June 14, 2021

From the Desk of the vCISO: Virtual CISO Services Bridge the Cybersecurity Leadership Skills Gap

Aaron Boissonnault

2021 is the unofficial 10-year anniversary of the cybersecurity skills gap. One of the earliest mentions of the shortage of cybersecurity professionals came from ESG Analyst Jon Oltsik in 2011. Though we’ve had a decade to solve this problem, the gap has only gotten worse.

The 2020 (ISC)² Cybersecurity Workforce Study estimates the cybersecurity workforce gap worldwide to be 3.1 million, with the U.S. facing a deficit of 359,000 workers. According to (ISC)², “employment in the field needs to grow by approximately 41% in the U.S., and 89% worldwide, to meet the anticipated demand.” The study also found that these cybersecurity shortages are taking a toll on companies’ cybersecurity postures. More than half of the study’s 3,790 respondents say they believe cybersecurity staff shortages are putting their organizations at risk.

vCISOs in High Demand

The skills shortage is a pervasive problem at every cybersecurity job level, including chief information security officers (CISOs). Wall Street Journal Reporter Kim Nash does a nice job detailing why CISOs are so hard to come by in her article, “Talent Shortage Makes CISOs a Hot Commodity.” She cites companies’ varying expectations for job requirements and experience levels among the factors contributing to the limited number of candidates.

Of course, the lack of CISOs in the market is a problem affecting organizations of all sizes—but it’s becoming especially troublesome for mid-market and large organizations. In fact, in her article, Nash notes, “sitting CISOs at large U.S. companies are in great demand.”

The CISO shortage isn’t the only thing getting worse. The cybersecurity landscape is too. Between the ransomware epidemic, attacks on critical infrastructure, and the surge of phishing and other social engineering threats (as a result of the COVID-19 pandemic and the associated work-from-home push), the cybersecurity landscape has never been scarier. This reality leaves many companies struggling to defend against this sophisticated threat landscape without the right security leadership in place.

Bridging the Gap with Virtual CISO Services

Outsourcing has emerged as a common and effective way to overcome the skills gap across technology areas, and the same holds true for cybersecurity. Remember ESG Analyst Jon Oltsik? He’s still tracking the cybersecurity skills shortage. In this blog post, he notes that ESG’s 2020 Technology Spending Intentions Survey found that “of those organizations that have a problematic shortage of cybersecurity skills, 73% will increase usage of third-party services to help them dig their way out of this personnel hole.”

Outsourcing is an easier and more affordable way for mid-market companies to fill their vacant CISO position. So much so, in fact, that virtual CISO (vCISO) services offered by managed service providers (MSPs) are becoming more mainstream. At a high level, vCISO services provide companies with the security leadership skills they need to assess risk, develop a security strategy to mitigate identified risks, maintain governance and, overall, defend against today’s complex threats.

Here are five reasons why vCISO services can be so impactful in the quest to bridge the cybersecurity skills gap:

1. You benefit from on-demand security leadership

The evolving threat landscape continuously calls for new security skillsets and specialized knowledge, and a vCISO service can provide the unique skills you need, when you need them—from assessing risks and developing your cybersecurity strategy to ongoing governance and everything in between.

2. You get CISO-level expertise (and more) at a much more affordable price point

Outsourcing is the most cost-effective approach to attaining the evolving expertise required for cybersecurity, because you only incur costs when you’re actually utilizing security services at the time that you need them versus having to hire someone full time. And those skills are an investment—a full-time CISO’s salary can easily run you in excess of $200,000.

3. You have a breadth of technical and leadership expertise at your fingertips

With vCISO services from MSPs, such as Navisite, you get a whole lot more than one named CISO at the helm. You also have access to the entire cybersecurity team supporting the vCISO, benefiting from the full breadth and depth of their expertise and experience.

4. You don’t have to deal with the headache of recruitment

Finding, recruiting and retaining CISOs in this competitive landscape can be challenging. Outsourcing to a vCISO solves the recruitment problem and eliminates the risk of having to deal with potential turnover—as well as the resulting disruption it creates for the business.

5. You’ll get unbiased guidance and support

The right vCISO service will provide objective, unbiased guidance on the best path forward to strengthen your security posture and serve as your trusted partner—not just your service provider—keeping your best interests at heart. The result is a strong partnership that you can rely on day in and day out.

Navisite’s vCISO Service Delivers

Navisite’s vCISO Service provides all of the benefits above and so much more, removing the skills, resource and budget constraints that prohibit companies from developing and maintaining a strong cybersecurity strategy. Backed by a team with years of experience helping companies of all sizes develop and implement cybersecurity frameworks, we’ll work alongside your team to:

  • Perform a cybersecurity risk assessment, including a security gap analysis.
  • Develop a customized cybersecurity plan that will help you remediate areas of risk and maintain a strong security posture.
  • Provide regular program tracking to maintain governance (so you don’t stray from your desired state of security), and to continually refine and enhance cybersecurity strategies.

At Navisite, we know there is no “one size fits all” security solution. Not only does our vCISO service rectify the cybersecurity skills and technical gaps within mid-market organizations, but it’s right-sized for each customer—meaning, we’ll meet you wherever you are on your security journey. To learn more about Navisite’s vCISO service, read our press release and data sheet. To find out how our vCISO Service can help you enhance your cybersecurity program, contact us today.

About Aaron Boissonnault

Aaron is the Chief Information Security Officer at Navisite and is responsible for security and compliance programs and the delivery of our managed security and advisory services to help customers implement and maintain the highest levels of cybersecurity protection and best practices. Aaron has more than 18 years of experience in the industry, holding various leadership and consulting roles in cloud security, infrastructure security and security operations.