Looking for the latest information security and privacy insights from EXTEND? Follow us on LinkedIn.

To CISO or Not to CISO?

For those of us old enough to remember, the emergence of Information Security as a distinct and important function within the organization is very similar to the emergence of Information Technology departments years ago. Back then, as computing moved from mainframe to midrange to desktops, the organization needed to answer several questions to see how this new area fit into corporate functions.

  • Is this a permanent change or temporary need?
  • Should we stand up a distinct department?
  • How does this function relate to other corporate functions?
  • How do I find talent?
  • How do I spend optimally to derive the most benefit?
  • How much will this cost?
  • Is this just an “insurance policy,” or can it provide a competitive advantage?

One big difference is between IT and InfoSec is that with cyber threats, “the enemy has a say.” With COVID-19 and the acceleration of work from home, corporations no longer have the luxury of waiting to deploy effective data privacy and information security strategies. There has been a sharp increase in cyber-attack incidents, specifically exploiting the additional vulnerabilities of a distributed workforce.

Security through obscurity is no longer an option.






Of course, large enterprises have robust InfoSec programs in place. However, if your organization is not a Fortune 500 company and does not necessarily have the concomitant technology or financial capacity, how do you build an InfoSec program and departments that balances your risk against limited resources? Do you need a CISO?

A high-quality CISO, whether an employed part of your team or in an outsourced expert capacity, will bring significant experience in developing and executing a holistic cybersecurity plan that coordinates with the company’s risk appetite. Our experience has produced one hard and fast rule: if you have or hold personally identifiable information in any form, you MUST have a CISO.

"The realization is growing in the C-Suite that just one serious security incident or data breach could derail the growth and profitability of their companies because of the cost to remediate, fines and legal fees, and customer loss. As a result of this awareness, the role of the CISO is growing in importance, as is the need to have an enterprise-wide IT security strategy that supports the company’s mission and goals."






Every organization is different but, finding the right one may be difficult given the limited supply of this emerging talent. An alternative is to outsource the function to an experienced vendor that offers virtual or fractional CISO services. Regardless of whether your CISO is an employee or managed by an outside resource, protecting your information assets and minimizing cyber risk depends on a strong Information Security program.

In our experience working with clients, the most successful InfoSec program implementations have these things in common.

There is a formal project plan based on where you are and where you need to be. This plan would be based on a gap assessment and include a near term (90 days) and midterm (1 year) goal; risk-weighted objectives; and firm costs associated with achieving these goals.

There is a personnel plan for your team to manage this function. Whether you have designated internal resources or outsource your InfoSec function to a Managed Security Service Provider, there needs to be a chain of accountability within your organization.

There is a robust, transferable underlying platform. You would not run your finance function without an accounting system, do not run your Infosec function without an Information Security Management System. And if you decide to start with a virtual CISO service, make sure they are using a platform that you can adopt if or when you bring the function in-house.

Position your efforts to gain a competitive advantage. For SMBs and even large companies, formal, documented information security programs are still the exception. Communicating your activities to your clients gives them comfort that you are taking security seriously and may offer a stark contrast to your competition.

Security through obscurity is no longer an option. While the future evolution of the Information Security function – especially relating to the interplay with IT, compliance, and internal audit functions – remains to be seen, its emergence as a necessary, discrete function within an organization is undeniable. While InfoSec has the abstruseness of any emerging, technical function, there are proven, successful ways to build a program that is right for your organization at a reasonable cost.


EXTEND Resources’ Virtual CISO Services provide strategic and operational leadership to create, manage, and monitor your security program on a full- or part-time basis. We identify security gaps and risks, develop mitigation plans, and maintain compliance programs — all designed to protect you, your clients, and your vendors. Learn more or contact us at info@extendresources.com.






Scroll to Top
Skip to content

By continuing to use the site, you agree to the use of cookies. Learn More

We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.