A day in the life of a virtual CISO: speaking the board’s language

Like other forms of as-a-service offerings, cybersecurity-as-a-service can be an appealing option for organisations looking to dynamically navigate the broader cyber threat landscape while still keeping costs in check.

For organisations that don’t have these internal resources but still require C-level security expertise to underpin their security operations, a virtual CISO may be the way to go.

To be a virtual CISO, you have to be prepared to quickly get under the skin of the organisation you’re working with – wherever they are in the world – to deliver outcomes to the board, senior and middle management that will tangibly improve their cyber security posture.

A virtual CISO helps organisations to shape the cyber security strategy, bridge resource gaps and direct the cyber security programme.

Each organisation has its own unique security profile, shaped by the threats and risks they face. However, many experience the same challenges:

• Some are unaware of the extent of consequences when a cyber attack or breach occurs
• Some IT teams do not consider security an essential part of their operations
• Some businesses do not understand that security is integral to their processes, and ultimately, their success.

These challenges, coupled with the fact that technology risks are often hard to communicate to the board, can make it hard for businesses to build a robust cyber security posture.

So what does a virtual CISO do and how can they help address these challenges?

Communicating cyber risks to senior management

While no single day will ever be the same for a virtual CISO, there are some key things we do to help businesses overcome their security challenges– the most important being giving the senior management the knowledge they need to understand and appreciate the cyber risks their business faces.

Part of this involves having the answers to the expected ‘so what?’ questions from the senior teams. These questions can vary but will often reflect the following:

• “So what if we don’t have a policy?” You run the risk of not having the governance to protect you and your customers data, which may mean a loss of customers, regulatory scrutiny or financial penalty.

• “So what if we don’t patch our systems in time?” This could lead to a vulnerability that is exploited, leading to unavailable systems and loss of data. The impact of which could result in unexpected loss of profitability, performance and revenue.

• “So what if we don’t have the right key performance indicators?” Senior management won’t have an understanding of how security expenditure is performing or the rising risk in operations.

Identifying benefits and opportunities for the board

The next challenge of a virtual CISO’s role is identifying the cyber security improvements that can be made and the benefits of doing so. This involves engaging with key stakeholders across the board –CEOs, CFOs, CTOs, CIOs or IT operations, as well as CROs.

How this is achieved depends on who you are engaging with, but it often boils down to a number of things. One being speaking their language.

CEO

CEOs focus on strategy, operations, regulations and compliance, as well as financial growth – so, it’s important to discuss cyber risk and resilience in the context of these five key areas. This ensures that they know that you are linking everything back to the reduction of risk to the performance and profitability of the business.

CFO

When speaking to financial stakeholders in a business, a lot of work goes into changing their thinking around cyber security. Many see it as a costly overhead – not something which could benefit the commercial growth of the business.

So, the main challenge here is explaining the cost to the business when recovering from a potential incident. Once this has been achieved, a virtual CISO can help them see the value in regularly testing their incident response capability and their wider crisis management response. This will include getting them to consider how they will forecast growth at critical points in the business calendar, and how they are going to report to the board on the cost to revenue.

CTO/CIO and IT operations

The role of the CTO or CIO cannot be underestimated. Competing demands often see IT operations focused on system and data availability, but not the security of these systems. This is often no fault of their own – the burden on the business and especially the IT team is quite demanding.

In this instance, the direction a virtual CISO brings can be incredibly valuable, and see businesses successfully pass a regulator audit and improve their control posture and risk profile.

CRO

Working with the CRO is usually the most interesting type of board engagement. Why? Because we talk risk! While the CRO focus is on business risk, bringing cyber risk into perspective helps the CRO gain a comprehensive view of their overall environment.

CRO’s are not typically technically minded and helping them to understand how a technical risk may impact the business in non-technical terms is very beneficial. It brings home the need to protect data and systems based onrisk appetite and helps the conversation when there is a request for spend.

The real-world impact of a virtual CISO

In my time as a security professional, I have seen the impact on business departments and individuals when there is a breach –whether this is confined to internal teams, or when it is an external incident. The fallout can impact IT, legal, compliance, finance as well as the security team.

What isn’t seen is the impact on lives outside of work, when teams have to deal with the impact of a breach and the way it consumes minutes, hours and days. Emotions run high, stress and pressure increases.

Having these stories at the forefront of my mind whenever, wherever and whoever I’m advising helps me to bring the realities to life for my client.

And that’s why a virtual CISO can be so valuable to a business. We offer a wealth of experience and knowledge gained from working with organisations through the good and the bad. Our ultimate goal is to ensure that businesses have the tools they need to build robust cyber security postures.