“One CISO, please!”

If you’re trying to improve your business’s cybersecurity you’re going to encounter the concept—or rather role—of the CISO. The Chief Information Security Officer.

There’s a lot of discussion online about what a CISO does and who they (should) report to in an organization. To summarize it all very briefly, the CISO is in charge of leading the cybersecurity team and efforts of the business to ensure the business’s success. That means they aren’t security analysts reviewing alerts from network intrusion detection. Rather, they set the goals for cybersecurity, build the team, get the team rowing in the right direction, write cyber-policy, direct training, etc.

You run into the concept of the CISO early on when trying to build the security function of your business because it needs the leadership CISOs offer: they’re leaders, team builders, and strategists. Without leadership, you end up paying for risk assessments and penetration tests that ultimately don’t serve your business.

So if you need a cyber-leader, how much do they cost? Well, Forbes says they average $584,000 per year in salary, not including bonuses and equity (https://www.forbes.com/sites/forbestechcouncil/2023/02/28/why-hire-a-virtual-ciso-in-2023/). That’s extreme and not normal. According to Salary.com CISO salaries range between $220,000 and $275,000 per year with an average salary sitting in the ballpark of $250,000 (https://www.salary.com/research/salary/benchmark/chief-information-security-officer-salary).

Honestly, that’s a quarter of a million dollars a year that your business probably doesn’t have. But cybersecurity as a function (made of people, processes, and tools; not a feature built from software) needs leadership.

The odds are that you don’t need everything a $250K CISO brings to the table, and if you were to hire one they’d be overkill for your organization. Especially if you’re just getting started, what you need in the short term is a skilled cyber professional who can:

  • Evaluate risk and shortcomings and present them in terms that non-IT leaders understand

  • Build plans and strategies to mitigate risk

  • Set direction, write policy, and design procedures that work for your business

  • Manage vendors and security training

  • Set budget

There’s more strategy and documentation in those requirements than leadership. That’s because a new cyber function likely leverages existing personnel and fills gaps by buying services. With a sufficiently well-versed cybersecurity professional, you can manage the function while relying on your existing people and business-leadership practices. That sounds more like hiring a technical program manager (TPM) who works directly for the COO or CFO.

Returning to Salary.com, TPMs have an average salary of $150,000 per year, which is going to save you at least $100,000 while still sparing you the headache of making your COO manage the cybersecurity awareness training or the CFO manage the IT helpdesk vendor (https://www.salary.com/research/salary/posting/technical-program-manager-salary).

Alternatively, you can lean further into buy-over-build while your business continues to grow by bringing in an outside or virtual CISO (vCISO) to accomplish the specific functions you’re missing, while pairing them with empowered leaders within your organization to drive change. The vCISO functions as a strategist, coach, and consultant so that you get the cybersecurity help you need now while you lay a proper foundation that lets you continue to grow towards better safety and stewardship.

In contrast to any kind of full-time employee, a vCISO or security consultant can flex to meet you where you are and produce the change you need to see right now. Some vCISO services can be quite expensive, but for us that normally translates to about $4000 for our for-profit clients—or about one-fifth of the cost of a full-time CISO.
