May 16, 2023 By Mike Elgan 2 min read

Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer.

A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership.

It’s a changing role in a changing world. But do you really need one?

How prevalent is the CISO title in 2023?

Many companies actually choose to not have a full-time, in-house CISO. A Navisite survey found that a whopping 45% of companies do not employ a CISO.

While the job has to be done, it doesn’t necessarily have to be done by a CISO. Some companies assign parts of that role to a chief information officer (CIO) or chief security officer (CSO). Some believe that a CIO or CSO title carries more weight with a board.

It helps when your head of cybersecurity sits on the board, so the board sees them as an influential equal. Yet only 12% of CISOs have seats on their company’s boards of directors.

And it matters whom the CISO reports to — the CEO, CIO or CFO. The org chart can help or hinder the project of making sure divisions work in harmony toward the goal of maximizing cybersecurity.

With or without a CISO, who can your company go to for security advice?

Every organization benefits from outside experience, whether they have a CISO or not. One way CISOs achieve this is by getting together and sharing war stories, solutions, best practices and threats.

And, of course, keeping up on the reading, training and educational sessions at conferences both virtual and in-person are important for every company’s security personnel.

But there are two powerful ways to infuse staff with the cybersecurity expertise you need. The first is to turn to top-level companies in the industry for guidance, workshops, advice and consulting.

The second is to hire outside expertise in the form of a virtual CISO, or vCISO.

What is a virtual CISO?

Some organizations choose a virtual CISO: someone who performs the role of a CISO, but who does not actually work directly for the organization.

There are many advantages to hiring a vCISO. It’s a way to bring in a more experienced person faster at a lower cost. Some organizations can use a vCISO for security hiring, including the hiring of a permanent CISO. Smaller organizations might use a vCISO to design and build an initial security and compliance program while doing without a vCISO or CISO later on. Additionally, the transition to zero trust is a major one, and it could make sense to bring in a vCISO to help design and execute that transition.

Another place where vCISOs come in handy is to manage the security and compliance dimension of a merger or acquisition. And vCISOs give you flexibility, plus the expert advice you need to make a host of decisions for your companies around compliance, third-party access to your networks, cloud architectures, IoT, risk management, security governance and more.

Whether your company employs a CISO, assigns those responsibilities to other C-level leaders or hires a vCISO, the goal should be strong cybersecurity leadership aligned both with leadership in general and also the goal of minimizing the costs and risks of cyberattacks.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today