Change When Change is Needed

We're gonna need a bigger boat!

I have been coaching youth basketball for nine years. 

I started when my little guy was in first grade; now he is in ninth. And while he still plays and is now even refereeing youth basketball, the sun has set on my days as his coach.

Fortunately, my daughter is just 12, which gives me a couple more years coaching her. (Her team won the 5th/6th grade girls championship last year. I will accept your congratulations.)

Workload-wise, the change means this year, I will only be doing half as many lineups, half as many practice sessions, and half as many games. 

And soon, in just over a year, I will hang up my whistle and clipboard for good.

Sad? Absolutely. But few things stay the same, whether in parenting or … you knew this was coming … cybersecurity!

Evolving Cybersecurity Needs

You start a company. 

At first, it’s two, three, maybe four people. Definitely no cybersecurity hires.

Then it moves to 20, 30, 40 people. Now, while you certainly need cybersecurity help – security questions show up in sales cycles, insurance applications get more detailed – you still may not make a dedicated cybersecurity hire.

One day, if things continue to go well, your company grows to 200, 300, 400 people. Now, leadership teams and boards start asking pointed questions about risk, audits become more formal, and security incidents have real financial consequences. At some point, you may need to step up to even more cybersecurity expertise – whether full-time or more robust part-time help.

It’s a logical progression. But how do you know when you have reached one of these new hiring thresholds? It’s not as obvious as aging out of youth basketball. 

It’s not even as obvious as many other “events” in your business or personal life that announce themselves unambiguously and require action – the birth of a child, moving your office to a different state, becoming a publicly-traded company, etc.

But, there are some common clues…

Your organization is facing sales headwinds. Small customers continue to buy, but larger companies realize your security program is not up to par. Or you have gone up market and have run into different requirements.

Your organization has grown in complexity. Cybersecurity is more than just “IT” (email, antivirus, internal policies). It also needs to consider things like physical premise security, vendor management, and finance processes involving funds transfer. The bad guys attack what they want to attack, not just what you are prepared to defend.

You kinda, sorta, have cybersecurity covered. You have an “IT person” and assume they are taking care of it. You have a cybersecurity policy you downloaded a year ago but have not looked at since. You haven’t been hacked (yet).

These kinds of things suggest it’s time to get some help. At that point, there are often two transitions…

The first is outsourcing to other people. That’s where we, as Fractional CISOs, are brought in. 

The second is when you “graduate” from your first cybersecurity leaders to a more comprehensive solution. Sometimes that is moving from an existing single employee vCISO to a firm like us. Or it may be moving on from external help to a full-time hire.

Making the Change to Full-Time, Internal Help

Many companies already have a skilled technical person, but they may not have someone who can run Governance, Risk, and Compliance (GRC). 

If you bring on a CISO, that person will want a GRC analyst onboard to do a lot of the work and run the program. That means you should be prepared to hire two people, one of whom will be highly compensated. 

Also, think about how long the CISO will likely remain in your organization. In many cases, that may be just 18 to 24 months before they jump ship to a larger organization with more responsibility and a bigger team.

Handled well, when that CISO does move on, the organization is left with well-documented risk decisions and a security program that doesn’t fall apart when leadership changes. When it’s done poorly, the next leader ends up rebuilding from scratch.

These challenges and the transitions that come with them make up a fair amount of our work. We help clients move from one cybersecurity leadership situation to another, or help those that have lost their cybersecurity leader for whatever reason.

As you dig deeper into your own circumstances and think about whether a change is in the cards, here are some things to consider…

  1. Who is in charge of your cybersecurity program? If you had to think about it for more than a couple of seconds, you don’t have a cybersecurity leader.
  2. Who presents a quarterly cybersecurity update to senior management on how the program is going? The IT guy? Nobody? Again, if you’re not sure, it’s a pretty good sign your organization needs more mature cybersecurity leadership.
  3. Who evaluates the security quality of your IT department or Managed Service Provider? See 1 and 2 above for the same answer!
  4. How often is your sales process slowed down by security questions you have trouble answering? Missed opportunities may not show up on your income statement, but they are every bit as real.
  5. When was the last time you seriously considered your organization’s cyber risk? Was it in line with your risk tolerance? (Are you even clear about what your risk tolerance is?)

These are the signs that lead companies to give us a call, either because they have identified a clear shift in need or there are signals in the air that indicate it’s time to invest in the next thing.

If your business has changed, but your approach to cybersecurity hasn’t, that gap will eventually show itself – sometimes in expensive ways.

Time for me to make the lineup for my daughter’s game tonight. (Oh boy! My son is refereeing it!)


Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).

