Eladio Cortizas Information Security Consultant

vCISO/vDPO, business benefits of a service model

With the increase in cyberattacks, security breaches, the sophistication of attacks and the focus on information security, organisations need CISOs and also, in many cases, DPOs.

What is a CISO?

The Chief Information Security Officer (CISO) is the executive-level person responsible for an organisation's information and data security. Their primary function is to align information security with business objectives.

Among the functions they perform are:

  • Information security planning and management activities.
  • Collaboration with the definition of the organisational and management structure with regard to information security.
  • Initiatives affecting information lifecycle management practices.
  • Information security risk management activities.
  • Assessment of third parties with access to the organisation's data.
  • Coordination of audits by external regulators or customers.

What is a vCISO?

The vCISO is a professional who helps organisations develop and manage the implementation of the information security programme. At a high level, vCISOs help design the organisation's security strategy, and also help manage its implementation. Internal security staff may continue to exist, either reporting to or working with the vCISO to execute the security programme. In addition, the vCISO is generally expected to be responsible for presenting the organisation's information security status to an organisation's board of directors, executive team, auditors or regulators.

What is a DPD/DPO?

A Data Protection Officer (DPO) is responsible for ensuring compliance with the General Data Protection Regulation (GDPR) and other data protection regulations.

The functions of a DPD are:

  • Informing and advising all persons in the organisation who are responsible for, and personnel who have to process personal data, of their obligations under data protection regulations.
  • Supervise compliance with the provisions of data protection law, including the allocation of responsibilities, awareness and training of staff in data protection.
  • Provide advice and supervision on measures relating to the processing of personal data such as the data protection impact assessment.
  • Cooperate and act as a contact point with the supervisory authority.

What is a vDPO?

The vDPO is a professional who assists organisations in complying with the General Data Protection Regulation (GDPR) and other data protection regulations, when the organisation does not have the internal capacity to cover this figure. A vDPO guarantees independence as it is a person outside the structure of the organisation to supervise and monitor in an independent way the internal application and respect of the rules on data protection.

vCISO and vDPO use cases

  • They can be the bridge and recruitment of a new CISO/DPO. At specific times, the organisation does not have a CISO/DPO and needs to cover the tasks performed by these figures for an indeterminate period of time. During this time, they will review the current information security and compliance strategy, and help recruit, select and transition.
  • Assisting a small organisation. Some SMEs cannot afford to have these figures full time and on staff.
  • Creating a compliance programme. Organisations often do not have the expertise to develop a specific compliance programme and how that can translate into the creation of policies and processes for securing protected information. Currently there are many specific regulations and it is very difficult to fully specialise in all of them (ISO27001, ISO 27701, ISO22301, NIST, SOX, RGPD, LOPDGDD, ENS, TISAX, HIPAA, PCI DSS, DORA, EIOPA, LPIC, IEC 62443, RD 43/2021...).

Which organisations need a vCISO/vDPO?

  • All those that do not incorporate these roles in their workforces and are obliged to do so by legislation or sectoral regulations.
  • Organisations with confidential information.
  • Organisations with limited budgets.
  • Organisations that have specific information security needs in some specific tasks and not in the whole organisation, which does not justify hiring them on staff.
  • Organisations that require specific skill sets that are difficult to find in the current labour market.

Advantages for organisations of this vCISO/vDPO service model

The question of whether to hire a CISO/DPO or a vCISO/vDPO really comes down to the organisation's strategy.

It is advisable to start with a vCISO/vDPO to begin the groundwork and see if there is internal support within the organisation to implement a comprehensive information security and privacy programme

If you are not sure which is the best option, it is advisable to start with a vCISO/vDPO to begin the groundwork and see if there is internal support within the organisation to implement a comprehensive information security and privacy programme. Depending on the needs identified and, if necessary, hire a full-time CISO/DPO to complete the work.

The vCISO/vDPO model offers the following advantages:

  • It allows organisations to avoid the expense of employing a full-time in-house CISO, paying only for services and time spent. The cost is estimated to be between 30-40% of a full-time CISO/DPO.
  • They have more experience. They work or have worked for many clients in a very diverse set of industries and sizes. This gives them a wide range of experience that can be applied to the organisation.
  • They can be located anywhere. Rather than having to hire someone locally (which limits options), this model of consultancy can work from almost anywhere.
  • It allows organisations to fill the role quickly, without having to go through the hiring process.
  • They are a consumption-based option. You will perform tasks based on an agreed scope of work. Therefore, you are paying for the services you want and allow greater control over the use of resources.