Developing a cybersecurity function can be resource-intensive, error-prone, and expensive. As with other solutions in product and engineering, implementation incurs ongoing costs, and maintaining solutions requires continuous effort. Before you begin implementing a security function, you should ask what you're trying to accomplish. Security for security's sake drains resources from revenue-generating functions, restricting customer acquisition and product development. You may feel comfortable defining customer and performance OKRs (Objectives and Key Results) and KPIs (Key Performance Indicators). However, making a security decision without the appropriate data to drive it can be daunting. In mature, developed organizations, these responsibilities sit within the security function led by the Chief Information Security Officer (CISO).
A complete security function has several components:
Security Operations Centers (SOC)
Offensive security, e.g., red teaming and penetration testing
Application, mobile, and cloud security
Security architecture
Security awareness & training
Each of these streams can provide value to your organization; however, based on the threats you face, your controls, and the resources you possess, some may offer a greater return on investment than others. If you've identified one or more problem areas that warrant the development of one of the streams, it's crucial to consider how future streams will integrate. Implementing solutions capable of evolving alongside each other and your organization is vital.
In this article, we'll define the concept of a virtual Chief Information Security Officer (vCISO), how vCISO services help solve some of the problems described, what to expect if you're going to be working with a vCISO, and discuss how to approach the recruiting process.
Summary of key vCISO concepts
Concept
Description
The cybersecurity landscape for startups
Startups often find COTS (Commercial Off The Shelf) security solutions too expensive and complex, while open-source options lack functionality and require continuous maintenance, leaving them to manage security manually with poor visibility. Startups that adopt security principles such as defense-in-depth and least privilege as they grow can smooth the transition to a more mature and secure operational state, even if they initially prioritize product and customer needs over security.
What is a vCISO?
Mature organizations hire a Head of Security or CISO when security demands warrant a dedicated function. They often expand their team and define clear responsibilities. For those unable to justify a full-time CISO, a vCISO offers flexible guidance and direction to establish strong security foundations and engineering resilience.
Startup cybersecurity challenges and how to overcome them
Budget constraints often lead organizations to consider a vCISO. They can provide flexible security expertise at a lower cost than full-time hires. A vCISO helps lay security foundations, direct strategy, and address focused tasks, such as security engineering solutions, compliance objectives, and providing cybersecurity leadership tailored to organizational needs.
Future of startup cybersecurity
"Shift-left security" is an industry term focused on engineering, but it often overlooks the importance of establishing a solid security culture early in a business's development. Security solutions like productized cybersecurity services, vCISOs, COTS offerings, and professional services are evolving to help young companies integrate security from the start, making maturity steps feel like natural progressions rather than abrupt changes.
The cybersecurity landscape for startups
For startups, COTS security solutions are expensive, often overkill, and require extensive configuration. Alternatively, open-source solutions rarely offer the same level of functionality, continuously require maintenance, and need contingencies for when their maintainers no longer support them. This leaves startups to fend for themselves, often with poor visibility into their attack surface and vulnerability exposure, and relying on manual steps to implement and verify security controls.
On the other hand, once a business has grown, growing pains can make it challenging to create the security foundation for the first time, primarily because most teams already have established modes of operation. Implementing reliable security patterns, control governance, vulnerability management, and compliance can be quite a shift from established but insecure standard operating procedures (SOPs).
Startups often delay security in favor of product and customer requirements. This approach is valid given the revenue-generating appeal of satisfying customer demand, the limited impact, and the small attack surface. However, with the introduction of security concepts such as defense-in-depth, least privilege, and a "trust but verify" culture, amongst others, the transition to growth can be a maturity step rather than a sudden change of direction.
What is a vCISO?
