Pub. 16 2021-22 Issue 1

NEBANKERS.ORG

TECH TALK

Should You Consider a vCISO Solution?

Shane Daniel, CPA, CISA, CIA, Information Security Consultant, SBS CyberSecurity, LLC

A Tested Solution to a Modern Problem

The strategic use of contracted resources to perform activities traditionally handled by internal staff and resources is a commonly used definition of business outsourcing. While the term vCISO (virtual chief information security officer) is a rather new designation for those in the C-suite, the solution model is rather mature.

What do vCISO arrangements look like?

vCISO outsourcing arrangements come in many varieties and are used by organizations of all sizes and sectors. The contracted service can be as limited as assisting information security staff with an assignment in which they lack expertise. Other outsourcing arrangements may call for the vCISO to perform all or several parts of the information security program. Under these arrangements, the organization should maintain an information security coordinator to supervise consulting activities adequately.

What are the benefits of hiring a professional expert?

1. Avoiding an Extended Recruitment Process — Even when offering competitive compensation, recruiting a CISO may take time and a significant monetary investment. Using a vCISO service provides immediate access to a team of cybersecurity experts, thus skipping a potentially lengthy, costly and risky recruitment process.

2. Varied Professional Knowledge — The skillset and knowledge base required for an effective information security program is constantly changing. Not only are professional consultants and advisors more apt to obtain and maintain professional certifications, but these individuals are also highly likely to be performing a similar role with other clients in your industry. That experience provides a consultant with an expansive skill set and unique perspective of best practices and trends.

3. Establishing a Fixed Cost — Using a contracted vCISO service solution allows the organization to fix the labor costs of information security, locking in a predictable cost over the contract term.

4. Providing Measurable Deliverables — A prolonged recruitment process and training period will delay the organization’s response time to address
