2 am on a Friday night with all your servers and desktops encrypted by ransomware is not the best way to start a weekend. A security incident is just a symptom of a deeper underlying problem – usually that problem starts with the lack of security leadership.
Most small firms of up to 500 employees who fell victim to a ransomware attack did not have anyone to take care of their cybersecurity. They trusted their IT company or IT team to provide them with security, and IT guys do what they do best – install firewalls and antivirus products. Antivirus products and firewalls have never been successful against ransomware attacks, because these attacks are performed by live hackers, not by simple malware.
Yet even if they had a part-time or a full-time Chief Information Security Officer, they might still have been at the same level of risk.
Just having a general in your army does not guarantee victory or survival! Success depends on hundreds of factors, some entirely outside your control.
There are 7 major risks of working with a part-time CISO. Here they are:
- You did not know how to select someone to work part-time as your CISO
In our article, “How to hire a CISO – for HR and IT executives” we explain the factors to look for when hiring someone full-time or part-time. We also cover the selection criteria when you hire vCISO as a Service companies. It would be almost impossible to ‘wing it’ and be successful in hiring a part-time CISO for your small tech startup or SaaS firm. - You want to hire someone but do not plan to give them the executive support or budget to succeed
Chief Information Security Officers, even when working part-time or as a service, are expensive. One might think this investment should be enough to help your company stay protected – but it is not. Hiring a general and not providing them with the army, ammunition or military equipment will obviously lead to a failure. So why would anyone hire a CISO and not provide them with the resources they need to succeed? - The IT team or outsourced IT service company does not want to change their ways
IT teams are often the biggest saboteur or security efforts, in any company. Be it internal or external, the IT team will resist changing the way they did things for the past 10-15 years. Why should they? It is your job and your CISO’s job to communicate with them the changed threat landscape from when they started in IT and now. Ideally, you should change your contracts with your IT provider to include a clause about following your new security requirements to the letter. - You don’t know what they’re doing day in and day out
If you do not have a dashboard with all their daily, weekly and monthly tasks on display, with the ability to track what is going on, what is on their todo list and what has been completed in the past month, you may need to reconsider your hiring decision. - The risk of investing too much in things which add little to the security bottom line
Some ‘security experts’ like to play with technologies like kids like to play with toys. They would spend your money on their new toys just to play with them. And new ‘security toys’ come out faster than you can buy them. Even with an unlimited budget! Is your budget unlimited? - Mismatch between your tech stack and the defensive measures they implement
You might be trying to move to the Cloud, but if your part-time CISO is focused on the on-premises world, they will not help you move to a more modern tech stack, just because they are afraid of anything new or incapable of defending modern technologies. Either way, you risk losing your competitive edge on the market because of your hiring decisions. - Your CISO may choose the wrong focus for your Information Security Program Plan.
There are at least 18 distinct categories of defensive controls a company must implement. Every category has dozens to hundreds of separate security controls and all of them must be assigned a priority and urgency, based on the risks identified for your business. Let’s say they prioritize detection vs prevention and completely ignore response. That will mean you will get incidents all the time and won’t be able to respond to them properly. But you will be able to detect them! Prioritization of the right security controls at the right time is critical.