11 Jan 2021

Why you need a CISO function

The role of the Chief Information Security Officer (CISO) is to make sure a company is adequately protected against the changing, complex threat landscape.

We’ve outlined what a capable CISO should look like, and recommendations on how you can source one.


How has the CISO role evolved?

Back when cyber security was seen as an operational technology issue, the relatively new CISO role was an entirely technology-focused role. Fast forward a few years and the role has taken a dramatic turn, becoming far more central to managing enterprise risk. With the changing threat landscape, cyber security is now perceived as a strategic technology issue and a business-wide need. Whilst many businesses can run perfectly well without an in-house IT department, having a cyber security expert on hand helps prevent attacks and minimise damage and loss.

CISOs are also expected not only to possess the fundamental technical expertise and skills, but also to be strong in leadership and in understanding security priorities from a business perspective.


Investing in a CISO: Key Capabilities

A CISO is a critical member of the executive team, and these are the top capabilities they must have. Today’s security landscape needs security leaders with broader skills and capabilities, not all of which are technical in nature.


Security knowledge

Obviously, the CISO should have vast security knowledge and understand the technical environment. This allows them to identify goals and execute security initiatives within the business whenever a decision needs to be made.

Security knowledge goes beyond identifying potential threats. CISOs understand that the security landscape is shifting and has become much more complex. With complexity comes the need to be more agile and conscious.

A conscious CISO recognises that there are various solutions to tackle security issues, but security solutions aren’t ‘one size fits all’. Not all security products and services complement one another, and not all solutions fit a business’s requirements. That’s why it’s crucial that the security strategy is tailored to the architecture of the company.

Regulatory rules are constantly changing, but the most common pressure currently is data-centric, focused on data privacy and protection, mostly accelerated by the pandemic. Rapid changes require adaptability to situations, and CISOs should be able to find the balance between data security and compliance requirements.

Security architecture plays a pivotal role in the life of a CISO. They should make sure that IT and network infrastructure is designed with security best practices in mind. As part of that, a CISO should keep in mind that they are working in line with various security frameworks. Working with these guidelines gives the CISO guidance on designing, implementing and measuring tailored security solutions.

With businesses constantly evolving, look for a CISO who is also committed to their own personal development. Are they interested in acquiring certifications? Training and development programs not only help the CISO but also give value to the business as these programs will have up-to-date industry knowledge and information regarding emerging technologies.


Leadership and executive presence

There is no way of knowing when your business might be the next target of an attack that causes widespread disruption, possibly resulting in downtime and restricting business continuity. CISOs should have the ability and drive to make tough decisions in a timely manner, particularly during unpredictable situations. Whilst CISOs oversee all security operations and decisions, a leader will also be able to influence other executives by outlining the solution and aligning it with the security goals and objectives of the business. When identifying and assessing threats, CISOs should be able to translate the risks into language that other executives can understand.


Strategy planner

One of the most important things to consider is whether a CISO can establish a successful and effective security programme by developing a process for determining a security strategy. Your CISO should align this with company goals and work strategically and proactively to prepare both short-term and long-term plans.

They should also work to determine how security investments can bring value to the business. Deep business knowledge is key to providing business-centric advice on how risk management can help. A good strategy planner ensures that security resources and business resources are aligned with one another in order to deliver the anticipated results.


In-House vs vCISO

Deciding whether to hire a CISO in-house or work with a virtual CISO (vCISO) from an MSP can be challenging. Looked at purely from a cost perspective, outsourcing is considerably cheaper. Hiring an in-house CISO means an estimated cost exceeding £77,000 ($105,000), and it’s important to note that this is entry-level. Someone who is vastly experienced will take home roughly £118,000 ($161,000) annually. If this doesn’t fit your budget, you may want to consider a vCISO. Working with a provider gives you the expertise and oversight of a CISO at a reduced cost, most likely on a monthly subscription.

Beyond salary, you would also have to factor in recruitment and training, which take up both time and money. Working with a vCISO means your provider equips you with an experienced expert. Your recruitment team may not know exactly what your business needs or which expertise would benefit you. A security provider specialises in hiring the right individuals to support a wide range of customer security needs, so they can tell you what you require and when.

vCISOs are widely available, and we know that cyber breaches do not come with a time stamp, so you need someone who is reliable and can offer 24/7 support. Adequate governance of cyber security policies is also important. A dedicated vCISO will keep their knowledge up to date as security measures, threats and vulnerabilities evolve.


Cyber criminals are becoming more sophisticated, constantly changing their tactics and using new methods to attack businesses. To avoid being left behind and to stand a better chance of protecting your business, consider a new approach to security. Your current team can focus on prevention, but CISOs understand cyber resilience, so they are well aware that prevention alone isn’t enough to keep attackers out. They will work with you to develop a foolproof plan based on prevention, detection and response.

Looking to learn more about the vCISO? Get in touch with our security experts today and find out more about how sharing the burden of your cyber security responsibilities can help your business.

By OryxAlign