How can a VISO balance out your team?
Hi everyone, this is Bill here. I wanted to talk a little bit about a conversation I had with a CIO friend of mine today. He runs the IT organization and the Security organization and the Risk for this medium-size business with about 400 users.
I want to talk to you about what we covered as it relates to a Virtual Information Security Officer (VISO). The problem he’s having, as he relayed it to me, is that his HR department gave him approximately $125,000 per year salary to work with for hiring a Chief Information Security Officer (CISO). He said he also has to add about 25% on top of that for all the benefits this organization offers. Even if it wasn’t 25% and it was more like 12%, that’s still quite a bit on top.
We are in a major metropolitan area and a very competitive industry. The challenge is that under these parameters, he’s not finding candidates with the skills he wants to see to satisfy the responsibilities of the position. He hasn’t been seeing the necessary suite of skills with the right balance for both the business side of the fence with governance and compliance, and on the other side of the fence with the technical and tactical pieces from a security operations point of view.
This Chief Information Security Officer, this CISO, has to come with skills in both areas. In addition to that, he also wants the candidate to have industry expertise – and that’s where he is really running into a tough road. There are just not a lot of people who can fill that role. This is still a relatively immature industry, but it’s a hot industry because the costs are really high.
How can you tackle this? One of the ways you can tackle it – and I suggested this to him because I think it’s very practical – is to hire someone in the $60,000, $70,000 or $80,000 range who has a lot of hunger, the right attitude and wants to learn the security industry. It doesn’t matter what their skills are – let’s say they’re strong on the business side, governance, which is a little bit easier – then they can take the business side of the fence with the governance and the compliance. They can handle that angle because it’s mostly checking the boxes and making sure systems and processes are working.
Now you’re still left with the technical and tactical side. One solution is that you can obtain Virtual Information Security Officer (VISO) capabilities from a firm. The best way to begin is by really breaking down the pieces that you need – places where you have soft spots and weaknesses on your team.
Whether this is on the systems side, like SIEM systems, firewall systems, DLP systems or edge systems, you can marry those to the governance side of the fence. That’s where you can plug the holes on the technical and tactical side. When your staff begins to understand and they start to learn the whole process, you can begin to grow them into the role you need them to fill as a security leader. By attending more advanced classes, they will continue to learn the unique industry capabilities that you need without you having overpaid for that developing skill set.
The savings you’ve achieved in salary can be used to obtain the VISO role or program from a firm or firms. This is just one way to tackle the issue. It is a very practical one – and one that I’m seeing constantly now because of the dearth of talent and people needing to look at options to achieve balance because of the budgets involved. It’s just very, very expensive to find really good high-level talent. And there’s no guarantee that just because you spend a lot of money, you’re going to get the talent that you want and need.
I hope this video helps to break this down into pieces and gives you the confidence to go tackle the challenge and find some VISO programs from local providers near you to complement the skills you have on your team. I hope you have a great day.
RedZone’s VISO Service Program can help fill the gaps and complete unfilled resources within your security team. Contact my RedZone team today: (410) 897-9494 | firstname.lastname@example.org.