As mentioned above, mature organizations hire a Head of Security or CISO to lead their security initiatives internally. Organizations usually bring them in when security demand warrants a dedicated function. They might already have one or two security engineers onboard but likely need to ramp up hiring and define clear responsibilities and objectives across multiple security teams. CISOs are responsible for the security of the business and have previous experience building security teams. vCISOs are a flexible CISO offering, often provided to organizations that might struggle to justify a complete security function and its associated leader but value security and would like guidance and direction to lay reliable foundations for engineering resilience.
Virtual CISO vs traditional CISO
Organizations in the early to intermediate stages of their product development journey typically employ vCISOs. We won't strictly define these stages in this article. However, you can consider them businesses with an engineer count below 50, businesses recently acquired or at pre-Series B funding, or organizations still working on product-market fit (PMF). vCISOs are highly experienced security professionals with a background across multiple industries, available on a virtual ad-hoc, on-demand, or as-needed basis. They offer services as required, which is beneficial if your business grows quickly and finds it needs a larger security team. A strong vCISO will tell you as you approach key inflection points and recommend appropriate resource allocations, alongside support in selecting your security leadership.
CISOs are generally not hands-on and cannot provide engineering support during the growing stages of your business, which is when you need it the most. They can help define your information security policies, procedures, and guidelines and represent security at executive and board meetings, but these tasks depend on engineering implementations and metrics to report on and adjust. Security visibility is often limited at this stage, making metric tracking difficult.
Key considerations
vCISOs are a temporary solution that supports you during your business's early growth stages. They can help define your strategy based on your product, market, and customers to prepare you for the threats, risks, and compliance requirements you may face. They can perform ad-hoc security assessments, threat models, and risk assessments. Full-time CISOs, by contrast, allow businesses to scale by leveraging their team to deliver security services and solutions. Additionally, as permanent staff members, they can define and implement long-term (3-5 year) security strategies and represent the business in audits, investor meetings, and board meetings. They often directly influence engineering decisions, making them a valuable and powerful resource.
Startup cybersecurity challenges and how to overcome them
Startup cybersecurity challenges differ from enterprise risks. Due to smaller teams, a reduced attack surface, and limited budgets, applying enterprise solutions can create bloat and friction through unnecessary bureaucracy, tooling, and configuration management. Below, we describe some of the problems we've seen startups struggle with, alongside how vCISO services can help.
One key reason to consider a vCISO is budget constraints. Due to their ad-hoc nature, vCISOs are a flexible and effective option for acquiring security expertise at a fraction of the cost of a full-time or even part-time security professional, let alone a CISO. With a vCISO, you only pay for what you need, and they work with you to determine the best model.
BlackheathPoint offers a subscription-based model with a pre-determined offering. This lets you quickly get going with a clear definition of what you will receive each month. Due to its subscription model, you can cancel at any time, much like any other product subscription, providing extensive flexibility in managing your finances.
Laying security foundations
Developing a reliable cybersecurity foundation that meets present-day requirements but limits friction for the development of future solutions is critical to creating an enabling security function. Implementing security gates across the software development lifecycle (SDLC) can be tempting. Still, if implemented incorrectly or without adequate consideration of the developer experience (DX), they will create unnecessary roadblocks to delivering bug fixes, features, and performance improvements. Even more important is how the organizational culture and structure are developed to promote secure development and appropriate risk management. An organization that delegates control development, configuration and enforcement, vulnerability identification, management, and remediation entirely to the security team will inevitably create bottlenecks within that team. As with software engineering, we must consider the coupling we create across functions. In some cases, this coupling is necessary, but there are strategies you can implement to promote decoupling over time.
Organizations must set up appropriate strategies, policies, and standards. Once established, the focus shifts towards alignment. A vCISO can design and implement cybersecurity policies and frameworks aligned with your organization's needs and objectives. They can create a detailed incident response plan to guide your team through potential future incidents, perform thorough risk assessments, and establish a foundation for sustained cybersecurity success for your business.
