How SMEs can outsource cyber security issues to a Virtual CISO

Top things small businesses (SMEs) should consider when outsourcing cyber security to a Virtual CISO.


Outsourcing cyber security operations to a Virtual CISO (Chief Information Security Officer) is not only possible, but highly attractive – especially in the face of increasing complexity, the continual evolution of the cyber threat and the current shortage of skilled cyber practitioners.

However, there are some things that SMEs and other businesses cannot outsource: the associated business risks and regulatory responsibilities, such as those under the General Data Protection Regulation (GDPR).

While Service Level Agreements (SLAs) governing security services will exist, suppliers are unlikely to provide unlimited liability for consequential losses resulting from a cyber attack or privacy breach.

You therefore need to be able to make judgements on the services you are being provided and make informed decisions on what is sensible to outsource for your business.

At a business level a CISO will need to retain overall control and management of the organisation’s security policy, disaster recovery, regulatory aspects such as GDPR and high-level incident and media management, but it would be perfectly feasible to outsource the underlying support – such as the actual incident response and aspects of disaster recovery.

However, a full-time CISO may not be affordable for small to medium enterprises (SMEs), so an alternative solution that is growing in popularity is to employ a “Virtual CISO”.

These are skilled and experienced CISOs who can provide independent support, to ensure regulatory requirements are being met and that outsourced providers are fulfilling the necessary service levels, at a fraction of the cost of a full-time employee.

Typical security services that can be outsourced include protective monitoring, vulnerability management, firewall management, antivirus etc. How you decide to outsource may depend on whether you already outsource your IT provision or if you use cloud services.

The current trend amongst SMEs is for cloud-based solutions, as they lower the overhead of having your own IT and security management teams, especially when using storage and software services, where security controls such as patching and back-ups are included in the subscription.

Deciding what to outsource to a Virtual CISO is often driven by the need for specialist staff (who are currently in high demand), threat knowledge and the practicality of maintaining your own capability.

As an illustration, on occasion you may need an incident response team of several experts covering incident management, computer forensics, network forensics, malware analysis, etc. But having these professionals on the payroll full-time, “just in case”, would be too expensive, assuming you could retain their interest.

Also, effective protection depends on a good level of up-to-date threat intelligence, so unless you have specialists engaged in threat hunting and gathering threat intelligence, it will be difficult to defend your systems. Incident response and security monitoring, closely followed by vulnerability monitoring, are therefore the first things to consider.

Patching, firewall management and access management are more routine, so may be kept in-house, but if this is the case, any protective monitoring provider must be aware of the current configuration to meet their SLAs.

So if you want to save yourself the stress, cost and reputational damage of a cyber incident with affordable, live systems protection, please ring us now on 01242 521967 or email or complete the form on our contact page.