When funding your small or medium business, you keep your budget at the forefront. You begin with a skeleton crew of only the most essential personnel. One question that comes up for chief executive officers (CEOs) is whether their business immediately needs a chief information security officer. The answer depends on the size and age of the business.
What is a small or midsize business (SMB)?
Gartner defines a small and midsize business (SMB) as an organization employing fewer than 999 individuals. A small business has fewer than 100 employees, while a medium or mid-sized business has between 101 and 999. The definition of a micro business, which is smaller than a small business, varies by location. In Australia, a business with 15 or fewer employees qualifies as a micro business; in the UK, a business with fewer than 50 employees qualifies. In the US, employing six or fewer employees qualifies as a micro business. A small business typically has less than $50 million in annual revenue, while a mid-sized business has an annual revenue of between $50 million and $1 billion.
These smaller businesses have different budget requirements. While they still need information security, the security needs of small businesses and micro businesses differ from those of mid-sized companies. While mid-sized businesses may hire a part-time or full-time, on-site CISO, a small business may not have the budget for this position, and a micro business would not. All businesses share the threat of a data breach, though, and businesses of all sizes need an independent contractor or consultant who discusses cybersecurity with the leadership and devises plans and strategies to enhance the company’s security. A virtual CISO can provide for all of these needs.
How a Virtual CISO Helps
Hackers and other cybercriminals know that SMBs have a tough time affording full-time CISOs and other security services, so they make those businesses a target. In 2018, the last year for which data is available, hackers made SMBs the target of two out of three cybercrimes. Six months after those crimes occurred, 60 percent of the SMBs were no longer in business.
This adversely affects the economy in numerous ways, including unemployment. The US’s 58.9 million SMBs employ 47.5 percent of its workforce, says the US Small Business Administration. Not only does the community lose the business and the service it provides, but it also loses the jobs it provided. This causes a ripple effect of problems, making the protection of SMBs all the more important.
While a virtual CISO does not perform on-site actions to protect the business, they do guide the business in its security plans. Their input can help the SMB or micro business stay within budget and optimize its security and business procedures to achieve forward progress.
Any company can contract with a virtual CISO to protect its day-to-day business activities from security threats. The CISO also contributes to the firm’s strategic vision and business development. Since the passage of the General Data Protection Regulation (GDPR) in the European Union (EU), businesses throughout the world have had to update their privacy protections, formalize plans to protect consumer and employee data, and create documentation and reporting techniques and procedures that meet GDPR requirements. The duties of documenting and reporting privacy breaches typically fall to the CISO. Where the company contracts with a virtual CISO, that individual, although an independent contractor, fulfills these requirements.
The objectivity of the virtual CISO provides one of the main advantages of using this contract position. The SMB obtains the consultancy it requires to develop security objectives and goals, implement appropriate security procedures and deploy the necessary software and hardware solutions to protect the business. By eliminating bias, the virtual CISO circumvents bureaucracy to shore up security and efficiency.
What does a CISO or vCISO do?
The information security officer analyzes the business and its current procedures. They may use many mechanisms to suggest improvements that can increase efficiency and security. This may occur during the first iteration of the business risk assessment (BRA) or the second. The CISO may use any single improvement method or several of them, including Six Sigma or the Toyota method. Identifying vulnerabilities and addressing them as soon as possible begins the security improvements but is not the end of the process.
Protecting a business from data loss and customer privacy transgressions is only the first step. The CISO also connects the business’s computer security strategy with its goals, objectives, and milestones to ensure it meets its priorities, manages risk, and remains on budget.
While identifying threats remains important, so does adhering to the latest techniques for avoiding them. The CISO also makes technology procurement decisions, prioritizes the firm’s main services and assets, sets the physical access controls, examines the applicable legal compliance regimes and fulfills them, and coordinates with the leadership to improve overall security.
Some SMBs have an IT team, while most micro-businesses have no IT team. In the latter case, the entire team consists of the CISO. This leaves a huge hole for them to fill, since they must build upon the business’ capabilities without interfering with day-to-day operations, so that the business continues to meet its client base’s expectations. Doing this within a micro or small business budget presents a challenge.
The Cost of a CISO vs. vCISO
Hiring an on-site, dedicated CISO may be within reach of some SMBs. Still, many probably cannot afford the expense of an annual salary of $215,273, the median annual salary for the position, according to Salary.com. Those who can afford the position have lost their personnel in the past because their CISO was lured away by another company. In a survey conducted by the Information Systems Security Association (ISSA), 38 percent of respondents said their CISO had changed jobs when offered a better compensation package. Hiring a vCISO on a contract basis costs much less: you can contract for a specific number of hours per week to create a position within your budget.