Hiring a vCISO: Top Three Challenges for Small Companies
If you are running a company with anywhere from 10 to 30 employees (or even a few more), there is a good chance that you need dedicated cybersecurity expertise to protect your growing firm. However, hiring a Virtual CISO (vCISO) can potentially be too expensive for a firm this size. Your company might need a “thinner” solution.
How do I know?
I run a Virtual CISO company and I talk to a lot of companies this size. Do we have some clients at sub-30 employee companies? Yes. But for every one we have, there are three that we speak to that cannot afford a vCISO.
To date, we have addressed this by turning down quite a bit of business in this segment of the market. But that’s not really good for anybody, especially the client who still needs a fix!
One of my peers has many very small clients. He uses part-time employees to service these customers.
I don’t think this strategy is right for my firm, but I’ve been thinking about how we could innovate to take on these smaller firms. To be able to do that, we need to understand the essential question: what, exactly, does a small company need for cybersecurity?
What Small Companies Need
In reading and talking to these smaller businesses, I’ve seen some consensus emerge.
Small companies need to understand their cybersecurity risks, and they need to build a plan to mitigate those risks. Then they need help with executing their plan. These are activities that we do for many of our clients.
Small companies need to be able to respond to security questionnaires and Requests for Proposals (RFPs) from their prospects and customers. In many cases, their larger customers are asking them to execute numerous security controls. The smaller supplier needs to have credible answers for their larger prospects.
Small companies need to be able to comply with certifications for their industry, and others dictated by their customers, such as SOC 2 or ISO 27001.
What vCISOs Can Deliver
In a professional capacity, vCISOs can help companies with risk assessments, cybersecurity plans, and managing the execution of the plan in hand. Virtual CISOs also help with client engagement, and answer prospect questions. They help with compliance-related tasks. vCISOs can be the key driver for cybersecurity improvement in an organization.
Small Company Challenges in Hiring a vCISO
Here are the three key small company challenges in hiring a vCISO:
1) If you thought all of the services above could be a lot, you are right! When we help our clients with just the compliance part of the equation, updating policies, closing gaps and managing the audit, we spend a lot of time just on those tasks. The cost associated with this work is often too much for smaller clients. Our medium-sized clients love that we will help them obtain the certification, and save them countless amounts of effort. But the smaller ones usually choke on the price tag.
2) Updating policies can require a huge amount of effort. Often, smaller companies will have a bunch of policies that “someone came in to do” initially. These policies may or may not reflect the actual practices of the firm. They are often borrowed from larger companies or from other industries, and thus, may include a lot of items that are not relevant (resulting in wasted effort). They typically have many things included that are not best practices. Finally, they have policies that are not actionable. Understanding the existing policies, understanding what practices are followed, and then making changes is a lot of work. We often say around here that editing policies is actually a lot more work than putting new ones in place!
3) Answering customer security questions can be a never-ending struggle for some companies. This is especially true for those that are assisting large firms. Having an outsourced expert answer run-of-the-mill questions might make sense for some firms, but it can be beyond the operational budgets of others. It’s not a “one size fits all” service!
How We Might Address Customization in the Future
We’re considering a few things right now to better address the market for smaller sized firms. One of them that has gotten attention recently is the idea of leveraging a partner product like Tugboat Logic.
With this tool, we would be able to handle some of the more standard requests without spending significant time that increases the cost. That would give us the ability to focus on the advice, customized recommendations and other high-value deliverables for these clients.
We have started this discussion with new prospects that are smaller in size. We hope that the results are what we expect… happy, more secure customers!
About the Author
Rob Black, CISSP, is the Founder and Managing Principal of Fractional CISO. He helps organizations reduce their cybersecurity risk as a vCISO. Rob is the inventor of three security patents. He consults, speaks, and writes on IoT and security.