Working in cybersecurity can be exhausting. Not only must Information Security Officers (ISOs) be well-versed in the ever-changing world of technology, but they must also be experts in security, compliance, communication, and the business itself. As a bonus, they get to do all of this while playing from behind the 8-ball, as malicious actors continually try to steal their thunder.
It's no wonder a skilled ISO is a highly respected and sought-after individual. It's also no wonder ISOs are in short supply and have an extremely high turnover rate. According to a 2020 article by ZDNet, the average tenure of an ISO is 26 months due to high stress and burnout. 😲 This is a problem for many organizations, as having an ISO is a critical component of an effective information security program.
So, what do we do when we face a problem we cannot solve by ourselves? We outsource.
Outsourcing the ISO Function
A virtual ISO (or vISO) is the term used to describe a third party who assumes the role of an ISO for an organization. While there are conflicting perspectives regarding a vISO's responsibilities, for the purposes of this article, we are going to consider a vISO as the individual(s) solely responsible for an organization's information security operations.
vISOs have been growing in popularity in recent years. This isn't entirely a surprise, as there are some massive benefits to outsourcing the ISO function. For example, some benefits include:
- Potentially lower costs associated with outsourcing than hiring.
- Increased accessibility to knowledge and expertise related to information security.
- Improved stability which comes with a contractual third-party arrangement.
- Broader selection of possible candidates.
At this point, outsourcing to a vISO probably sounds pretty good. However, before you sign on the bottom line, there are four things you need to consider.
4 Things to Consider
Before we begin, please note, the purpose of these considerations is not to discourage outsourcing certain security functions. The purpose is to highlight some key risk factors and potential effects on your business. Our hope is to provide thoughts and commentary to help you navigate the murky waters of outsourcing, and ultimately, be more secure.
1. Perform thorough due diligence before hiring.
When you contract with a vISO, you are not hiring an employee, you are hiring a third-party service provider. This can be a benefit to your organization because they will bring their expertise and efficiencies. However, there is a risk involved as this third party will have an in-depth knowledge of your organization's inner workings, access to your sensitive organization and client data, and business-critical responsibilities.
While this is expected, you should not only perform the traditional due diligence which comes with hiring a new employee, you will also need to demonstrate extra care during contract negotiation and plan for ongoing vendor oversight.
2. There are many types of vISO relationships.
When you hire a vISO, are you hiring one person or are you hiring a team? This is important to consider, as it will have a direct impact on the service you receive and how you communicate with them. The following table provides some examples of positive and negative risks associated with centralized (one vISO) and decentralized (a team of vISOs) services.
| | Opportunity | Threat | Things to Consider |
|---|---|---|---|
| Centralized Service | Additional levels of personalization are brought to the program. | The possibility of a single point of failure. | If the individual becomes unable to perform the job, your organization may find itself back at square one. |
| Decentralized Service | Increased efficiency and additional staffing capabilities. | Lack of clarity in the event a single person is needed. | In a situation where everybody is responsible, who is really responsible? |
There's also the question of data separation and responsiveness. It is not likely you are the vISO's only client. In many circumstances, the reason hiring a vISO is cost effective is because their resources are shared among multiple clients. When outsourcing to a vISO, it is important to take appropriate steps to ensure the vISO can:
- Keep your data confidential and separate from the data of their other clients.
- Be available and respond promptly when you need them.
- Devote the time, attention, and resources necessary to fulfill your ISO role.
When determining whether to outsource to a vISO, it is important to consider all the possibilities and limitations involved.
3. The vISO must be a good "fit" for your organization.
A vISO works for a different organization and will likely have their own mission, vision, and values. Therefore, it is important to find a vISO whose business culture complements your own.
Most vISOs would not spend every day with your employees, engaging in your local community, and building relationships with your clients. Because of this, you need to consider if the vISO would be able to represent your organization well, if needed. There are many advantages a third party can bring to the table, but careful consideration should be made to make sure they are the right "fit."
4. You cannot abdicate accountability to a vISO.
All of this brings us to the pinnacle point. While you may be able to outsource some security responsibilities to a vISO, you cannot outsource accountability. The organization's senior management and Board of Directors will always be held ultimately accountable for all decisions and actions taken by the organization. This includes both the successes and the failures of the business.
According to the FFIEC, there are six key qualities of an ISO, including sufficient authority, stature within the organization, and independence. An ISO, and especially a CISO, is an integral part of an organization's senior management team. As such, they must be a trusted individual who is authorized to make business-altering decisions on their own. Corporate leadership needs to be confident in their vISO's ability to represent the business well and make independent decisions.
Alternatives to Outsourcing
While outsourcing to a vISO is a good solution for many organizations, there are a few other alternatives to consider.
- Create an information security committee within your organization to fulfill the role of the ISO. Include representation from applicable departments (e.g., technology, risk management, audit, senior management, etc.). Operating in a committee reduces the stress and workload often placed on a sole individual, as it allows multiple individuals with sufficient authority, stature, and independence to coordinate and perform the responsibilities of an ISO.
- Invest in your internal staff to grow an ISO. If you still wish to have or need a standalone ISO, consider investing in the growth of your internal staff by offering educational and certification opportunities. Additionally, keep in mind this position is susceptible to high burnout and turnover. As such, do what you can to keep the workload manageable.
- Get tools which can help make the job easier. For example, instead of making your ISO work in complex documents and spreadsheets to manage the organization's cybersecurity program, consider subscribing to a cybersecurity GRC software application like Tandem, an integrated suite of solutions, designed for ISOs in community financial institutions.
- Consider outsourcing part of your security operations. There are many benefits of outsourcing and more financial institutions turn to cybersecurity consultants every day. According to the Tandem State of Cybersecurity Report, the percentage of financial institutions who manage their cybersecurity programs with the support of third parties has increased from 70% to 78% since 2019. If you're looking for some consultants who can help with your information security, check out our list of Tandem Partners.
The question we're trying to answer is not whether outsourcing security operations is a good idea or not. The question is: "Are you outsourcing the work while maintaining proper responsibility?" Outsourcing to a vISO can provide a lot of efficiencies and bring stability to your organization's information security. As you consider outsourcing, it is important to consider all the challenges involved so you can select the right vISO for your organization.