Effective IT strategic leadership
Strong cybersecurity leaders understand that their role is supportive in nature. They can guide existing leaders on how to develop security engineering solutions without creating unnecessary overhead for engineering teams. They leave customer feature requirements to customer success leaders but continuously provide their input on how the risk model evolves. Once in agreement with executive leaders regarding changes to risk levels, they look to deliver resilient, scalable, and cost-effective solutions without unnecessarily impacting customer requirements. Security leaders can save resources by focusing efforts on the right problems. CEOs and CTOs are focused on customer and product development, leaving little room for identifying threats or existential risks. By identifying the right data, analyzing it, and leveraging their experience and networks, security leaders can avoid spending time and engineering resources on low-ROI (Return On Investment) activities, thereby providing the greatest revenue protection for dollars spent.
Consider a vCISO service if you need assistance directing, managing, or upskilling your current engineering or security team. If your employees don't require a full-time leader but would benefit from professional guidance, goal-setting, training, and mentorship, a vCISO is an ideal solution. They can step in to provide direction, ensure your team has the necessary resources and budget, and help them focus on the right problems.
Niche task requirements
Your success depends on a combination of technology, talent, sales, and marketing innovation. Given the budget constraints we previously discussed, you should focus your efforts where the most significant value is to be found. Your challenges could be unique to your product, team, or industry, and solutions may not require a permanent resource to deliver them. Niche tasks that require specific expertise are a prime target for productized cybersecurity services. They enable you to acquire expertise and resources without long-term commitment.
vCISO service providers often have a team of experts with diverse backgrounds working behind the scenes. For instance, if your organization already has a cybersecurity program but undergoes a merger or acquisition, it may need to adjust some existing processes. Choosing a vCISO with relevant experience can help take the weight off and give you access to an unbiased, independent third-party opinion at low cost. They can develop or modify existing policies, guidelines, and frameworks to seamlessly integrate and reflect the new operational landscape.
Future of startup cybersecurity
Customers, founders, investors, and regulators are becoming more aware of the importance of cybersecurity. Users are becoming especially critical, given the impact of recent breaches on their personal lives. As a result, regulators mandate disclosure of personal data breaches and levy heavy fines on companies that fail to disclose unauthorized access to data in a timely fashion.
Naturally, given the impact on user retention and the legal and revenue implications, investors want to ensure that their investments are protected. Audits and third-party oversight are now a key part of business development, funding rounds, and exits.
Shift-left security tends to revolve around engineering concepts. Although an organization's culture is one of the first things it develops, security solutions rarely guide young businesses in establishing a strong security culture from the beginning. Given how difficult it is to change an organization's culture, it should be established early, making maturity steps feel like natural progressions rather than sharp deviations. Changing your deployment model is far easier than re-aligning tens or even hundreds of engineers on how to develop software through new guardrails that add another step to their workflow.
Security solutions are evolving to provide answers. Productized services are growing in popularity, and the security space is no exception. Services such as vCISOs (also called fractional CISOs or CISOaaS), COTS solutions offering tailored functionality at reduced cost to fit startup financial constraints, and professional service offerings all aim to include security as early as possible in a business's journey.
Conclusion
A vCISO offers a flexible, on-demand solution for security leadership, providing customized strategies and guidance to establish a strong security foundation. They help develop and implement cybersecurity policies, incident response plans, and thorough risk assessments. This support is critical during the early growth stages, preparing startups for future threats and compliance requirements without the long-term commitment and higher cost of a full-time CISO. As startups grow, transitioning to a permanent CISO becomes vital for sustained growth and security. A full-time CISO ensures comprehensive security measures are embedded across the business by creating long-term strategies, leading security teams, and representing the organization in key meetings and audits.
In summary, utilizing vCISO services enables startups to build a robust cybersecurity foundation, making it easier to transition to advanced security stages as the business expands. The future of startup cybersecurity lies in adaptable, cost-effective solutions like vCISOs that offer the necessary expertise and guidance to navigate cybersecurity complexities from the beginning.