Businesses are looking for skilled professionals who can provide the services of a virtual chief information officer (vCIO) or, specifically, to address cybersecurity, a virtual chief information security officer (vCISO).
Building a strategy and effectively managing IT is growing increasingly complicated for businesses. For business leadership whose core competency may be, for example, retail, manufacturing, healthcare, education or government administration, the fact that every company is now a tech company can be a challenging reality. As companies advance their digital transformations, they need someone in the C-suite who can make sure that their tech investments align with business goals. Furthermore, as they expand their networks and deploy more cloud solutions, they need someone to ensure they aren’t creating new risks and vulnerabilities that could result in cyberattacks and data breaches.
Taking the role of a vCIO or vCISO is different from providing managed services. The biggest contrast is that your priority as a virtual member of the C-suite isn’t selling solutions. Instead, for a monthly or quarterly fee, you assess needs from the client’s perspective and consult with their team to create an IT strategy, a workable budget, and a timeline for solution implementation. In some cases, the client prefers to work with a different company for managed services to ensure that the decisions their vCIO makes aren’t influenced by the vCIO’s own interests.
The Higher Demand for vCISO
There are several reasons that vCISO services, rather than more generalized vCIO services, may open more doors and result in more growth for your company:
- Good help is hard to find: Research for the fourth annual Life and Times of Cybersecurity Professionals 2020 report from Enterprise Strategy Group (ESG), in cooperation with the Information Systems Security Association International (ISSA), found that 45 percent of security professionals say the cybersecurity skills shortage has become more serious over the past few years. With fewer skilled people available to fill CISO positions at businesses and enterprises, a vCISO becomes a good option.
- Good help comes at a cost: The shortage of skilled professionals in cybersecurity has made average salaries rise. Some businesses may not be able to afford to have a CISO in house, even if they have a CIO.
- Cybersecurity takes time: An in-house CIO may be the leader requesting vCISO services. The changing nature of the threat and regulatory landscapes may be more than the CIO can address along with his or her other duties. A vCISO can focus on security alone, devoting full attention to technology that identifies threats and stops them.
- Greater effectiveness: Businesses without cybersecurity expertise may take ineffective approaches. Some may deploy cybersecurity solutions without a strategy and hope for the best, or throw money at solutions they don’t understand. Either way, their investments may not adequately protect their businesses, and they may still face fines for noncompliance or data breaches. A vCISO will develop the most effective strategy for the business, one that provides the maximum level of security possible.
Additionally, research for the ESG-ISSA report found that there is an overall lack of strategy in the cybersecurity specialty. The report states, “There is a continuous lack of training, career development, and long-term planning. As a result, cybersecurity professionals often muddle through their careers with little direction, jumping from job to job and enhancing their skill sets on the fly rather than in any systematic way. This, combined with the continued cybersecurity skills shortage, has stalled cybersecurity progress.”
The current state of the profession may create opportunities for skilled vCISOs who have the determination, focus and leadership abilities to provide real value to their clients.
Your Work Is Just Beginning
If you decide that specializing as a vCISO would be beneficial to your business, the ESG-ISSA report includes some valuable facts and advice:
- Experience is vital: 52 percent of cybersecurity professionals say hands-on experience is the most important factor in career development. Additionally, 44 percent say certifications are just as important. The report’s authors stress that learning to manage security isn’t purely academic. As you pursue certifications, it’s important to get first-hand experience under your belt as well.
- Expertise takes time: Developing the experience necessary to offer CISO services successfully isn’t a six-week program. ESG-ISSA research found that 39 percent of professionals say it takes from three to five years to master this field—and 18 percent say it takes more than five years.
MSPs who have provided security solutions to their clients and have taken advantage of vendor and industry education opportunities may have a head start on the timeline. Your track record as a trusted advisor may also have paved the way for you to become a vCISO. Building an offering that leverages your expertise and leadership could be the next milestone in your business’s growth and success.