
With threat actors exploiting vulnerabilities at a record pace, small businesses find themselves in the same precarious position as larger enterprises. A Mastercard survey found that 46 percent of small and mid-sized firms had experienced a security incident within their current operations.
The same Mastercard survey, which gathered responses from 5,000 small and midsized firms, also found that only 23 percent of respondents are “very” satisfied with their cybersecurity plan, and only 23 percent said they are “very” confident in their ability to identify security threats.
Studies like the Mastercard report show that small businesses require better cybersecurity help but often lack the resources that larger enterprises can dedicate to defenses and security staff. It’s one reason why many small and midsized firms have turned to virtual CISOs (vCISOs) as an alternative to hiring full-time cybersecurity executives.
A vCISO can work for a consulting firm or function as an independent contractor who helps develop, organize and implement a company’s cybersecurity plans. The vCISO can oversee an internal security team during a crisis and present details of an incident or risk to the executive suite and board – essential services for small businesses.
A report by security vendor Cynomi found that nearly 80 percent of managed service providers (MSPs) and managed security service providers (MSSPs) now report high demand among small businesses for vCISO services – outpacing interest in other offerings such as compliance readiness and cyber insurance support.
This increasing need for an executive cybersecurity advisor isn’t surprising for Randolph Barr, CISO at Cequence Security. He noted that small businesses are under growing pressure from regulators and their customers to prove they have basic security in place and the ability to protect data. At the same time, these firms often cannot justify the overhead of a full-time CISO, but they still need to show progress on policies, controls and compliance frameworks to win new business while keeping current clients satisfied.
“While many SMBs can hire analysts or experienced security professionals, those roles typically focus on operations, monitoring, patching, and handling incidents,” Barr told Dice. “What they often lack is the executive-level perspective on how to build a security program from the ground up and how to communicate security posture in a way that resonates with executives, boards and customers.”
For experienced cybersecurity professionals looking for a new challenge, the vCISO role is in demand and can be a rewarding career path for those able to bring executive-level security expertise to organizations that need it. At the same time, the role is dynamic, and successful vCISOs need to master numerous skills to stand out.
As with other cybersecurity positions, artificial intelligence is also changing how vCISOs approach their job.
Creating a vCISO Career Pathway
In 2021, research firm Gartner outlined an early version of the vCISO’s job description, particularly as the cost of hiring and retaining cybersecurity talent began to increase. Analysts noted that vCISOs could help organizations in several ways, including staff augmentation, consultative engagement and management know-how, project management, and coaching and advisory services.
Since that time, more and more organizations, including small and midsized firms, have invested in cybersecurity tools and platforms to bolster their defenses. Barr, however, noted that valuable vCISOs help organizations optimize what they have instead of recommending purchasing more technology.
“The best vCISOs will first take a close look at what’s already in place and identify opportunities to better leverage those tools,” Barr added. “Most of the time, these tools are not fully configured or optimized, which means small and midsized businesses are not getting their full value. A good vCISO helps tune and extend what already exists before recommending net-new investments.”
At the same time, small businesses find themselves in an era of increasing compliance and regulatory responsibilities. As a result, Barr noted, vCISOs also need to deliver concrete compliance outcomes, such as guiding a client through a SOC 2 Type II assessment or producing HIPAA incident reports, for organizations that need them to meet their obligations.
Chad Cragle, CISO at Deepwatch, believes that successful vCISOs develop their skills based on three pillars. These include:
- Breadth of security knowledge: From governance to cloud to compliance frameworks
- Business fluency: The ability to translate risk into dollars and decisions for executives
- Leadership and communication: Often being the lone voice helping a CEO or board navigate a crisis
While certifications – including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Chief Information Security Officer (CCISO) – are helpful, Cragle added that a vCISO’s cybersecurity credibility “mainly comes from experience, including managing security programs, leading incident responses, and passing audits. The best vCISOs have ‘been there, done that’ scars they can draw on for new clients.”
Leadership and communication skills are also crucial. They let a vCISO carry information across the various lines of business within an organization so that advice and guidance reach the decision makers who can act on those recommendations, said Andy Bennett, CISO at Apollo Information Systems.
“Successful vCISOs have to be good communicators, and often be able to apply security knowledge across multiple business verticals,” Bennett told Dice. “They have to be a dynamic, strategic security leader, and a detail-oriented project manager to keep track of the workstreams at different clients without crossing the streams. It is not for everyone, and not every good CISO or senior security consultant is cut out to be an effective vCISO.”
How AI Is Changing the vCISO Field
The Cynomi report details how AI use is changing the way vCISOs work and interact with their clients. For instance, the survey showed that 42 percent of MSPs and MSSPs report a more than 80 percent reduction in manual workloads due to increasing use of AI tools, allowing them – as well as vCISOs – to serve more clients without compromising the quality of service.
Apollo’s Bennett noted that the use of generative AI tools can help vCISOs improve their efficiency and that learning more about the technology is a way to stay ahead of vulnerabilities and those looking to exploit them.
“It is a fantastic tool to help quickly evaluate contracts, review large data sets, and generate first drafts of policies and procedures,” Bennett added. “It excels at finding anomalies and, when used properly, can make a vCISO, a CISO, and their teams and clients more efficient and effective. The bad guys are using AI very effectively, and if security teams and professionals don’t also leverage AI, the attackers will press that advantage.”
While AI can improve efficiency, these tools remain new to the market and have already drawn scrutiny from government agencies and lawmakers. vCISOs need to ensure that their clients and organizations understand the risks of using these tools and how best to protect company and consumer data.
“Tomorrow’s vCISO isn’t just a security leader; they will need to be an AI governance expert. That means understanding AI risks such as bias, data leakage, and compliance; helping companies adopt AI safely; and using AI tools to gain faster insights while remaining vigilant enough to challenge the machine,” Deepwatch’s Cragle told Dice. “The best vCISOs will embrace AI, not fear it. They’ll leverage it as a force multiplier while emphasizing the one thing AI can’t replace: trusted human judgment.”