Cyberattacks are on the rise. Data from 2023 shows organizations facing a shocking average of 1248 attacks per week. Experts predict the global cost of cyber crime for this year to top $8 trillion.
It is easier than ever for individuals or groups to access ransomware and other malware kits. Still, cybersecurity teams are stretched thin, especially in smaller businesses. These organizations have weaker security and are less likely to attract a strong law enforcement response than high-profile structures. And so, they are becoming a key cybercriminal target. For many such businesses, it is a question of when, not if, they will fall victim to such an attack.
Despite this threat, many SMBs can’t afford to employ someone to manage their cybersecurity, or fill such a position. How can they nonetheless access the technical expertise needed to shore up their cyber defenses? Enter the virtual Chief Information Security Officer, or vCISO.
Startup Cynomi just launched the first directory of vCISO providers – MSPs and MSSPs in Northern America. Founder and CEO David Primor helped me get a better grasp of the need at hand, the solution vCISO services provide, and the benefits that the vCISO Directory will bring to businesses.
What is a CISO, and why is this role so necessary?
A Chief Information Security Officer – or CISO – is the person in charge of the organization’s cybersecurity and compliance. They are responsible for establishing security strategy, and ensuring that the company’s assets are protected from external and internal cyber threats.
Given this need, why is it difficult or undesirable for many companies to employ one?
While most big enterprises hire an in-house CISO for a range of about $200k to $350k annually, small and medium-sized businesses typically can’t afford to employ such a professional. In many cases they actually do not need a CISO to fill this role full time.
Most often, all they need is an external part-time resource who is responsible for the company’s cyber security. This is the vCISO.
What kinds of companies tend to face these challenges?
Nowadays every company, regardless of its size, is a target for cyber criminals. Hackers simply realize that smaller organizations typically lack the resources, security expertise and enterprise-class security tools that cybercriminals typically have to evade in larger organizations, and so they target SMBs.
SMBs face increasing challenges when it comes to cybersecurity and compliance. They have to protect themselves from ever-growing cyber threats, comply with increasing regulation requirements and meet cyber insurance demands. As such, cybersecurity has become a priority across the board. This is true for all kinds of SMBs, regardless of the industry or vertical they operate in.
What is a virtual CISO (vCISO)? What are the advantages of using vCISO services, rather than hiring a person?
Where a regular CISO is responsible for developing and implementing an organization’s information security program, a virtual CISO or vCISO has the same responsibilities but for more than one company. The vCISO is typically responsible for the overall security and compliance of the company. Responsibilities include security strategy, security architecture, and communication of the organization’s cybersecurity posture to key stakeholders.
The vCISO role is also known as “fractional CISO” and “CISO as a service”. vCISO services can be provided by individual security practitioners, consultants, or by trusted partners such as MSPs and MSSPs.
The main advantage of using a vCISO instead of employing a full-time CISO is the lower cost. This allows organizations that can’t afford to hire a CISO to build up their cyber resilience nonetheless.
Your company, Cynomi, is a vCISO platform. What does that mean?
A vCISO platform is software that supports the vCISO by automating some of their work. It typically leverages AI to do most of the manual repetitive work of the virtual CISO. This saves time and makes the whole process more efficient and effective.
Some vCISO platforms, such as Cynomi’s, encompass the knowledge and expertise of experienced CISOs and thus can guide the user through the process of cybersecurity strategy creation.
What kinds of companies use your platform? How does it utilize AI to benefit them?
Our main users are MSPs and MSSPs that provide vCISO services, or ones that are starting to offer them, to their end customers. The platform supports their day-to-day work as it streamlines their tasks and automates a significant portion of their time-consuming manual work. Along with CISO-level knowhow, AI allows this to be done in the most efficient way, through automatic customization, risk assessment, and prioritization of tasks by their potential impact.
You recently launched the first vCISO Directory. Why did you decide that collating this list of vCISO providers was important?
More and more SMBs are looking to engage with a service provider to address their cybersecurity management needs. As a result, the demand for virtual CISOs is rising. Working in this market, we learnt that many SMBs looking for vCISOs struggle to find the right service provider for them. Most don’t even know what to look for, where to look for it, and how to choose the right individual or company to work with. We came up with this directory to help those SMBs find vCISO service providers and make an informed decision when selecting one.
How many providers are currently listed, and what details about them does the Directory include?
As of today, the directory includes about 250 vCISO service providers. We keep receiving more requests from providers asking to be listed. The directory currently covers only the U.S. but we are planning to expand it to other regions in the future.
What is your key advice to businesses trying to become more proactive about their cybersecurity?
Like in many other areas, the first step is acknowledgement. Once you acknowledge that, as a business owner or manager, you need to take care of your security and make it a priority, you are halfway there. The next step is to consult with a cybersecurity expert. It could be the MSSP or MSP you work with, a cybersecurity advisor, a professional vCISO or an employee who has the required expertise. From that point, make sure you have someone in charge of your IT security, and ensure this person sees the whole picture and can build a security strategy and plan.