Real-World Examples Give Guidance on Which CISO Service is Right for You

Organizations are utilizing virtual CISO (vCISO) and CISO as a Service (CISOaaS) offerings more often, particularly in a tight and expensive cybersecurity job market. Companies choose these outsourced security options when they need cybersecurity strategy or operational leadership temporarily or on an ongoing basis. But how do you know which offering is right for you, and when is the right time to deploy each? Here, we summarize six client cases where we provided CISO support to give you real-world examples of when to use a virtual CISO, and when CISO as a Service is more appropriate.

The Value of CISO Services

Both types of CISO services are great options for solving problems, establishing a new cybersecurity program or extending an existing one, and accelerating desired change. Getting started is often the toughest step, but having a seasoned CISO guide your organization translates into saving money, improving efficiency, and greatly enhancing the quality of your cybersecurity outcomes.

Virtual CISO vs. CISO as a Service

Is there a difference between vCISO and CISO as a Service? Typically, a vCISO is an individual contributor who works on-site or virtually to help an organization by leading a project or initiative, or by solving specific advisory-type problems. CISO as a Service is more likely carried out by a team and can be tied to other services like cyber operations, cyber program management, or risk management. Both have advantages and fit particular needs better.

And, because CyLumena offers both services, it’s helpful to view them as a continuum where one often leads into the other as an organization’s needs evolve.

CISO Service Client Case Studies

As you read these use cases, the goal is to see scenarios of when other organizations decided they needed outside cybersecurity leadership or support. But, keep in mind that any CISO service provider should be willing to tailor the offering to your desired results, organizational culture, and cybersecurity maturity level.

While this case list isn’t exhaustive, it highlights the typical situations where clients have brought us in to provide cybersecurity leadership, guidance, and execution support to solve problems or reach timely goals.

Use Case #1: Increasing CISO Capacity

Company Type: High-Tech Life Sciences
Revenue/Size: $1B
Service Chosen: vCISO
Solution: Fixed-cost deliverable of strategy and organizational roadmap.

Synopsis: An incumbent CISO needed assistance in articulating the cybersecurity strategy to the organization, as well as building out its organizational roadmap. The organization was in a phase of rapid growth, and additional executive resources were needed to finalize the approach. The foundations of the strategy were already in place but required development. The current CISO didn’t have enough bandwidth to get it all done in time.


Use Case #2: Bridging & Recruiting CISO Leadership

Company Type: Industrial Company
Revenue/Size: $1.5B
Service Chosen: vCISO
Solution: Hourly engagement as part of a nine-month assignment to assume management of the current cyber program, define a leadership recruitment strategy, hire the resource, and transition the program to the new hire.

Synopsis: Through a combination of business reorganization and restructuring, this client found itself without a CISO. They chose a Virtual CISO option so that a seasoned CISO could review the program, make necessary changes, and hire a new CISO. Collaborating with human resources, the ideal candidate was identified and recruited while maintaining cybersecurity operations in the interim.


Use Case #3: Maturity via Outsourced CISO

Company Type: Small Manufacturing Company
Revenue/Size: $100M
Service Chosen: CISO as a Service
Solution: Define, build, and run a small cyber program. T&M based on 20–40 hours per month.

Synopsis: This small organization didn’t require a full-time CISO, but knew that they needed a solid foundation for their cybersecurity program. A virtual CISO solution allowed them to develop cyber capabilities, better position the cyber function, and use cybersecurity as a competitive advantage in their marketplace. The relationship not only gave them the thought leadership of an experienced CISO but gave them seamless access to other cyber capabilities and services.


Use Case #4: Customers Demand Cyber

Company Type: Small Manufacturing Company
Revenue/Size: $300M
Service Chosen: CISO as a Service
Solution: A small electronics parts designer and manufacturer needed help to develop a formal cyber, risk, and compliance program.

Synopsis: Small manufacturers and suppliers are increasingly being pressured by their customers to have sufficient cyber risk and compliance programs and to demonstrate their effectiveness. Typically, these customers are upstream product manufacturers and integrators. Despite having solid cyber practices in place, this client had not formalized their program nor tracked its performance at the enterprise level. The goal of this engagement was to bring the worlds of cyber, enterprise risk, and compliance together into one reporting framework. While the know-how to navigate the organization’s political waters toward institutional change was vital, most valuable was the experience and understanding of what the upstream manufacturers required. This was done as a six-month engagement, including program management services for the program.


Use Case #5: Cyber Program Launch

Company Type: Small Law Firm
Revenue/Size: $125M
Service Chosen: CISO as a Service
Solution: Build the foundation for a cyber program, incorporating the existing compliance program.

Synopsis: This client wanted to build a lightweight cyber program to bolster their current risk and compliance program. A primary driver was to begin holding their IT services provider, who was responsible for all IT functions, accountable for cyber. The organization had robust process controls, but little in the way of technology controls. This became a hybrid program development and third-party risk initiative in which additional controls were drafted and tracked. A new engagement approach was established with the IT services provider, providing the needed oversight and accountability. Metrics and SLA tracking were established along with an educational awareness program, alongside hiring their first dedicated security practitioner — a cyber program manager.


Use Case #6: Cyber Program Spending Re-alignment

Company Type: Life Sciences Laboratory Services Firm
Revenue/Size: $525M
Service Chosen: vCISO
Solution: A short-term engagement to review cybersecurity contracts grew into an analysis of all cyber spending.

Synopsis: The goal of the initial engagement was to review an MSSP renewal contract for value and suitability, but it quickly evolved to address a more substantial need to review all cyber spending. While the incumbent infosec director had a reliable program in place, the organization had seen significant growth and change, causing spending to become misaligned with the value and goals of the organization. Several aged contracts and vendors had grown lethargic over time. Not only were contracts, budgets, and technology reviewed and revamped, but the mindset and approach to outsourcing significantly improved, and spend was optimized without any budget increases. The CISO service more than paid for itself.


CISO Services Deliver Value and Flexible Support

Whether choosing a vCISO — one consultant to solve a problem or lead an initiative — or CISO as a Service — a full cyber team to run an operation or a larger-scale project — these CISO services can deliver tremendous value by making cyber executive leadership and support attainable and flexible, providing ‘agents for change’ and accelerating desired cyber outcomes for the business.


How could your organization use CISO services – vCISO or CISO as a Service – strategically to achieve your cybersecurity priorities, or to fill temporary gaps in leadership or during periods of growth?


Chris Hart, SDLC Partners

Insight Contributor:

Chris Hart, Director of Cybersecurity

With over 25 years of experience in information security and information asset protection, Chris brings a wealth of knowledge to the table. His depth of technical expertise, coupled with his ability to communicate complex problems and solutions to the boardroom, gives him a unique perspective on where the industry has been and where it is going.

He has served as CISO for small start-ups, as well as multi-billion-dollar global enterprises in bio-technology, life sciences, telecommunications, and R&D companies.