Nov 04 2022

5 Questions to Ask When Evaluating a Virtual CISO

Outsourcing security operations with a virtual CISO can help universities supplement their staff and provide 24/7 coverage. Here are five questions to ask when evaluating provider options.

What Are Your Milestones and Incentives to Achieve Them?

The decision to outsource security usually comes only after it’s clear that an on-campus solution is not achievable or cost-effective. Assume the virtual CISO will need to redesign your security operations center (SOC). Ask for a project plan, as well as milestones and incentives to be sure that it moves along and doesn’t become a low priority.

How Will You Assume Risk and Accountability?

Being a CISO is easy if the worst thing that can happen is you get fired. Outsourcers need to have more skin in the game. Virtual CISOs are typically hired as part of a risk mitigation plan. Without some transfer of risk to the outsourcer, your interests won’t be aligned, so make sure the virtual CISO is truly invested.

What Will the IT Team Still Be Responsible For?

A virtual CISO must be up front and realistic about the tasks that will still be the responsibility of campus team members, such as periodic risk assessments, risk appetite exercises and categorization of information assets. Those inputs are what let the SOC prioritize what it sees; without a true partnership in these areas, you'll be overwhelmed with alerts. Be wary of the virtual CISO who promises to handle absolutely everything.

What Are the First Steps You’ll Take During a Serious Cyber Incident?

There's no right answer here, but the virtual CISO must be aware of the many moving parts in a higher education environment and how a textbook incident response can be adapted to account for them. If the CISO doesn't mention the Family Educational Rights and Privacy Act (FERPA), for example, it's time to look elsewhere.

How Will SaaS Products Fit with Your Security Plans?

Properly integrating Software as a Service (SaaS) security alerts into an on-campus SOC is still a moving target in the security industry. Find out whether your prospective virtual CISO has a technically sound answer about how to receive and process this information. Look for someone who understands the difficulty and has a realistic approach to resolving it.


