Why You Should Hire A (Virtual) CISO
Equifax. Boeing. Under Armour. Each brand conjures up, respectively, the image of well-known financial services, aeronautic design and fitness apparel. But they have something in common: breaches in cybersecurity.
Over the past few years, the cyber landscape has changed dramatically with the increasing sophistication and variety of cyberattacks and breaches — and it keeps changing.
The commercial real estate industry is not immune to this threat. Over one-third of real estate firms have experienced a cybersecurity event themselves or at one or more of their properties in the last two years.
Many companies are realizing that protecting their information, assets and business in this changing landscape requires risk-based, executive-level consideration, management and ownership that goes beyond the IT department. But with limited resources, skills and expertise available, securing the right level of cybersecurity expertise, and access to it, has become difficult. The global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020, according to a Frost & Sullivan and (ISC)² report.
Enter the virtual chief information security officer. The virtual CISO evolved from current market conditions to give organizations that don’t have the resources or expertise in-house access to comprehensive cybersecurity leadership and program oversight on an ongoing basis. Part technical expert, part senior leader, a virtual CISO develops and directs the cybersecurity management strategy from the C-suite down, creating a comprehensive information security program that leverages forward-looking technology, people and practices.
As cyberattacks grow more nuanced, having a leader internally or available through a third-party service to identify risk and determine an integrated, enterprise-wide approach to cybersecurity has become essential.
Baker Tilly principal and cybersecurity growth leader David Ross considers the strategic aspect of the virtual CISO position to be the most critical job requirement.
“Robust cybersecurity programs start with determining a company’s risk profile,” Ross said. “Cybersecurity is a risk-based problem, not a technology problem. A business needs to define its strategic goals and determine how a cyber program can align with its core mission.”
For example, real estate developers are concerned not only with the physical security of their properties, but also with investor lists and strategies, including intellectual property. All hold a place of critical importance among the business’ strategic plans.
Much as the rise of technology brought chief information officers and chief technology officers into C-suites in the 1990s, cybersecurity has become an integral part of a company’s future success and continued productivity.
A company must consider two fundamental questions when determining cybersecurity expertise and its role in the organization: Does the company regard cybersecurity as something core to its identity, and is this an area that it needs to rely on as a strategic asset?
From those initial questions, a virtual CISO can begin to build a solution for the business and collaborate with the C-suite to execute the day-to-day plans. But building the entire internal team necessary for a robust cybersecurity program goes beyond a sustainable budget for many companies.
"Instead of investing in a CISO that commands a six-figure salary, or hiring internally from an IT pool that lacks leadership experience, a virtual CISO can offer strategic know-how and targeted program execution at a reduced cost," Ross said.
For commercial real estate, a virtual CISO can supplement the existing management team’s cybersecurity efforts or serve as an interim solution. As the Internet of Things and smart buildings continue to push the real estate industry toward adopting more technology, virtual CISOs offer a sustainable way to manage increased cyberthreats that are new to the company without investing in a full-time team.
Cybersecurity needs can vary from month to month.
“A company might need several experts once a month to conduct penetration testing,” Ross said. “The next month they might need an entirely different set of skills to execute on a different part of the company’s cybersecurity program. Ensure your cybersecurity approach includes sustainable, scalable strategies allowing for peak needs.”
A virtual CISO offers a more scalable approach to cybersecurity, giving companies access to talent if and when it is needed. Some companies need a more operational approach, while others need more help on the strategic side, and the virtual CISO can adapt as needed.
"Is there a new form of malware out there? How would an organization know if the external threats have changed?” Ross said. “An example is cryptocurrency mining malware that takes over your machine to mine for a third party. That threat did not exist six months ago, and it is hard for organizations that are under-resourced to keep up with what is going on in the world.”
Working with a third party to build a cybersecurity program can also help keep a company up to date on evolving threats and provide the right level of protection. Baker Tilly’s virtual CISO team partners with the client to create a sustainable cybersecurity program which takes into account the client’s unique strategic and operational objectives. From there, the virtual CISO operationalizes necessary technology, people and threat intelligence to protect the organization.
This feature was produced in collaboration between Bisnow Branded Content and Baker Tilly. Bisnow editorial staff was not involved in the production of this content.