WHAT TYPE OF BUSINESS needs a chief information security officer (CISO)? “Pretty much everybody,” says Doug Turpin, chief disruption officer at Tight Technologies, an MSP in Roanoke, Va. He adds that it’s not just regulated industries like medical and financial, but any company that has client data.
For smaller businesses, though, “the challenge is how do you economically deliver that expertise, because security experts don’t grow on trees,” says Rob Black, CEO of Fractional CISO, which provides virtual CISO services to midsize companies. Even for the midsize, “it’s unlikely many of them are going to be able to afford a full-time person.”
Enlisting the services of a virtual CISO, or a channel pro who provides vCISO services, can be a more affordable option. Unlike a vCIO, who oversees the entire technology stack, a vCISO “is going to be very focused on the security program,” primarily around people and processes, says Black. This includes cybersecurity strategy, governance, risk assessment, and compliance.
Fractional CISO does not sell security solutions but does advise on product selection. Clients are billed a fixed quarterly fee and typically have a three-year agreement.
The heavy lift occurs at the beginning of an engagement when Fractional CISO assesses the client and designs the security program. Once that’s in place, Black says they interact with clients typically once a week or more if needed. “There’s always something that comes up. Maybe their cyber insurance is coming up for renewal,” he says, or a new vendor needs to be evaluated to see if it’s a good fit from a cybersecurity standpoint. “There’s also new threats all the time.”
Avtek Solutions, an MSP in Allen, Texas, offers vCISO services such as compliance along with its managed security services, which include a white-labeled SOC, but doesn’t market specifically as a vCISO. SMBs are “looking at solving the problem, not filling the role per se,” says Wayne Hunter, president and CEO. He adds that Avtek wants the client to have shared responsibility for the security program.
Avtek has separate teams for managed security and compliance as a service. “Security and compliance need to be separate because if you’re having the same team do it, then it’s a fox-in-the-henhouse situation.” The compliance-as-a-service team monitors “what’s being done at the technical stack all the way through their standard operating procedures to the actual policies that need to be in place and to what framework they’re having to meet from a regulatory standpoint.”
Tight Technologies, which calls itself a vCIO with a focus on security, rolls vCISO services into its offering, including developing incident response plans. “If you’re following security standards from NIST or any kind of ISO standards, you’re going to have written policies for everything, for your incident response, for disaster, for backups, natural disasters,” Turpin says. “So we do help develop them for clients and have for years.”
For channel pros looking to add vCISO to their portfolio, Black says the margins are professional service level but cautions that staffing can be a challenge.
“Can you get the folks with the right skill set? Oftentimes it’s the person who can do the policies and the procedures and help advise and [who] understands cyber insurance and can speak to senior management about security and build a security roadmap, more so than the technical skills.”