
Cybersecurity is a Team Sport: Why a Fractional CISO Makes Sense to Manage Risk

How to share a Chief Information Security Officer

Heather Engel, Chief Strategy Officer of Sera-Brynn

Suffolk, Va. – Feb. 28, 2019

We live in a sharing economy. Almost anything can be had for a fraction of the cost of ownership.

Need a ride? You can use Pace for bikes, Lyft or Turo for cars, or Lime for scooters.

Need cash? Shared residential Wi-Fi? (Try Fon.) How about a shared puppy? (Fractional cuteness at Share A Dog.)

In business, shared-service offerings abound: shared workspace with wellness centers (and beer) and shared cloud computing (no beer). In the past decade, the shared service model has greatly matured. In the past year, the delivery of cybersecurity and risk management services has been undergoing its own revolution.

The Future: Fractional CISO

If you are looking at a more efficient way to mitigate and manage information security risk — or just want to take your security program to the next level — a Fractional CISO (or FCISO for short) might be a good fit.

Here are six reasons a FCISO makes sense:

1. Skills. Managing cyber risk requires a LOT of disparate skill sets. An expert in incident response or forensics may not be an expert in privacy or compliance. A developer with experience in secure coding probably isn’t designing secure architectures on the side. An expert in cloud architecture usually won’t be doing penetration testing or conducting user training. No one person can be an expert in all these things. And if they are, you probably can’t afford them.

Designing and maintaining a top-notch cybersecurity program takes deep knowledge and an unwavering focus. Building a strategic alliance with a FCISO can help a company access the skill sets it needs, when it needs them. A good FCISO should have credentialed and experienced experts such as cybersecurity engineers, CISSPs, forensics experts, a robust incident response team, and access to privacy professionals, attorneys, accountants, public relations experts, law enforcement liaisons, and others.

Your FCISO can also oversee other service providers. You probably hired a managed services provider because you couldn’t or didn’t want to manage certain aspects of your infrastructure. But using those services without oversight is usually a bad idea. For one thing, if you don’t know how to do it yourself, you won’t be sure you are getting what was agreed to, paid for, and necessary to reduce cyber risk.

2. Economics. In the law of supply and demand, low supply and high demand will increase price. Prices will increase to the point that some buyers will drop out of the market. The problem is that no company that wants to stay in business can afford to simply opt out of cybersecurity.

Thinking back to our college-level economics classes, cybersecurity talent is nowhere near equilibrium — it’s a constrained market, and demand far outstrips supply. In fact, Cybersecurity Ventures’ Jobs Report predicts 3.5 million unfilled positions by 2021. There simply aren’t enough people with even general security knowledge, let alone the expertise to measurably reduce cyber risk. The bad news is that there is no short-term relief in sight, no hidden cache of cyber experts who haven’t come on the market yet, no manufacturing facility that can ramp up and produce more security-expert widgets. The good news is that hiring a FCISO means you’ll have access to a variety of skilled experts when you need them.

3. Burnout. Workforce stress is present in lots of jobs, but with an expectation of constant availability, cybersecurity pros are tired.

There is no job field today that changes more rapidly, with more severe consequences for failure, and with an expectation of expert-level knowledge in so many skill sets (see #1).

Make the right decisions and you might not get hacked. Miss one small detail, and you’ll probably be job hunting with a reputation that precedes you. Workplace stress isn’t good for anyone, and the constant pressure of fighting attacks 24/7 while worrying about statistics like “64 percent of insider threat risk is careless behavior or human error” can drive even the most resilient CISO to exhaustion. Are CISO sabbaticals a thing yet?

Besides having to keep up with the speed of data, security pros are often covering for all those other unfilled positions created by the supply shortage (#2), further adding to workplace stress.

4. Budget. Not all companies need a full-time CISO (gasp). In most companies, security is a necessary overhead expense. It requires constant investment and updates. Security generally doesn’t make money, although it might improve a business process here and there. Risk is constantly in flux. I’ve worked with hundreds of clients, including start-ups, small businesses, and mid-size companies with relatively uncomplicated business models. For many, hiring a full-time CISO would make no sense at all.

When a full-time CISO doesn’t make sense or isn’t in the budget, a FCISO can help with initial security strategy, then targeted initiatives to maintain an acceptable level of risk.

5. Breaches. I was facilitating an incident response exercise recently and was asked a great question by the CFO. That question was, “If some superbug or zero-day malware were to infect a large number of companies simultaneously, how do I know that I’ll be able to get the help I need?” The answer is: You don’t.

Any company that’s been through a breach will tell you that incident response and forensics investigators often have a long lead time. When you’re bleeding data or locked up by ransomware, being told the soonest response available is three weeks out and requires a $25,000 retainer is pretty much a non-starter. If this is a concern, hire a FCISO company with access to certified incident handlers, and specify in the contract expectations for incident response times.

6. Blame. I once worked with a client who needed to rein in administrative privileges. Users across the organization had the ability to modify their machines, including turning off antivirus and installing software. Every time the IT staff tried to pull back privileges, they got so much pushback at every level that the CIO was forced to back down. We were able to work with the team to cite several reasons, including compliance, that allowed them to “blame” the consultant (us) and finally get much-needed changes.

Very often it takes an outsider to get executive leadership to pay attention. A FCISO with a reputable security company can make the case to the CEO, CFO and others to act on long-stalled projects. They can describe what other companies in the same industry are doing, and let execs know if they measure up or fall short.

A good FCISO provides you with a single point-of-contact who coordinates all aspects of your security and pulls in other experts as needed. This is not a SaaS product, or remote vulnerability scans with a report you must read and act on. This is a coordinated, strategic partnership modeled on the concept that cybersecurity is a team sport.


Heather Engel is Chief Strategy Officer of Sera-Brynn. She has nineteen years of experience in cybersecurity, with an emphasis on cyber risk management including regulatory compliance, incident response, crisis communications, Continuity of Operations (COOP) planning, development and exercise execution, policy development, and computer network operations.

Sera-Brynn is a global cyber risk management audit and advisory firm. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn’s clients include many of the world’s most admired and recognized brands.