Happy New Year everybody!!
I wish that all of my friends and family out there, and people soon to
be met have all of their dreams come true this year. 2022 was for sure a challenging one, and even
for me personally. Let’s hope that the
world will be a better place this year, and that we can all live in peace and
harmony together.
Well, back to work.
In yesterday’s blog, I wrote about some of the top Cyber trends that are going
to happen this year. I concluded it
by simply saying nobody knows for sure if they will happen. But in today’s blog, I want to make my own,
big prediction for 2023.
You may be asking what is it? Well, it is literally the death of the CISO
role. Why do I say it? Look at the world around us. Everything is all digital, and the workforce
is pretty much all remote.
Even the talk of a Hybrid based work environment really has
not taken off, as many workers will choose to WFH, brought on primarily by the COVID-19
pandemic. Businesses are abandoning their
once traditional brick and mortar locations, in favor of renting much
cheaper virtual offices.
Plus, given the uncertainty of the financial markets, the tech
layoffs, and inflation, many companies are going to simply hold onto the cash
on their balance sheets until things stabilize some more.
So with all of this, the end of the CISO is now at hand, giving
further rise to the role of the vCISO.
With the former, a lot of expense was paid out in hiring, salary, and offering
lucrative benefits. But with the latter,
all of that is gone.
You hire someone on a contract basis, for a fixed fee that is
just a fraction of what it would take to hire a CISO full time for one
year. Of course, there are many other
benefits of having a vCISO, such as scalability, access to greater resources,
etc.
But now that this is going to be the trend this year, what
will be expected of the vCISO? Here are
some clues:
1) May or may not have control over:
When a vCISO comes into work for
you, they typically don’t waste any time.
Usually all that they need is a few hours of orientation at most, and
off they start working. So, the question
now comes: What happens if there is
indeed a security breach that happens under their watch? Under the new laws, it is supposed to be
reported to federal or state authorities within a short time, like 24-48
hours, and no longer than that. If this is
the case, then the chances of getting audited are even higher than normal. But since a vCISO is a contracted employee,
what should they do? Should it be left
to the other members of the C-Suite? No
matter what the situation might be, the vCISO is still viewed to be at the top
of the chain of command when it comes to the security of the business with whom
they are contracted to work. In
other words, the buck literally stops with them. So yes, in the end, it is still expected that
the vCISO will report any breaches quickly.
But there will be pressure put upon him or her in the manner the breach
should be reported. For example, other
members of the C-Suite may want to word the language in any communications in
such a way that there will be minimal damage to the bottom line, and any loss
to brand and reputation. In the end, it
may be even wiser to hire a PR company for relaying these kinds of
communications, and even other types as well.
2) Responding to a breach:
This is where the role of the
Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC)
plans will come into play. But since the
vCISO is once again a contracted employee, whose responsibility is it to make
sure that these documents are created, tested, and enforced? Once again, it will be that of the
vCISO. After all, that is why you hired
him or her, so that your business will be able to respond quickly in case a disaster
does happen. Since most vCISOs are on a fixed
contract basis, they will make sure that this is a priority and will get it done
quickly. They are not going to waste any
time. So now the question that comes
into mind is if there is no vCISO, or they are in between contracts, who is the
next person to take charge of all of this?
Well, naturally it would be the next in line, which is most likely the
head or manager of the IT Security team.
This brings up another important point:
Your company will have to work out a line of succession in case there
are periods of time in which you have no vCISO on hand.
3) Working with the C-Suite and above:
Technically speaking, if the vCISO
is hired on a 1099 basis, then all that he or she has to do is simply the job
tasks that have been discussed and outlined specifically in their contract. This means that they are totally immune to
any company politics, or anything else like that. Also, the only people that they need to
interact with are the ones that provide the resources that will be required to get
their job done. But as we now forge ahead
into 2023, this mindset is going to shift drastically. This means that the vCISO is going to have to
step outside of the bounds of their contract, and try to establish relationships
with the other members of the C-Suite as well as the Board of Directors. Also, they will be expected to establish their
lines of communications with them in such a way that it is understandable, free
from techno jargon, but above all, conveys what the actions taken mean to the bottom
line. Also, it will be up to the vCISO
to make sure that Cybersecurity remains a top issue with the others in the C-Suite
and the Board as well. Ultimately in the
end, it will be once again the vCISO who will also be held responsible for maintaining
clear lines of communications with everybody in the company, in a top-down
manner. The bottom line is that you should
be able to provide the answer to this question all the time: “Why should I care?”
My Thoughts On This:
In the end, the vCISO is always going to be in the hot
seat. But the beauty about this role is that
it can be terminated and another replacement found, in a rather quick
fashion. Heck, there are over 3,000
Cybersecurity companies, and I would say it would be safe to say that most of
them have some kind of vCISO services that you can make use of.
I also get asked about the role of the CIO. Truthfully speaking, this is pretty much a phased-out
title now. I have never really seen it being
used any more, as the role of the vCISO has now taken root.