Two questions for SaaS companies before hiring a CISO or vCISO


This year, I attended SaaStr, a conference in the SF Bay Area attended annually by founders and executives. The event gives them ample opportunity to mingle with other SaaS executives and potential investors.
 
One consistent theme emerged from my conversations with the leadership of a few international SaaS companies, based in the U.S. and abroad. Their companies could no longer rely on the best efforts of a non-specialized team, nor carry the associated risk. They knew they needed to augment their capabilities, but weren’t sure how.

The most common questions posed were:

At what point should I consider adding a CISO to my Executive Team?

When we do need experienced security leadership, do I need to go straight to a full-time CISO, or would a virtual/fractional CISO fill the need?

Here’s What I Advise

Q: At what point should I consider adding a CISO to my Executive Team?

A: For a SaaS company, the need for an information security program, led by a CISO, depends on two primary drivers:

  • The type of data the company holds, or has access to while conducting business;
  • Whether the company’s contractual obligations require it to demonstrate a certain level of security maturity before it can provide service.

The above attributes are illustrative points to consider. At the end of the day, cyber risk is just like any other business risk. The right answer is different for every company and depends on an individual company’s risk appetite. 

If your company handles confidential financial data, patient health information, or controlled unclassified information, then you should consider the damage to your company if that information found its way outside of it. Most companies hold at least one of these types of data.

Depending on your industry, your company may need to comply with state and federal regulations that govern how this kind of information is treated.

In healthcare, the Health Insurance Portability and Accountability Act protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. E-commerce businesses in the State of California must comply with the California Consumer Privacy Act, a state statute intended to enhance privacy rights and consumer protection for residents of California.

Hiring a CISO is like a company engaging an attorney for legal advice, or an accountant for financial help. Each company must decide when the risk is too great to go any further without professional subject matter expertise in the domain in question.

Q: When we do need experienced security leadership, do I need to go straight to a full-time CISO, or would a virtual/fractional CISO fill the need?

A: The answer here is every consultant’s favorite: it depends. On what? The growth stage and complexity of your company.
 
Some companies are at a point in their maturity where a full-time CISO is necessary. For others, an experienced security leader who can execute effectively while remaining a cost-effective solution is the best fit.

Two More Things to Consider Before Hiring a vCISO or CISO

How much risk are you comfortable with?

In today’s business environment, experienced security talent is hard to come by. A company could hire a more cost-effective resource: a smart person with drive who aspires to be a CISO but lacks the real-life experience. This comes with its own pros and cons, and it’s really a matter of comfort level and of how much risk the company is willing to assume.

Conversely, company leadership must understand whether an experienced security practitioner—who’s been a CISO elsewhere—can provide the strategic leadership and governance needed on a fractional basis. If so, can they simultaneously lead the company to its risk tolerance? And if so, could the cost savings then be applied to other areas of need, such as hiring other members of the security team or engaging security vendors for much-needed technology and services, while spending a similar amount to what an FTE would have cost the company?

How Much Risk Are You Exposed To?

Overall, SaaS companies are more in need of security expertise than ever before, as the inherently global nature of their services exposes them to a higher level of security risk. Through our vCISO service, we provide security leaders with the experience and background to support your business objectives. Our vCISOs are available to perform the work of a full-time resource on a fractional basis to satisfy your company’s growing cybersecurity and privacy needs.

Why a SideChannel vCISO?

Our principal consultants possess a combined 400 years of experience among them. They’ve led cybersecurity programs—through both good and bad times—in places like USPS, Equifax, and the San Francisco Police Department. Some are published authors of books that cybersecurity students study, while others actively teach. We are experienced and trusted professionals, eager to help your business achieve its objectives.

Our vCISO service is a cost-effective solution that provides a cybersecurity program tailor-made for your business. Reach out below to learn how the vCISO program can protect your business’s revenue, data, business relationships and reputation.