Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer.

A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership.

It’s a changing role in a changing world. But do you really need one?

How Prevalent is the CISO Title in 2023?

Many companies actually choose to not have a full-time, in-house CISO. A Navisite survey found that a whopping 45% of companies do not employ a CISO.

While the job has to be done, it doesn’t necessarily have to be done by a CISO. Some companies assign parts of that role to a chief information officer (CIO) or chief security officer (CSO). Some believe that a CIO or CSO title carries more weight with a board.

It helps when your head of cybersecurity sits on the board, so the board sees them as an influential equal. Yet only 12% of CISOs have seats on their company’s boards of directors.

And it matters whom the CISO reports to — the CEO, CIO or CFO. The org chart can help or hinder the project of making sure divisions work in harmony toward the goal of maximizing cybersecurity.

With or Without a CISO, Who Can Your Company Go to for Security Advice?

Every organization benefits from outside experience, whether they have a CISO or not. One way CISOs achieve this is by getting together and sharing war stories, solutions, best practices and threats.

And, of course, keeping up on the reading, training and educational sessions at conferences, both virtual and in-person, is important for every company’s security personnel.

But there are two powerful ways to infuse staff with the cybersecurity expertise you need. The first is to turn to top-level companies in the industry for guidance, workshops, advice and consulting.

The second is to hire outside expertise in the form of a virtual CISO, or vCISO.

What is a Virtual CISO?

Some organizations choose a virtual CISO: someone who performs the role of a CISO, but who does not actually work directly for the organization.

There are many advantages to hiring a vCISO. It’s a way to bring in a more experienced person faster at a lower cost. Some organizations can use a vCISO for security hiring, including the hiring of a permanent CISO. Smaller organizations might use a vCISO to design and build an initial security and compliance program while doing without a vCISO or CISO later on. Additionally, the transition to zero trust is a major one, and it could make sense to bring in a vCISO to help design and execute that transition.

Another place where vCISOs come in handy is in managing the security and compliance dimension of a merger or acquisition. And vCISOs give you flexibility, plus the expert advice you need to make a host of decisions for your company around compliance, third-party access to your networks, cloud architectures, IoT, risk management, security governance and more.

Whether your company employs a CISO, assigns those responsibilities to other C-level leaders or hires a vCISO, the goal should be strong cybersecurity leadership aligned both with leadership in general and with the goal of minimizing the costs and risks of cyberattacks.
