Working in cybersecurity can be exhausting. Not only must Information Security Officers (ISOs) be well-versed in the ever-changing world of technology, but they must also be experts in security, compliance, communication, and the business itself. As a bonus, they get to do all of this while playing from behind the 8-ball, as malicious actors continually try to steal their thunder. 

It's no wonder a skilled ISO is a highly respected and sought-after individual. It's also no wonder ISOs are in short supply and have an extremely high turnover rate. According to a 2020 article by ZDNet, the average tenure of an ISO is 26 months due to high stress and burnout. 😲 This is a problem for many organizations, as having an ISO is a critical component of an effective information security program. 

So, what do we do when we face a problem we cannot solve by ourselves? We outsource. 

Outsourcing the ISO Function 

A virtual ISO (or vISO) is the term used to describe a third party who assumes the role of an ISO for an organization. While there are conflicting perspectives regarding a vISO's responsibilities, for the purposes of this article, we are going to consider a vISO as the individual(s) solely responsible for an organization's information security operations. 

vISOs have been growing in popularity in recent years. This isn't entirely a surprise, as there are some massive benefits to outsourcing the ISO function. For example, some benefits include: 

  • Potentially lower costs for outsourcing than for hiring an employee. 
  • Increased accessibility to knowledge and expertise related to information security. 
  • Improved stability which comes with a contractual third-party arrangement.
  • Broader selection of possible candidates. 

At this point, outsourcing to a vISO probably sounds pretty good. However, before you sign on the bottom line, there are four things you need to consider. 

4 Things to Consider 

Before we begin, please note, the purpose of these considerations is not to discourage outsourcing certain security functions. The purpose is to highlight some key risk factors and potential effects on your business. Our hope is to provide thoughts and commentary to help you navigate the murky waters of outsourcing, and ultimately, be more secure. 

A vISO is not an employee.

When you contract with a vISO, you are not hiring an employee, you are hiring a third-party service provider. While they do indeed perform work for you, they do not work for you; they work for themselves or for their company. Inasmuch as this could be a benefit, it can also be a challenge. This third party will have an in-depth knowledge of your organization's inner workings, access to your sensitive organization and client data, and business-critical responsibilities. 

This being the case, you should not only perform the traditional due diligence which comes with hiring a new employee, you will also need to demonstrate extra care during contract negotiation and plan for ongoing vendor oversight. This is a bit of a "Catch-22," as you may be considering a vISO to help shoulder the burden of these exact duties. 

There are many types of vISO relationships.

When you hire a vISO, are you hiring one person or are you hiring a team? This is important to consider, as it will have a direct impact on the service you receive and how you communicate with them. The following table provides some examples of positive and negative risks associated with centralized (one vISO) and decentralized (a team of vISOs) services. 

Centralized Service (one vISO)
  Opportunity: Additional levels of personalization are brought to the program.
  Threat: The possibility of a single point of failure.
  Things to Consider: If the individual becomes unable to perform the job, your organization may find itself back at square one.

Decentralized Service (a team of vISOs)
  Opportunity: Increased efficiency and additional staffing capabilities.
  Threat: Lack of clarity in the event a single person is needed.
  Things to Consider: In a situation where everybody is responsible, who is really responsible?

There's also the question of exclusivity. Are you the vISO's only client? In many circumstances, the reason hiring a vISO is cost-effective is that their resources are shared among multiple clients. If the relationship is not exclusive, have you taken appropriate steps to ensure the vISO can: 

  • Keep your data confidential and separate from the data of their other clients? 
  • Be available and respond promptly when you need them? 
  • Devote the time, attention, and resources necessary to fulfill your ISO role? 

When determining whether to outsource to a vISO, it is important to consider all the possibilities and limitations involved. 

A vISO cannot know your organization like an employee.

A vISO works for a different organization. While certain business cultures can complement one another, a vISO would still have their own mission, vision, and values. Take into account whether these cultures and missions will work well with each other. 

Most vISOs would not spend every day with your employees, engaging in your local community, and building relationships with your clients. Because of this, you need to consider whether the vISO would be able to represent your organization in the same way as an on-staff ISO. There are many advantages a third party can bring to the table, but ultimately, they would function as a third-party extension of your business and not as an employee. 

You cannot abdicate accountability to a vISO.

All of this brings us to the most important point. While you may be able to outsource some security responsibilities to a vISO, you cannot outsource accountability. The organization's senior management and Board of Directors will always be held ultimately accountable for all decisions and actions taken by the organization. This includes both the successes and the failures of the business. 

According to the FFIEC, there are six key qualities of an ISO, including sufficient authority, stature within the organization, and independence. An ISO, and especially a CISO, is an integral part of an organization's senior management team. As such, they must be a trusted individual who is authorized to make business-altering decisions on their own. If corporate leadership is confident a vISO can represent the business well and make independent decisions, it may be a viable choice, but it remains one of notable risk, nonetheless. 

So, what should you do? 

Before you decide to fully outsource to a vISO, consider this alternative path to filling an ISO role. 

  • Create an information security committee within your organization to fulfill the role of the ISO. Include representation from applicable departments (e.g., technology, risk management, audit, senior management, etc.). Operating in a committee reduces the stress and workload often placed on a sole individual, as it allows multiple individuals with sufficient authority, stature, and independence to coordinate and perform the responsibilities of an ISO. 
  • Invest in your internal staff to grow an ISO. If you still wish to have or need a standalone ISO, consider investing in the growth of your internal staff by offering educational and certification opportunities. Additionally, keep in mind this position is susceptible to high burnout and turnover. As such, do what you can to keep the workload manageable. 
  • Get tools which can help make the job easier. For example, instead of making your ISO work in complex documents and spreadsheets to manage the organization's cybersecurity program, consider subscribing to a cybersecurity GRC software application like Tandem, an integrated suite of solutions designed for ISOs in community financial institutions. 
  • Consider outsourcing part of your security operations. There are many benefits of outsourcing, and more financial institutions turn to cybersecurity consultants every day. According to the Tandem State of Cybersecurity Report, the percentage of financial institutions that manage their cybersecurity programs with the support of third parties has increased from 70% to 78% since 2019. If you're looking for some consultants who can help with your information security, check out our list of Tandem Partners. 

The question we're trying to answer is not whether outsourcing security operations is a good idea or not. The question is: "How much and what responsibilities should you outsource?" While it may be tempting to outsource everything to a standalone vISO, it poses some challenges. Depending on the size and complexity of your organization, an appropriate approach might include employing an individual in the role of ISO, supplementing this person with third-party experts, investing in a long-term plan for their growth, and maintaining ownership of your organization's security.