

In a tech-centered world, a vCISO can help small businesses protect their data

Small business owners may see their type of organization as an unlikely target of cybercrime, reasoning that major retailers hold far more consumer data. The statistics say otherwise: in 2019, cyberattacks on small businesses increased by 448% (after a 424% increase in 2018), and 43% of all cyberattacks in 2019 targeted small businesses, at an average cost of $200,000 to the business hit.

Cybercriminals are learning that they get more bang for their buck by targeting smaller businesses, which tend to have unsecured networks, poorly protected client data, and employees who may not recognize a cybersecurity threat when they see one. Unfortunately, small businesses are also the least able to survive an attack. According to the US National Cyber Security Alliance, 60% of small businesses hit by a cyberattack close their doors within six months because of the financial and reputational damage. If the US were to experience a wide-scale malware campaign targeting small businesses, the national economy would certainly feel it.

So, why aren’t small businesses protecting themselves? There are a few likely reasons. First, they may not fully understand the risk of a cyberattack: the headlines are reserved for attacks on major companies like Target and Verizon. Second, they lack the resources to hire a full-time professional to solve their cybersecurity issues for them.

Luckily, these businesses don’t have to hire a full-time information security officer to protect their networks. The cybersecurity industry has responded to the need for small business support with the vCISO: a remote, part-time information security officer who oversees and manages the organization’s cybersecurity efforts. vCISOs come fully credentialed and cost a fraction of a full-time C-suite executive.

Here are the ways a vCISO can help quell your information security concerns, and why one may be the answer to your cybersecurity prayers.

  1. vCISOs are an affordable solution to an often expensive business problem. The market for good Chief Information Security Officers is tight, and they are expensive to hire: a full-time CISO makes anywhere from $172,000 to $293,000 per year. For most small businesses, that amount of money is unjustifiable for one position, especially when the network is small and needs minimal support. Enter the vCISO, who is much less expensive and provides exactly the level of cybersecurity support your business needs.
  2. vCISOs come pre-trained, pre-certified, and ready to address your security needs. Typically, these individuals are hired and trained by your chosen cybersecurity partner, so they arrive pre-vetted and recommended by people you already trust. vCISOs are prepared to perform the tasks you don’t have the time or experience to handle yourself, such as creating a detailed, well-crafted information security program, training your IT staff, and completing risk assessments that help you make better-informed cybersecurity decisions.
  3. vCISOs can be a central part of your leadership committee and inform decisions that affect your network security. Depending on the company you partner with for vCISO support, that individual may be available for your organization’s IT committee and Board meetings, giving you peace of mind that decisions are being made with information security factored in. vCISOs can also create customized information security policies that align with your organization’s strategic objectives.
  4. vCISOs can train your employees to be the gatekeepers of your organization. Part of a good vCISO’s job is strengthening employee understanding of cyber risk. That might mean holding workshops to establish basic cybersecurity etiquette, communicating important security tips, or simply making sure employees are using strong, unique passwords.


As you explore whether a vCISO is a fit for your company, remember that the security and protection of your organization’s and your customers’ information is ultimately up to you. Even if you outsource the work to a vCISO, your organization must still own and sign off on every information and cybersecurity decision. A good vCISO, however, can genuinely help you make better-informed cybersecurity decisions and do what’s right to protect your organization.


Written by: 
Jon Waldman, CISA, CRISC
Executive Vice President, IS Consulting and Co-founder - SBS CyberSecurity
President, SBS Institute


SBS Resources: 
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

  • {Service} Cybersecurity Partnership/vCISO: Gain a trusted cybersecurity adviser who can keep you informed and help you adjust to changing regulations or potential incidents through a CyberSecurity Partnership (CSP) program or a custom Virtual Chief Information Security Officer (vCISO) engagement.
  • {Blog} Building Out the Core Responsibilities of an ISO: A financial institution has plenty of roles and responsibilities to consider, but one of the more difficult roles to address is that of the Information Security Officer (ISO). Even though all financial institutions have been expected to assign the ISO role for nearly two decades, many organizations are still working to flesh out the specific responsibilities an Information Security Officer should handle.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute.

Certified Banking Security Manager


Posted: Thursday, August 20, 2020
Categories: Blog