basis and coordinated with other security and technology specialists to ensure a quick response to changes during the project. Fortunately, with vSEC’s combination of security, financial industry, and regulatory experience, it was able to anticipate and guide many project requirements. “project was a success – the security element of the regulatory review was perfect, and the business met its regulatory approval date,” says John.
ADAPTION IS THE KEY TO BE SECURE
Cybersecurity is both professionally challenging and rewarding. “As security consultants, our work makes people and companies safer, both decreasing the probability and impact of security problems and improving firms’ abilities to detect and respond to security incidents that do occur,” says John. As partners, they believe that security is not a problem to be solved once. “Companies develop new business technologies over time, new threats emerge to attack those, and therefore new security controls are needed in response,” explains Mike.
MAXIMISING
This constant evolution is exciting and requires a commitment to professional improvement and collaboration for CISOs and vCISOS to stay on top of their responsibilities. In the cybersecurity sphere, companies constantly face external risks such as ‘ransomware’ and ‘false payment’ scams. However, the biggest security risks oen are internal, coming from vulnerabilities in how companies operate, i.e., how they manage users, technology, and data. To address both external and internal risks, cybersecurity needs to offer protection through implementing and monitoring tools including anti-virus and firewall systems, and also needs operational controls such as limiting system access of users, restricting administrative system privileges, encrypting confidential data and testing backups.
As a member of the cybersecurity ecosystem, vSEC has established and maintained collaborative relationships with multiple specialist cybersecurity firms. It also has advisory relationships with some venture capital and private equity groups, which gives vSEC access to early-stage security companies and technologies. For example, one of its favourite start-ups developed a proprietary system to secure applications and data from attack even on compromised devices.
“
GUIDANCE IS ESSENTIAL
“For too many firms, cybersecurity still receives a ‘do the least required’ priority,” says John. vSEC anticipates a
combination of pressures that may drive reluctant firms to improve and formalize their cybersecurity controls. Likely external forces include more companies reviewing the security policies and controls of their vendors, expansion and enforcement of privacy and data protection laws, and the insurance industry increasingly demanding proof of effective security controls as a condition for cyberinsurance. As another key factor, if boards and executives are held accountable for their firm’s cybersecurity, as they are for supervising other business risks and controls, that may drive a large shit in executive attention to prioritize cybersecurity
A jump in demand for cybersecurity likely will attract more security vendors leveraging and promoting nextgeneration security technology. vSEC expects it will take several years before the hype has settled and a few tools and services become well established. Trough all of these transitions, vSEC expects that experienced cybersecurity advice will remain very valuable in helping companies understand and manage their security risks.
One worrisome issue for Mike and John is the potential professional dilution of the CISO and virtual CISO titles, and a resulting credibility risk to what is a relatively new profession. They both highlight estimates that there are only a couple thousand CISOs globally with 15 to 20+ years’ experience, so many companies are chasing a small pool of cybersecurity experts. Since there is not a formal career path or accreditation to become a CISO, many individuals are getting such titles by taking the role. “Unfortunately, adding “and Security” to someone’s job does not automatically give them necessary security experience,” cautioned John. Some security service providers approach this expertise gap by offering standardized tools or reports, selling services that can be supported and replicated by relatively junior personnel. As a client focused business, Mike and John prefer to start with strategic level guidance and follow that by leading development and execution of cybersecurity plans. Hence, they expect vSEC’s expertise providing advice to executives and boards that combines cybersecurity, business and operational experience will continue to be a competitive differentiator.
Mike
What Does a CISO or Virtual CISO Cost?
Per Salary.com, a US-based Chief Information Security Officer (CISO) averages
$282,000 in salary and bonus, and total median CISO compensation is $376,000
including annual benefits worth $88,000 (insurance, 401k / pension, paid time off, etc.).
Median CISO total compensation is $376,249 (salary, bonus, benefits)
Glassdoor, as of June 2023, reports US CISO average annual compensation of $288,830: an average salary of $180,000 plus additional compensation of $109,000.
At the high end, Heidrick & Struggles’ 2023 CISO survey reported
median total cash
compensation for US CISOs of $620,000, with median total compensation of
$1,100,000 including equity grants.
vSEC estimates the median salary, bonus and benefits for a CISO with 15 years experience and a masters degree is $400,000, or $33,000 / month.
Note, beyond compensation, total employment costs include expenses and overhead
such as office and equipment, allocated IT and HR support, etc., things your CFO also
considers. Does a virtual CISO offer a lower cost way to get cybersecurity expertise?
Virtual CISO Costs
A virtual CISO (vCISO) can be thought of as a ‘fractional CISO’, a consulting relationship
where a client gets part of a security executive’s time. Some vCISOS are independent
CISOs (single-person practitioners), some work in small firms that focus on cybersecurity
consulting (such as vSEC), and many general consulting or security service firms also
quote vCISO services as an extension of their other offerings.
Virtual CISO advisory services usually are provided under multi-month contracts, and
these relationships can last many years. Services often are charged on a fixed retainer
basis covering an average or maximum hours per week or month. For many companies,
this is an attractive alternative to hiring a full-time CISO, as they get cybersecurity
expertise and leadership they need without the cost of a dedicated security executive.
A recent web survey of price quotes for virtual CISO services showed many offerings from $5000 to $20,000 per month, heavily dependent on how much time and support is needed by the client. vSEC virtual CISO services usually range from $6500 to $15,000 a month based on client needs, with $10,000 a month common for long- term support.
The main driver of virtual CISO pricing is the experience and therefore professional cost of the people providing the vCISO services. If calculated as an hourly rate, these monthly prices broadly reflect the fractional fully-loaded hourly cost of a highly experienced full time CISO, with a markup to cover margin and the overhead of a separate company.
You will pay less for a vCISO than a full-time CISO, however, we recommend viewing this as paying for the (part-time) amount of the cybersecurity expertise and leadership you need rather than getting a cheaper replacement from a less experienced person. A key real value comes from working with virtual CISOs who have assisted firms across many industries, which allows customization of established solutions to meet individual client needs, leveraging specialized resources as appropriate.
Sources
- ● https://www.salary.com/tools/salary-calculator/ciso?yrs=1.5&type=bonus
- ● https://www.heidrick.com/en/insights/cybersecurity/2023-global-chief-information-security-officer-survey
- ● https://www.glassdoor.com/Salaries/chief-information-security-officer-salary-SRCH_KO0,34.htm
- ● Other virtual CISO businesses.
