More remote workers mean larger attack surfaces, and as cyber criminals take advantage of the rush to provision a remote workforce, the shortage of cybersecurity professionals has become acutely painful. Last year, the ISC(2) Workforce Study identified a shortage of 561,000 cybersecurity professionals in North America. Globally, that number is over 4,000,000 professionals. In April of this year, another ISC(2) survey found that 47 percent of the cybersecurity professionals surveyed had been reassigned to other IT support activities while their companies ramped up to deal with the requirements of a newly remote workforce. As we move to “what’s next?”, how do enterprises obtain the resources and expertise needed to better address cyber risk in the new environment?
Virtual Chief Information Security Officer, or vCISO, services have traditionally been a method to alleviate short-term staffing issues. However, if the focus is simply putting a body in a seat, enterprises will find that they are either over-paying for levels of expertise they don’t need or that candidates don’t have the depth or breadth of experience necessary to meet urgent needs. To be successful, the vCISO delivery model must be flexible enough to provide the right resource for the right task at the right time.
As part of our CISO+ service offering, Coalfire has identified three possible use cases. The first use case is where a senior cybersecurity professional is needed to deal with external stakeholders like regulators and customers. Involvement with the board of directors would also be included in this use case. The number of hours for this individual might be small, but the required level of expertise and executive polish is likely high.
The second use case is the requirement for security program leadership. This role focuses on developing or refining a cybersecurity program and overseeing its implementation. In this role, coordination with internal stakeholders to develop business-aligned governance structures is key. To support this, policies are developed, the roles of senior leaders in the areas of risk management and incident response are established, and budgeting, development and implementation of distinct cybersecurity projects are fulfilled. This role is more time-consuming but doesn’t necessarily require the same level of expertise and experience as the first use case.
The third use case is where a company needs a mid-level cybersecurity professional to work with internal stakeholders to develop procedures and standards, ensure legal and contractual requirements are met, provide operational and technical-level incident response activities, and handle other day-to-day tasks. In this scenario, the hours and expertise level would be dependent upon the project.
When determining requirements for cybersecurity support, conducting a careful needs analysis will create a full understanding of the role, the time required to fill that role, and the level of expertise and experience needed to attain the desired results. Keep in mind that more complex needs may require more than one individual. Having a clear idea of the outcomes you’re looking for, and not just putting a body in a seat, helps ensure success.