<img alt="" src="https://secure.badb5refl.com/165368.png" style="display:none;">

As Regulators Lurk, Companies Look to vCISOs To Fill Board-Level Expertise Void

By Natalie Anderson on April 18, 2023

Subscribe to the Apptega blog

As Regulators Lurk, Companies Look to vCISOs To Fill Board-Level Expertise Void

April 18, 2023 | BY Natalie Anderson

As cybersecurity risks grow more severe, and the obstacles organizations must navigate to meet their regulatory and compliance obligations more complex, businesses are scrambling not just to staff rank-and-file security roles, but to gird their senior ranks with experienced talent. 

The problem: there’s little talent to be had at either level – and qualified personnel, if they’re not snatched up by a competitor, come with a steep price tag.

A recent report by (ISC)² found a global cybersecurity workforce gap of 3.4 million workers, which is a number, to put it in perspective, that would account for almost three-quarters of the existing talent pool. Nearly half of the organizations participating in that survey said the reason for the shortage boiled down to a lack of available talent – while another third said they either couldn’t retain talent, couldn’t afford it, or both. 

Within their most senior ranks, organizations face an even more pronounced expertise deficit. Based on an analysis of publicly available data, the Forbes Technology Council earlier this year reported that 9 in 10 public companies lack even a single board director with cybersecurity expertise – and that there’s a shortfall of more than 2,700 directors across the Russell 3000, which accounts for the majority of publicly traded companies. (Only half of the Fortune 500 has appointed a board member with the requisite experience.)

If the scarcity of expertise puts organizations at higher risk for data breach and more vulnerable to cybercrime, it also exposes them to sharpening regulatory scrutiny. Imminent changes to the SEC’s Cybersecurity Incident and Governance Disclosure Obligations for Public Companies will require public companies not only to describe how they’re managing cybersecurity risks, but to disclose what expertise, if any, their board members might possess.

But in the absence of full-time board-level expertise, organizations may rely more heavily, at least in the short term, on vCISOs – both to represent the business’s cybersecurity and compliance interests to investors and external stakeholders, and to provide redundancy where it’s needed.

“The SEC is forcing companies to have at least one person on their board with a cybersecurity background, but those people are expensive and there aren’t many of them out there,” Heather Lantz, senior vice president of cybersecurity at Ascend Technologies, said on a recent episode of Apptega’s Risky Business Podcast. “So the vCISO can act as a broad representative and help them deliver what’s needed from a compliance perspective.”

“I believe we’re going to have more companies engaging them because it’s hard to keep a CISO for long,” she continued. “We even have clients that have a CISO in place, but still want a vCISO program for resiliency.”  

One potential hurdle to CISOs joining board ranks is that, generally, they lack prior board experience. So while, according to a recent Heidrick report, 56% of CISOs said their ideal next role was to sit on a board of directors, only 14% said they currently held that role. 

In this sense, the vCISO position may be beneficial both for security-bereft organizations, and as a vehicle –  with the help of the managed service providers (MSPs) that are placing them – to help cybersecurity experts secure elusive board-level roles.

For more about the role of the vCISO, how organizations are leveraging it to fill talent gaps, and what MSPs can do to optimize the vCISO engagement for their clients, check out our latest episode of The Risky Business Podcast

More Resources

Walking the Line Between Compliance and Productivity in your Security Program

By focusing on cybersecurity basics to lay a strong foundation, organizations can create a proportional infosec program that doesn't harm productivity.

Learn More

The Product Pulse

Looking to learn about Apptega’s latest and greatest product updates? Well, you’re in the right place. Here’s what's new.

Learn More

Fully Automated AI-Powered vCISO Services Now Live in Apptega

Today, Apptega launched ApptegaGPT, an in-app virtual CISO service that leverages generative AI to produce recommendations for how organizations can meet their compliance obligations.

Learn More

Subscribe to Our Cybersecurity Insights