May 16, 2023 By Mike Elgan 2 min read

Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer.

A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership.

It’s a changing role in a changing world. But do you really need one?

How prevalent is the CISO title in 2023?

Many companies actually choose to not have a full-time, in-house CISO. A Navisite survey found that a whopping 45% of companies do not employ a CISO.

While the job has to be done, it doesn’t necessarily have to be done by a CISO. Some companies assign parts of that role to a chief information officer (CIO) or chief security officer (CSO). Some believe that a CIO or CSO title carries more weight with a board.

It helps when your head of cybersecurity sits on the board, so the board sees them as an influential equal. Yet only 12% of CISOs have seats on their company’s boards of directors.

And it matters whom the CISO reports to — the CEO, CIO or CFO. The org chart can help or hinder the project of making sure divisions work in harmony toward the goal of maximizing cybersecurity.

With or without a CISO, who can your company go to for security advice?

Every organization benefits from outside experience, whether it has a CISO or not. One way CISOs achieve this is by getting together and sharing war stories, solutions, best practices and threats.

And, of course, keeping up with reading, training and educational sessions at conferences, both virtual and in-person, is important for every company’s security personnel.

But there are two powerful ways to infuse staff with the cybersecurity expertise you need. The first is to turn to top-level companies in the industry for guidance, workshops, advice and consulting.

The second is to hire outside expertise in the form of a virtual CISO, or vCISO.

What is a virtual CISO?

Some organizations choose a virtual CISO: someone who performs the role of a CISO, but who does not actually work directly for the organization.

There are many advantages to hiring a vCISO. It’s a way to bring in a more experienced person faster at a lower cost. Some organizations use a vCISO for security hiring, including the hiring of a permanent CISO. Smaller organizations might use a vCISO to design and build an initial security and compliance program, then operate without either a vCISO or a CISO afterward. Additionally, the transition to zero trust is a major one, and it could make sense to bring in a vCISO to help design and execute that transition.

Another place where vCISOs come in handy is managing the security and compliance dimension of a merger or acquisition. And vCISOs give you flexibility, plus the expert advice you need to make a host of decisions for your company around compliance, third-party access to your networks, cloud architectures, IoT, risk management, security governance and more.

Whether your company employs a CISO, assigns those responsibilities to other C-level leaders or hires a vCISO, the goal should be strong cybersecurity leadership that is aligned both with the broader leadership team and with the goal of minimizing the costs and risks of cyberattacks.
