The upsurge in cyber security attacks (both in number and in sophistication) has
caused business leaders to question the adequacy of their in-house capabilities.
Given the nature of this threat, where an assailant will seek out gaps in your
defenses, your capabilities have to cover the entire spectrum of prevention,
detection and reaction. When I was in charge of digital security in a Fortune 100
company, I needed a team of 64 experts to cover the specialist skill areas and the
7×24 nature of the operation.

How many companies can afford the cost of employing 64 people to keep the bad
guys out? These experts are expensive, hard to find, harder to retain, and have to be
carefully vetted because they have privileged access to your family jewels. Maybe
a Fortune 100 company can justify that resource allocation if it operates in an
industry sector where information is key to its business, such as Banking, Energy
or Defense. But a mid-cap company or a small-cap company could never attract
such experts into their employment, even if they could afford the salary bill. The
consequence is that they employ generalists who struggle to keep up with the
rapid increase in sophistication of the attack techniques, and so they are not only
vulnerable to a compromise, but there is a high probability they will never discover
that a compromise has occurred.

So there has to be a better way. Your company could outsource the entire digital
security task to a major IT services company or a major accounting firm, but often
that is not an affordable solution. Or you could go with an inexpensive local shop
without the overhead burden, but probably without the in-depth skills or the
controls or the background screening. One solution to this dilemma is to copy the
technology concept of “server virtualization” and to use “expert team virtualization”,
whereby a third party provides you with a shared resource that changes according
to your immediate needs (say to conduct penetration testing, or to scale up rapidly
to tackle an attack). That approach has the added benefit of leveraging insights from
other client companies in your sector, which an in-house team may not know about.
Smaller companies are now engaging a “Virtual CISO” or a “Virtual Digital Security
Team” as a more affordable alternative to building and maintaining an in-house capability.