Q&A: Should you outsource the office of the CISO?

A few years ago, the idea of outsourcing the CISO function may have seemed absurd. However, rapid and radical advances in technology have not only made this option feasible, but even desirable for many organizations. A variety of technical, practical, legal and cost benefits can accrue from a virtual CISO. This includes an ability to better manage a security operations center (SOC) and build out a more comprehensive security framework revolving around zero trust.

Here’s a look at some of the key issues surrounding CISO outsourcing:

Q: Why should an organization consider outsourcing the CISO function?

A: The average tenure for a CISO is about two years. It’s important to recognize that this creates a difficult situation. For one thing, a knowledge and expertise deficit often occurs. There’s a learning curve associated with the job and applying security principles to a specific company. A lack of consistency can also ensue. Different leadership approaches and styles can make security more challenging. The result can be technical debt and gaps that lead to higher risk levels.

Q: What challenges do CISOs face that undermine their ability to do the job?

A: The data security risk landscape is changing at a furious rate, and the strategies and technologies used to battle risks are also evolving. These include areas such as cloud, security engineering, emerging technology, identity access management (IAM), application security and DevSecOps. Today, there are incredible complexities associated with the CISO function, and short tenures often translate into gaps and vulnerabilities that aren’t immediately obvious. It isn’t uncommon for a CISO, after taking the reins at a company, to discover that an organization isn’t adequately protected. Enacting all the necessary changes can take months—or longer. This task is often complicated by existing silos, especially in larger organizations. As technologies and business functions accumulate, more and more security gaps can appear.

Q: How do these risks play out?

A: Attacks, breaches and breakdowns can result in lost revenues, reputational damage and regulatory actions, including large fines. In a worst-case scenario, ransoms or the loss of intellectual property can destroy a company. For example, a Canadian roofing company had its product formulas stolen, and they were later reproduced in China at a fraction of the cost. The company wound up losing market share and revenue. Another complication is the difficulty of finding and affording adequate cyber insurance. Inconsistent security leadership is one of the factors that lead to higher insurance premiums.

Q: How should best practice organizations confront these security and regulatory risks?

A: A number of best practices exist. To start, it’s vital to conduct a thorough assessment and understand where gaps and vulnerabilities exist. This internal audit must include an examination of technology, processes and people. It must focus on metrics and KPIs that actually reduce risk—and potential exposure to an attack or breakdown. The goal is to lock systems down but also reduce the risk of regulatory actions. With accurate and actionable information, it’s also possible to understand where spending should take place. Instead of attempting to address all security threats equally, an organization can focus on the defenses that really matter.

Q: How does an outsourced CISO function work?

A: As an example, by outsourcing the CISO function in the RSM-as-a-service model, an organization gains instant on-demand access to knowledge and experience. It’s a relationship that delivers a spectrum of services—such as IAM, a SOC and managed security services—all within an integrated framework. In many cases, this approach not only improves the overall protection framework, but it also results in cost savings. For instance, one marketing group found that it had redundant storage and security technologies in place. These systems weren’t improving protection, but they were boosting costs. Once the company turned to an outsourced framework, it was able to modernize and streamline the IT framework.

Q: How does this approach improve risk assessment and other tasks?

A: With the right service provider, the onus for data security shifts. There’s no longer a need to worry about vendors, products, services and integration. There’s no reason to attend to constant patches, updates and upgrades. A best-in-class service provider can cut through layers of complexity and ensure that every aspect of data security is addressed. This results in fewer data silos and downstream issues. Problems—and complete disconnects—that can result from business and security groups having their own ideas about what compromises risk go away. It’s also possible to continually assess security and regulatory controls and ensure that there’s constant alignment.

Q: What does a high level of automation provide?

A: With a single pane of glass perspective, continuous monitoring and a coordinated framework in place, it’s possible to deploy highly automated controls, including those that establish privileged access. An organization gains real-time oversight—including green, yellow and red signals—that makes it much easier to address problems and handle reconciliations. All of this adds value by reducing costs and allowing staff to focus on more strategic elements.

Q: Why do some companies pay for managed offerings but wind up having a negative experience?

A: The biggest problem is that some of these platforms are clunky, and they require ongoing investments and upkeep. Someone has to know how to use them effectively, and with a revolving CISO door the task can be difficult—or even impossible. Too often, people create workarounds, and security protections, over time, break down.

Q: How would you suggest organizations approach outsourcing the CISO function?

A: Ask questions. Understand how a managed solution operates and what you get with it. An outsourced CISO approach must deliver more than technology. It’s all about adopting a comprehensive framework that incorporates people, processes and technology. A solutions provider should have plenty of experience in the space, establish clear metrics and ROIs and have certificates verifying third-party compliance standards, such as Sarbanes-Oxley (SOX) or HIPAA.