• United States




New cyber regulations highlight need for virtual CISOs

Sep 05, 20174 mins
CybercrimeData and Information SecurityTechnology Industry

NY regulations increase demands on CISOs already under stress and in short supply

cio ciso role
Credit: Thinkstock

The question of responsibility for cyber-attacks has been a gray area for the last few years. Regulators have treated data breaches and hacking attacks as though they were earthquakes or floods beyond human control, but that’s beginning to change. A new set of rules just went into effect in New York that requires financial services companies to have comprehensive cybersecurity strategies.

For too long many organizations have been burying their heads in the sand, but we know that these attacks are no acts of God – they are engineered by humans – and, unlike earthquakes, we can take effective action to prevent them. The new regulations outline the need for a cybersecurity plan that includes risk assessments, penetration testing, encryption, multi-factor authentication, and a host of other sensible security steps, including the appointment of a CISO (Chief Information Security Officer).

CISOs in short supply

Every large company, at the very least, should have a dedicated CISO on staff, but for smaller businesses a full time CISO might be beyond their budget. The problem is, even if they are willing to employ a CISO, there’s a massive skills gap and it’s growing. There will be a shortfall of 1.8 million cybersecurity workers by 2022, according to the International Info System Security Certification Consortium which conducted a survey of more than 19,000 cybersecurity workers.

The CISOs out there with the kind of experience and skillsets that companies really need are in constant demand. As many as 46% of cybersecurity professionals are solicited to consider other cybersecurity jobs at least once a week, according to an Information Systems Security Association survey. Clearly there aren’t enough CISOs to go around.

Making a case for a virtual CISO

Whether you’re a small business, or you’re just struggling to fill the position, a virtual CISO could be the ideal fit. You can gain access to the specialty skills you need to draft an effective strategy for cybersecurity, benefit from a depth of experience that would be unattainable through recruitment, and gain a knowledgeable mentor to help your InfoSec staff develop.

Virtual CISOs can be put on retainer for a certain number of hours, hired by the project, or you can buy a block of support hours. You can get top talent and have them direct your risk assessments and help formulate your cybersecurity plan at a fraction of the price of a full-time pro with the same level of experience.

You can also be confident that vCISOs are up to date with the latest developments in the field and have working knowledge of other large organizations’ security efforts. The investment required to bring a vCISO in for consultation and have them help build a strategy is insignificant next to the true cost of a data breach.

The need is great and growing

At first glance, you may think these regulations don’t apply to you, but they don’t just cover banking, insurance, and brokerage firms that operate in New York – they also apply to third-party vendors that are in business with these organizations. Cloud services, point-of-sale solutions, and payroll vendors will also need to have comprehensive cybersecurity programs.

The New York regulations stipulate that “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, Chief Information Security Officer or CISO).”

First statements to acknowledge compliance are due by February 15, 2018. There are exceptions for firms that do less than $5 million worth of business in the state or employ fewer than 10 staff, but everyone else had better get things in order. If a data breach does occur and the victim is found to have been negligent with regard to cybersecurity, then it can expect serious punishment.

In an ideal world, CISOs should talk to the board frequently, but they’re only required to report in writing annually for regulatory purposes. A vCISO is going to be the easiest and best way to meet this requirement for an awful lot of organizations.

We expect other states will follow suit with their own cybersecurity regulations and, in this climate, the rise of the virtual CISO is assured.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.