Chief Information Security Officer (CISO), or the equivalent function, has become a standard in business, government and the non-profit sector throughout the world, and a growing number of organizations have a formally defined position. By 2009, approximately 85% of large organizations had a security executive. So, what about small to mid-size organizations? Does the need for a security officer position and responsibilities diminish as the size of the organization becomes smaller? Do the risk of compromise, the need for a program to ensure information assets are adequately protected, the probability that ransomware or malware will have a damaging impact or that the likelihood of leaking sensitive data all lessen as the size of an organization decreases?
We believe the opposite to be true. Small to mid-size organizations have fewer IT staff who are typically running at a high utilization, causing less attention to be given to security strategy and IT risk identification and mitigation. We believe that small to mid-size organizations have the same need for the value that the CISO position brings to larger organizations. The big difference that we see is that, in many cases, the organizations have all the need and level of risk but do not have the budget or workload to maintain a full-time CISO.
In a perfect world, organizations could obtain all the benefits and value that a high-end experienced CISO brings, but only for the specific amount of time that is required to develop a security program that will help ensure electronic information and assets are protected and vulnerabilities and risks are identified and remediated. These organizations need an on-demand CISO committed to filling the role and responsibilities of a full-time CISO without the full-time commitment or cost, one who is available whenever security issues arise or technology changes are being considered. Imagine being able to remove the uncertainty about your organization’s security posture and reply to client inquires, cyber insurance questionnaires or third-party audits by saying, “Yes, we have a CISO focused on maintaining an enterprise cybersecurity vision and program that manages our information technology risks and protects our electronic assets.”
At Schneider Downs, we are able to provide CISO talent with more than 20 years of practical CISO experience with large health care organizations and with FBI cyber agent experience. This vast experience can applied to development of a reasonable cybersecurity program that makes sense for your organization, one that is tailored to identify real IT risks and uncover vulnerabilities exposing your organization to compromise with the focus on reducing risk and strengthening your overall security posture. If a part-time CISO who provides full-time security responsibilities is of interest to your organization, contact Eric Wright, Will Hatcher or Frank Dezort to find out more information.