The National Cyber Security Alliance reported that "60% of small and mid-sized businesses fold within 6 Months of a cyber attack," and the more recent recognition of the notion that it is not if, but rather when you get hacked, suggests organizations can not longer take a wait and see approach regarding their investments in information security. One of the key investments will be the selection and retention of your Chief Information Security Officer (CISO) or Data Protection Officer (DPO). With the job market continuing to aggressively grow in the data security field, as offered in recent Fortune Magazine and other articles, finding and holding onto a truly qualified and experienced executive to lead a data protection program is becoming harder every day.
To help in this challenge, CIMA offers Virtual and Fractional Chief Information Security Officer (CISO) and Data Protection Officer services to our clientele. To help you better understand the difference between virtual and fractional CISO / DPO services we have prepared a brief summary below, for your convenience.
Sample Responsibilities for a Virtual CISO / DPO
The needs of the client and the contract in place for the term contract ultimately determine the exact responsibilities performed in the role. Notwithstanding this, the following are provided as examples of some of the functional responsibilities a Virtual CISO / DPO could perform:
֍ gap / assessments
֍ risk assessments
֍ policy development
֍ data privacy / security process and procedural development
֍ security / data protection white paper development
֍ lead and manage data privacy and security teams
֍ security / data privacy metrics (performance management)
֍ oversee security architecture design and implementation
֍ lead data privacy and security projects and program activities
֍ manage the relationship and utilization of 3rd party privacy and security tools and services
֍ data privacy / security product suitability
֍ consultation on new application development initiatives
֍ client meetings
֍ completing client security assessments / security information gathering (SIG) tools
֍ reviewing and interpreting new regulatory requirements
֍ awareness and training program development and management
֍ data breach / security incident management
֍ and more.
When To Hire a Virtual or Fractional CISO / DPO?
When a company is just setting up a data protection program
The first and foremost scenario when an organization contracts a virtual or fractional CISO / DPO is when small and medium sized organizations first embark upon the establishment of an information security or data privacy program, and when it is unclear the time demand for such resources following setup of the program.
It is well understood that setting up an information security or data privacy program takes a lot of work, but what is less known is given the varying drivers and ongoing requirements, what will it take to maintain it, and most importantly, will the organization need a full-time resource to management it.
When an existing internal role is vacant
Given a very aggressive job marketing, you can anticipate the recruiting time for a specialize leadership role like a CISO or DPO to be longer than other roles. Unfortunately, growth of jobs in these areas is exacerbating the situation causing an even longer recruiting cycle. For this reason, many organizations are now contracting a Virtual CISO so their data protection programs do not go without proper leadership guidance.
During Economic downturns, when Positioning an organization for sale, or other reasons hiring freezes may need to be instituted
To ensure the confidence of institutional investors and others, there may be periods of time when an organization may need to institute a hiring freeze to reduce visible ongoing operational expenses.
In these instances, organizations turn to companies like CIMA to source their needs on a term-based contract, so supporting funds for the role can be reported under a temporary expense category.
What is a Virtual Versus Fractional CISO / DPO
VirtuaL CISO / DPO
A "Virtual" CISO or DPO is an experienced data privacy / security leader that provides the services of the role on a full-time basis, under a term contract, but operates remotely except for specific times and events, where the client requires their attendance on-site or at leadership meetings for brief time-frames.
CIMA also offers Virtual CISOs and DPOs under a package contract arrangement with other services to help clients achieve ISO 27001 or 27701 compliance or certification.
Fractional CISO / DPO
A "Fractional" CISO / DPO is one that provides the same services as a Virtual CISO / DPO, but under a part-time basis, so the contracting organization does bear the cost of a full-time resource when a part-time resource will suffice. Fractional CISO / DPOs are typically shared among two to three clients depending on the contractual arrangement.
CIMA also offers Fractional CISOs / DPOs under a package arrangement, as part of a team that comes together to help a client become compliant under ISO 27001 or 27701.